How to lock down cloud communications
It’s been three years since thousands of organisations were forced to switch to remote working practically overnight. Some already had cloud-based communication and collaboration platforms that eased the transition. But many others had to cobble together tools and processes that would allow their employees to keep working – often within an incredibly tight timeframe.
With decision-making processes radically curtailed and staff potentially using any means at their disposal to collaborate and share critical information, security problems were inevitable. Indeed, not long after the announcement of the first lockdown, reports of Zoom bombing began to appear in the press. But this was far from the only cybersecurity vulnerability that newly remote companies were exposed to.
Dan Caplin, associate director of cybersecurity at the consultancy S-RM, says that security “fell by the wayside” in the scramble to enable remote working. “Put-upon IT administrators had to set up remote working solutions quickly using well-known platforms, such as Office 365 and Citrix, to name just a couple. In many cases, they skipped incorporating key protections, like multi-factor authentication, or were left trailing behind on the latest security patches.”
The proliferation of personal devices in post-pandemic work environments added further fuel to the fire. In short, attack surfaces massively increased. “New opportunities were created for malicious actors to compromise an organisation and it created an immediate need for organisations to review their cybersecurity posture,” says Matt Hull, head of threat intelligence at the cybersecurity firm NCC Group.
While many organisations are now up to speed with the basics, the evolution of cyberattacks post-pandemic, coupled with more complex working setups, could still catch some out. For example, an increase in workplace messaging tools may not have been accompanied by updated security awareness and training procedures.
“As a result, many workers have not received training on how to use instant messaging platforms securely,” says Dr Jason Nurse, director of science and research at cybersecurity and data analytics firm CybSafe. He adds that “with threats becoming increasingly common and complex, compliance-based tick-box training may not be enough.”
Long-standing security threats – such as phishing attacks, social engineering, malware and ransomware – have also evolved to exploit remote working vulnerabilities. “These attacks can occur through email, messaging apps, video conferencing tools and other remote working solutions,” says Lorenzo Grillo, managing director of the disputes and investigations practice at professional services firm Alvarez and Marsal.
“For example, attackers may send phishing emails or messages that appear to be from a legitimate source and request sensitive information or credentials. They may also use social engineering tactics to trick employees into revealing sensitive information or granting unauthorised access to systems.”
Hull adds: “We have also seen that, once a network is compromised, the attackers are using internal communications platforms to monitor internal activity and to engage with other users, who are far more likely to respond if they think the contact is coming from a colleague.”
Attackers are also using ever more sophisticated technologies to gain access to valuable data. “[They] may now use AI-powered tools to generate convincing phishing emails or leverage zero-day vulnerabilities to exploit weaknesses in software and systems,” Grillo explains.
And while the adoption of multi-factor authentication has helped to make major breaches of communication channels an increasing rarity, malicious actors have shifted their focus to remote access as a method to infiltrate organisations. So how can organisations stay on top of evolving security challenges without compromising the widely accessible and diverse communication environments that remote working depends upon?
In essence, it comes down to finding the right unified communications as a service (UCaaS) vendor. UCaaS allows companies to combine different modes of communication – e.g. video conferencing, messaging, SMS, phone, email and other tools – in a single platform. This allows for easy collaboration regardless of device or location, but “you [also] have threat actors saying: ‘how do we take advantage of this?’” says Jaysin Nguyen, director of solutions engineering at UCaaS provider RingCentral.
It’s therefore vital that organisations partner with a UCaaS vendor that takes data security and compliance seriously. “The use of any UCaaS platform should always be underpinned by security fundamentals, including good password hygiene and multi-factor authentication,” says Tim Rawlins, director and senior advisor at NCC Group.
“Sensitive documents and data should be kept safe, and only stored and shared on platforms that have security fundamentals such as end-to-end encryption and secure data storage as a bare minimum. Some UCaaS solutions are simply more security-minded than others, so due diligence is the key.”
The increasing cost of data breaches highlights the importance of getting this due diligence process right. In 2022, for example, European authorities reportedly issued fines totalling €832m (£731m) for violating the GDPR.
To avoid falling foul of data breaches – and the financial and reputational damage that often accompanies them – organisations must look for a UCaaS vendor that is transparent about its security practices. For instance, it should be upfront about how data is collated and used, the physical security of its environment and its adherence to regular security assessments.
“Certain policies should be made public,” says Nguyen. “In our case, we have a data protection policy, we have an Information Security Addendum. These are standing policies that are referenceable and publicly available on our website … we [also] provide public statements on how we meet GDPR, and what controls are in place to allow us to achieve that.”
A comprehensive set of administrative controls across video, messaging and phone services should also be embedded into the platform, such as limiting who can enable screen sharing, and waiting rooms that let the host approve attendees before they join a meeting.
Certifications such as SOC 2 are another key indicator of a UCaaS vendor’s level of commitment to strong security. Likewise, the vendor should be able to demonstrate a multi-layered network security programme that includes industry-standard firewall protection, as well as intrusion detection and intrusion prevention systems. Because, as Nguyen rightly says: “For every convenience that’s developed, a threat actor will look for a way to exploit it.”