How secure are your communications?

Monday 20th January 2020

Our Digital & Technology expert, Ryan Gracey, looks at the new guidance released by the National Cyber Security Centre (NCSC) to help businesses assess the security of voice, video and messaging communications.

The NCSC’s guidance sets out seven principles to help businesses assess communication technologies and make balanced security decisions when selecting them.

The principles:

  1. Protect data in transit. You should protect against tampering and eavesdropping by using a service that encrypts data as it travels and authenticates users.
  2. Protect network nodes with access to sensitive data. You should protect network nodes that access unencrypted data, and any part of the service involved in key management, at a level appropriate to the impact if the communications are compromised. If that level of protection can’t be met, you should use a service that does not require unencrypted communications data to pass through network nodes.
  3. Protect user access to the service. You should ensure user access to the service is authenticated and devices are appropriately configured so only the intended users can access communications.
  4. Ensure secure audit of communications is provided. You should ensure the service provides audit functionality to support security monitoring and the investigation of unlawful activities. Only authorised users should be able to use that functionality, with their access logged, along with the activity performed and the justification for the access.
  5. Allow administrators to securely manage users and systems. You should ensure the service allows administrators to securely manage your users. Administrative rights should be restricted to authorised individuals who are subject to logging and, if supported, two-factor authentication.
  6. Use metadata only for its necessary purpose. You should ensure the service only uses metadata for the operation of the service, and the service should clearly set out what content and metadata are collected and processed. You also need to have confidence that the supplier will adhere to what it has set out.
  7. Assess supply chain for trust and resilience. You should have confidence in your service provider and their supply chain security. To reduce dependence on a single vendor, you should consider a standards-based communications service supported by multiple vendors. If you want to communicate with people outside your organisation, you should choose a service that is interoperable with their secure services.

For further information or advice on your business’s cyber security, please contact Ryan.