This time last year, when the idea of wholesale abandonment of offices for remote working was almost unimaginable, enterprise security was the prevailing reason not to support remote working. Many felt the jury was still out on productivity benefits, and besides, enterprises had corporate networks cast in iron, with layers of finely-tuned cyber protection patrolling the perimeter.
And then, COVID-19 hit. With the scramble to remote working, IT teams had to act fast, often with short-term fixes. The expectation of a few weeks’ hiatus has since turned into the “now normal,” with remote working practices apparently here to stay. All of this might suit users, but it raises serious questions for employers about data protection and compliance, and how to accommodate the need for work flexibility without attracting unacceptable cyber risk.
Not as easy as locking everything down
For enterprises with little or no legacy of remote working, the sudden switch introduced an equally abrupt change in focus to locking down devices using endpoint security. This typically saw selected devices granted privileged access to corporate networks via tunneling or VPNs to protect data integrity and mitigate attacks. While enhancing security, this methodology also came with its own set of headaches, especially for employees who could not go back to the office to pick up corporate-issued hardware and faced restrictions on network access when using their personal computers and BYOD devices.
A far better approach would be to deploy a communications solution that has built-in security and encryption protocols and can operate on any device, even ones not owned or managed by the organization. This would provide far more flexibility and adaptability for organizations, while ensuring privacy and security measures are taken into account.
The idea of one solution is instructive. COVID-19 has exposed more people to many more communications experiences, but this emphasizes the value — to users and administrators alike — of a unified communications and collaboration (UCC) solution that pulls them all together seamlessly and securely.
Hybrid, irregular, anything but normal
Having jumped from one workplace extreme to the other in the initial throes of the pandemic, the new working model isn't a return to office-based normality, but it isn't entirely home-based either. Going forward, we’re likely looking at a new era of hybrid workers, jumping between corporate spaces and home offices, as well as coffee shops and vacation homes.
This dynamism need not be problematic for security and compliance if the focus shifts to the user and their device rather than their location, working hours, or even their choice of network. In short, organizations need to reject the old perimeter-based thinking of cybersecurity and instead apply the best practices of cyber-resilience like encryption, authentication, and integration with endpoint management and governance.
Becoming cyber resilient
Security should be a key concern when choosing UCC solutions because so much data in so many places expands the attack surface for cybercriminals to exploit and gives users more ways to unwittingly leak data.
Clearly, a heightened awareness of cyber threats among the user base will be important in encouraging behaviors that mitigate risk and increase resilience. However, this resilience also needs to physically extend beyond the office-centric perimeter and acknowledge that, to get the most out of UCC in a hybrid work style, workers will invariably use a variety of devices and networks to leverage UCC applications. That means baking security features into the UCC softphone itself. For example:
- Transport Layer Security (TLS) at a minimum to ensure privacy and data security, encrypting communications between your call platform or VoIP server and the UCC softphone application. mTLS (Mutual TLS) is a strong method of “mutual” authentication for verifying sessions and is lightweight enough not to impinge on quality and performance, while also protecting against adversarial attacks.
- Secure Real-time Transport Protocol (SRTP) to provide confidentiality, message authentication, and replay protection to audio and video media streams.
The UCC provisioning platform should also ideally employ secure Lightweight Directory Access Protocol (LDAP) to encrypt interactions between the UCC softphone and other servers within the enterprise or organization.
Another key consideration is how to integrate UCC applications with the enterprise’s chosen mobile device management (MDM) platform. By doing this, admins can remotely manage the UCC service, irrespective of whether the deployed softphone device is company-owned. This is important in the initial rollout of UCC applications and their scale-out to additional users, as well as to support real-time changes to application control. UCC softphones that are compatible with a wide range of MDM vendor platforms out of the box can ensure an extra layer of security with the ability to lock or remotely wipe containers with supported MDM frameworks on employees’ devices.
Cyber threats are an ever-present feature of the communications landscape, and the accelerated shift to more dynamic working practices will encourage attackers to divert their attention from penetrating hardened office-based perimeter networks to going after “weak spots” out in the field. Greater user vigilance will be an important part of the response, but there are numerous measures that enterprises can employ to engineer strong cyber resilience to keep their users and data safe.