Over the past two decades, communications technology and information technology have been converging. This convergence has required professionals in both fields to educate themselves on the key areas of the other discipline. This convergence now should include a third discipline: cybersecurity.
Becoming familiar with cybersecurity key practices will enable communications professional to provide greater value to the organization by:
- Avoiding service interruptions
- Enhancing customer trust
- Preventing financial losses
- Protecting sensitive information.
This is not surprising to anyone in the industry. However, cybersecurity is a broad field with multiple perspectives on what constitutes ‘best’ practices. Here are four areas to consider when reviewing communications technology solutions.
Governance
Good governance practices are often overlooked in cybersecurity but can be the most impactful. Governance covers a wide range of non-technical aspects of cybersecurity, starting with the simple practice of knowing what you are protecting and understanding the potential risk and impact of that asset (device, service, or software). This can be as straightforward as a spreadsheet or as comprehensive as a full asset management solution. Regardless of complexity, asset management and risk assessment can simplify cybersecurity decisions by narrowing the focus from ‘everything’ to the ‘most impactful elements.’
Another critical area of governance that spans all three disciplines is regulations and standards. Many industry sectors have specific regulations and standards that affect cybersecurity. Understanding these regulations and standards can also simplify cybersecurity decisions.
Data privacy regulations are becoming one of the most prescriptive and often overlooked areas in cybersecurity. They are frequently overlooked because it can be complicated to determine what applies in a specific situation. The application of privacy regulations can depend on geography, industry, information collected, and the parties involved.
Many industries or supply chains also align with specific cybersecurity standards for information protection practices. Identifying these standards can make cybersecurity choices easier. For example, the supply chain for the United States Department of Defense (DoD) requires organizations to comply with some level of NIST 800-171 (Cybersecurity Maturity Model Certification (CMMC)).
Operations
Effective operational practices significantly impact cybersecurity. These practices influence the behavior of individuals within the organization, thereby affecting overall cybersecurity. While many communications professionals shape these operational practices, incorporating cybersecurity considerations can further enhance project success.
Some key cybersecurity operational practices that could be considered:
- User Education – Staff act as the “Human Firewall” within an organization. Educating users about cybersecurity can significantly enhance operations by reducing the impact of phishing and other social engineering exploits.
- Change Management – Managing technology changes within the organization can greatly improve the reliability and security of systems. Ensuring that change management includes cybersecurity considerations and incorporates effective user onboarding and offboarding procedures can enhance project outcomes.
- Incident Response – Effectively addressing minor incidents can significantly lower the risk of major cybersecurity breaches or business disruptions. While not every incident is related to cybersecurity, managing them systematically can lessen their impact on the organization. Preparing for incident response and management should involve communication plans, mitigation strategies for common scenarios, and a process for learning from previous incidents.
- Cybersecurity Assessments – Operational practices are never perfect and should continuously improve. Regular checks or assessments are crucial to ensure that cybersecurity practices remain aligned with organizational objectives, governance standards, and regulations.
Endpoints and Devices - Monitoring and Management
From a cybersecurity perspective, endpoint devices pose one of the greatest risks due to their sheer quantity. Communication technology projects often integrate with existing devices (e.g., workstations, laptops, mobile devices, servers) or introduce new ones (e.g., analog gateways, IoT devices, sensors). Managing the security of these devices can be challenging, but many new device management solutions, often offered as a service, can simplify this task. The key is to ensure that all endpoint devices are managed and monitored. Simple practices like device patching and software updates can significantly enhance security. Given the complexity of cyber-attacks, it is also crucial to monitor endpoint devices and maintain central logging of security events. Artificial Intelligence (AI) tools can further enhance these capabilities. Incorporating these practices and tools can greatly improve the success of communications projects.
Data Security
As previously mentioned, data security and privacy are crucial to the fields of communications technology, information technology, and cybersecurity. There are several standard practices for enhancing the security of an organization’s critical data.
- Secure Authentication – Implementing a robust method for securely authenticating both users and devices is crucial for data security. Controlling access to data and ensuring the authenticity of users and devices is fundamental to an organization’s security. Multi-Factor Authentication (MFA) is essential for secure authentication but should be complemented with practices to securely authenticate devices (e.g., IoT devices, non-user devices). While all devices have operating systems that could be compromised, secure authentication helps minimize potential impacts.
- Network Segregation and Secured Networks – Different devices pose different security risks, so they should not be treated uniformly from a security perspective. It’s important to segment networks and devices and secure them according to their relative risks. Asset management and risk assessment governance processes can provide a template for implementing segregation and security.
- Encrypted Communications and Data Storage – One often overlooked aspect of data security is the secure communication and storage methods used within and between applications. Recognizing that no network is inherently secure, all communications should be encrypted. Similarly, any important or private data should be encrypted when stored. Ensuring that all communication technology projects consider this requirement is critical to the overall security of an organization’s data.
- Domain Name Systems (DNS) and Email Security – The ongoing risk of communications via email and other systems that rely on DNS means securing these systems is extremely important and sometimes overlooked. There are two key aspects to securing these systems. First, ensure that the organization’s DNS is hosted in a secure and reliable location, with access to DNS management limited and controlled by secure authentication methods. Second, ensure that the DNS records themselves are correct. For example, enabling email security techniques and records such as DMARC, DKIM, and SPF will improve the security of email communications. Similar settings are often available for other communication tools.
- AI Communications Tools – The growing use of AI tools to enhance communications can expose organizations to potential data privacy and data leakage risks. This could include smart assistants, chatbots, Natural Language Processing (NLP), personalized communication, automated translations, and content moderation tools. When an AI solution processes a request, it uses a dataset to generate its results. Some solutions use larger public or open data models, which can be risky as your data might become part of these models, posing a risk of data leakage. It’s crucial to be aware of these risks and ensure a thorough risk assessment is completed before implementing any AI solution.
Many communications technology professionals are already considering some of some or all these cybersecurity considerations. Incorporating these practices adds significant value to communications technology projects and contributes to their long-term success. By deepening their understanding of these cybersecurity practices, communications technology professionals can further enhance their cybersecurity capabilities.
Scott is writing on behalf of the SCTC, a premier professional organization for independent consultants. Our consultant members are leaders in the industry, able to provide best of breed professional services in a wide array of technologies. Every consultant member commits annually to a strict Code of Ethics, ensuring they work for the client benefit only and do not receive financial compensation from vendors and service providers.