With the advent of hybrid work, there's more reason than ever for enterprises to put a greater focus on enterprise communications security, and for communications/IT professionals to build stronger relationships with their enterprises' security organizations. Spreading workers out over remote locations, uncertain connections, and multiple applications and devices just increases the attack surface that the enterprise must defend.
This No Jitter article by consultant Scott Murphy lays out a clear overview of the elements of enterprise security strategy, and is a great explanation of the principles of network security. Murphy breaks the task down into three main areas:
- User/Application Access and Security
- User and Device Security
- Security Operations and Response
Applying these general principles to the specific task of securing enterprise communications systems (as well as the data these systems generate and store, and the functions they perform) is what our Security & Compliance track at Enterprise Connect is all about. Sessions include an overview of the security landscape from networking guru Terry Slattery, an independent consultant who will discuss I.T. Security with a Hybrid Workforce. Slattery will examine both the general principles of network security and the specific ways in which these principles touch upon communications systems.
We also have a session led by Irwin Lazar of Metrigy, on UC and Collaboration Security: The New Threat Landscape, in which Lazar and his panelists will delve deeper into the communications/collaboration-specific threats and challenges that are emerging with the persistence of hybrid work. Lazar will discuss not just the challenges around basic messaging apps, but the ones arising from virtual whiteboards, in-meeting chat and transcripts, and more. The session will focus on protecting apps and data from unauthorized access, as well as data loss prevention and compliance issues.
These issues are critical because communications systems are generating and storing more information all the time, and ever since the pandemic, a huge amount of the enterprise's intellectual property and user information has been captured in these systems. How do you protect and provide governance over these critical assets?
Finally, we've got an intriguing session from Sorell Slaymaker of TechVision Research, Securing Communications for Incident Response. This session starts with the question: If your enterprise suffers a security breach, wherever in the enterprise that may happen, how do those responding to the breach communicate with one another while the incident is still ongoing? If they use the established communications infrastructure, which is connected to the network that's under attack, then communications about the security breach may themselves become subject to attack. Thus the attackers may be able to learn how your enterprise is responding to the breach, and use this information to exacerbate the situation and avoid detection. In addition, the established communications systems may have gone down with the attack.
Slaymaker's suggestion: Provision a standalone communications system, not connected to the network, for use exclusively during a security incident response. That may seem like a major step, and there's always the cost/risk/benefit tradeoff with security, but redundancy has always been a watchword in communications, and security is a critical area, so it may be worth considering.
These sessions show the layers of response that communications professionals have to think about when it comes to security and compliance. As an integral part of the enterprise network infrastructure, communications systems are subject to the same risks as any other asset. Call records and even employee usage data may not seem as tempting a target as the most sensitive customer data that draws headlines when compromised, but they may also be perceived by attackers as lower-hanging fruit. In addition, they may increasingly be the subject of legal discovery and other compliance actions.
Enterprise communications security and compliance is a critical issue, and I hope you can join us March 27 - 30 in Orlando for Enterprise Connect to explore this and every other hot topic in our industry.