Building resilience in the Public Sector – How secure mobile communications are a key part of the solution
With the ever-increasing incidence of cyber attacks, particularly via mobile phones, cyber security is one of the biggest threats to public services, critical national infrastructure (CNI) and citizens’ data. Almost everyone carries a mobile phone, and many of us take for granted the connectivity and convenience they provide. However, this very convenience also opens up a whole host of risks around data security. As most personal phones are also used for work communications, that means that business data is at risk too!
When it comes to harnessing technology to provide resilience in the public sector, mobile phones play a key role. While providing a huge risk to organisations, mobile phones are also part of the solution – so long as they are used in the correct way and that business and personal data is separated and managed on them (e.g. via a Mobile Device Management solution). This is equally true for BYOD devices that are used for business but that the organisation does not manage. An enterprise secure communications platform can ensure separation between business and personal data, even on BYOD devices.
Independent, trustworthy communications channels
A secure communications platform that runs independently of the mass-use consumer-grade apps that are very often monitored and targeted by hackers and other malicious and state-backed actors, can provide a communications channel when other corporate systems are compromised. This is a critical requirement when first discovering a cyber breach and marshalling a response. Secure calls, video calls and other communications involving sensitive and even classified data CAN be made safely on ordinary mobiles when appropriately secure software is used.
Indeed in the US’s National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide (SP800-61) https://csrc.nist.gov/pubs/sp/800/61/r2/final, in Section 3.1.1 Preparing to Handle Incidents it states that “...smartphones are one way to have resilient emergency communication and coordination mechanisms. An organization should have multiple (separate and different) communication and coordination mechanisms in case of failure of one mechanism.”
Increasing scope of Cyber Assessment Frameworks
To combat the increasing cyber risks, the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF) and NIST Cybersecurity Framework (CSF) have both recently increased their scope to cover more scenarios and more industries. Likewise, in the EU the NIS2 Directive (which takes effect from October 2024) has extended the previous NIS 1 regulations.
NCSC CAF and NIST CSF both suggest that groups with key contacts/structure, such as suppliers, law enforcement, internal groups and stakeholders, SOCs, etc. are pre-defined and set up in preparation for when an incident occurs, so that communications can begin immediately on the secure channel. With a built-for-purpose secure communications platform, organisations are able to pre-define the groups for internal and external contacts and integrate them into business continuity processes in the event of a critical incident.
Secure Communications – Beyond Critical Incident Management
There are many other ways in which a secure comms platform can help public sector organisations to increase resilience by supporting compliance with cyber security and assessment frameworks beyond simply providing a safe communications channel in the event of an attack:
- Incident co-ordination with colleagues, collaborators and third parties
- Supply chain communications
- Central user management, for rapid deployment and (just as importantly) one-click revocation of lost or stolen devices, ensuring only authorised users can access your secure communications
- Identity-based authentication so that users can be sure who they are communicating with (protect against spoofed accounts, identity theft and deepfake scams)
- Data security for corporate information held on BYOD devices. Features such as Message Burn and remote wipe capabilities mean that the organisation keeps control of data within its secure communications ecosystem, even after it has been sent
- Resilient communications networks supported by ‘out of band’ channels that do not rely on the public internet so are more robust to attack
- Response and recovery planning is kept private and secure, so that adversaries cannot monitor plans and progress
In the event of a serious incident on critical infrastructure including a cyber attack, it is crucial for public sector organisations to have an independent, out-of-band communications channel. It is also important that everyone knows how to use the channel, so that if the worst does happen, precious time is not wasted reminding everyone of how they should be communicating (assuming that that is even possible if standard comms channels have been compromised). Given the increasing requirement for using secure communications within government, public sector, CNI and regulated industries, organisations should start investigating suitable solutions sooner rather than later.
For more information visit: www.armourcomms.com or call us on 020 38 37 36 01
Cyber Security updates
Sign-up to get the latest updates and opportunities from our Cyber Security programme.