
Securing the Right Levels of Encryption

In a business environment where workplace collaboration is now considered the norm, how are consumer-focused companies implementing end-to-end security? According to industry experts, many commercial entities are simply emulating the security infrastructures of companies like Apple and WhatsApp.

To combat unsolicited messaging and foreign intrusion, Apple revamped its security infrastructure to protect all its iPhone users and data. Similarly, WhatsApp amended its messaging technologies so that no one could access messages except for end-user clients. These changes have served as models for businesses wishing to incorporate stronger levels of encryption for their communications technologies.

Issues with Encryption

While encryption is now commonplace for collaborative efforts, it is still not easy for companies with cloud-based messaging and communications. This is due to the following obstacles:

  • Cloud technologies are consistently changing and evolving, resulting in newer encryption modules that must be adopted and implemented by subscribers.
  • Cloud-based services are now adding more features, including bots, artificial intelligence, and even third-party integration.
  • The above-mentioned features are simply known as “valued additions”. However, this means that third party vendors will still have full access to user data and content.

To tackle this form of “accepted intrusion”, companies in the cloud are looking for stronger and more durable forms of encryption. In fact, they are seeking codes and programs that will protect user data and transmissions from even recognized vendors and services providers. In an industry that is blanketed with so many forms of encryption, is it possible to secure the right balance between content access and privacy?

Encryption Solutions in a Nutshell

There is no concrete answer to the current encryption dilemma. However, IT experts still play a pivotal role in encrypting codes and establishing access, eligibility, and defense for messaging programs. In other words, companies cannot go to either extreme with encryption: neither too insecure nor too clamped down. They must collaborate to find common ground and acceptable levels of encryption for all parties involved.

To that end, businesses should use fully locked down end-to-end consumer messaging tools. This means companies can take advantage of existing encryption and security codes without investing in other paid messaging apps.

Enterprise Messaging Providers

While WhatsApp seems to be a plausible solution, it is not the only program in town. Enterprise messaging providers also feature end-to-end encryption databases for all messaging platforms. However, services like Slack and HipChat are designed to be less strict when it comes to recognized intrusion. The latter includes IT involvements, especially during periods of downtime and maintenance. Certain clients may also have access to these internal chat databases, which can seriously impact privacy. With this in mind, user content and data can still be breached, and hackers may easily be able to intrude as well.

Understand VoIP Security Vulnerabilities and How to Combat Them

Voice over Internet Protocol (VoIP) offers substantial benefits to businesses, but the same IP technology that creates these benefits also introduces potential security vulnerabilities. Cybersecurity has become an increasing focus for companies across the United States and around the world as hackers try to exploit the growing use of IP to gain access to networks.

Budget resources are increasingly being dedicated to fending off threats, but breaches continue to expand. Companies must take security threats via VoIP seriously and take steps to counter those potential attacks. Consider the following threats and mitigation measures.

Types of Threats

  • Call Interception. VoIP by its nature involves the transmission of voice interactions over IP links, and bad actors will look for opportunities to intercept those transmissions. This requires the hacker to fully access the signal transmission between point A and point B. Typically, the intent of this type of breach is to interrupt the call by diminishing call quality via transmission delays or echoes or uploading sound packets to a server. Authentication and encryption tools are the most effective way to combat this type of threat.
  • Identity Misrepresentation. Hackers may attempt to access VoIP calls so they can eavesdrop, sometimes with the intent to steal information. This is particularly worrisome when sensitive information, such as credit card numbers, is transferred across VoIP links. Typically, hackers will seek the path of least resistance when attempting to access a network, so basic security features such as authentication and encryption may serve as an adequate barrier to entry for most hackers.
  • Theft of Service. An increasing concern for VoIP systems is hackers gaining access to use the service, then leaving companies with the bill. These attacks are often carried out outside of business hours, so the breach is less likely to be detected and shut down right away. This threat is best mitigated with software-based measures, firewalls, and good security hygiene, including strong passwords.
  • Disruption. Denial-of-service attacks are another growing area of concern. These attacks seek to interrupt normal business communications by flooding call centers or transmission lines with fraudulent calls. When this occurs, calls from legitimate callers often are unable to get through. Firewall solutions that are built to identify and block fraudulent calls are the best defense against service interruption attacks.
  • Physical Attacks. Sometimes bad actors will go to any length to disrupt service and wreak havoc on a company’s operations. While attention is often focused on thwarting virtual attacks, physical infrastructure can be left vulnerable. Criminals may cut off a power source or damage hardware, rendering the network temporarily useless. It is crucial to take physical security at data centers as seriously as virtual security by ensuring equipment and data centers are secured and inaccessible.
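
The after-hours pattern noted under Theft of Service can be checked against call detail records. The following is an added example, not part of the original article; the CSV layout, the 08:00-18:00 weekday business hours and both thresholds are assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample call detail records (CDRs); not from a real system.
# Assumed columns: call start, originating extension, dialed number, seconds.
SAMPLE_CDR = """\
2024-03-04T09:15:00,201,+15555550101,180
2024-03-04T14:02:00,202,+15555550102,600
2024-03-05T02:11:00,305,+15555550111,1800
2024-03-05T02:45:00,305,+15555550112,2400
2024-03-05T03:30:00,305,+15555550113,2100
2024-03-05T19:05:00,201,+15555550103,120
2024-03-09T11:00:00,305,+15555550114,900
"""


def is_after_hours(ts, open_hour=8, close_hour=18):
    """True on weekends or outside the assumed 08:00-18:00 business day."""
    return ts.weekday() >= 5 or not (open_hour <= ts.hour < close_hour)


def after_hours_usage(cdr_text):
    """Return {extension: [call_count, total_seconds]} for after-hours calls."""
    usage = defaultdict(lambda: [0, 0])
    for row in csv.reader(io.StringIO(cdr_text)):
        if not row:
            continue  # skip blank lines
        start, ext, _dialed, seconds = row
        if is_after_hours(datetime.fromisoformat(start)):
            usage[ext][0] += 1
            usage[ext][1] += int(seconds)
    return usage


def flag_extensions(cdr_text, min_calls=3, min_minutes=60):
    """Flag extensions whose after-hours volume meets either assumed threshold."""
    flagged = {}
    for ext, (calls, seconds) in after_hours_usage(cdr_text).items():
        minutes = seconds / 60
        if calls >= min_calls or minutes >= min_minutes:
            flagged[ext] = (calls, minutes)
    return flagged


if __name__ == "__main__":
    for ext, (calls, minutes) in flag_extensions(SAMPLE_CDR).items():
        print(f"extension {ext}: {calls} after-hours calls, {minutes:.0f} min")
```

In the sample, extension 305 is flagged for its overnight and weekend calls, while the single evening call from extension 201 stays below both thresholds.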

Protection Measures

While the threats may be somewhat different for VoIP, the steps companies can take to safeguard their systems are the same common-sense approaches recommended for traditional computers and networks. Install and maintain firewalls, ensure communications and transactions are encrypted, and implement user authentication techniques along with basic security hygiene policies.

Companies also should work to stay ahead of threats by studying security trends and deploying best practices recommended to combat or prevent those threats. Businesses should work as a team with their VoIP vendor to ensure both virtual and physical assets are secure and hardened against potential attacks.

The Collateral Damage of Shadow IT

Over the past few years it’s become evident that businesses are embracing cloud services, and that trend is predicted to keep growing. An enormous risk to the security and stability of a company’s cloud potential is a problem known as “Shadow IT,” the practice where the use of certain applications and services may be occurring outside of IT’s knowledge and approval.

Shadow IT happens because employees want fast, efficient ways to get things done. However, not everyone is tech-savvy enough to know a safe application from one that could allow malware or a virus into the company’s network. Here are a few of the many ways that shadow IT hurts a business.

Inadequate Security

Not all cloud services are created equal. Some applications are designed to be tightly locked down, encrypted, and otherwise protected against vulnerability. However, others may be very lax or incorrectly configured. For example, if data encryption is used, is it outdated encryption technology? Are the encryption keys stored on the same server? Either of these scenarios could be an access opportunity for hackers. Consider the traffic flow to and from the application as well as where it is stored. All of these points must be secured for that application to be safely used.

Data Gone Wild

When a cloud service hasn’t been properly vetted by the company’s IT group, it’s hard to know where data is actually going. Customer information is one of the most valuable assets a company possesses, and it should be up to date and protected. Failing to bring IT into the picture to assess an application could mean a gap in disaster recovery or business continuity programs. In addition, having multiple storage areas for data in a cloud service may lead to business decisions based on erroneous information.

Accountability

The IT department is liable for anything that goes wrong with a company’s technology, including shadow IT problems. Regardless of whether the group knows about cloud services in use, they are charged with keeping the company’s data secure. Should a breach occur as a result of an unknown cloud service, the IT team would still be held responsible for the damage.

Standardization Is Necessary

Using a pre-approved set of cloud services helps the organization save money in a number of ways. First and foremost, the risk of a security incident is drastically diminished through the vetting process. Second, when the business sets out to acquire licensing for all applicable users, it will typically receive a volume discount for a higher number of licenses. If workers use a variety of different cloud services, these savings are negated and the company spends more on software licensing.

Most Apps Aren’t Enterprise Grade

The use of cloud services began as a consumer movement and then spread to businesses. Employees today often take the apps they’ve been using at home and try to use them at work as well. However, these apps are not built with a large organization in mind. Security, scalability, data storage, and the stability of the developing company are all considerations that IT must be permitted to assess for a new app to be approved. Many of these shadow IT choices aren’t strong enough to defend against the type of maliciousness directed at enterprises, as in the case of distributed denial-of-service (DDoS) attacks.

Shadow IT is a very real problem for companies today, and one that must be included in security planning. Encouraging employee input on new cloud services and having an efficient vetting process can mean the difference between rogue use of applications and a secure company network.