Are you using WhatsApp for business communications? 2021 is the year to stop

Should you be using WhatsApp for business communication?

While WhatsApp is a consumer-grade application, many people are using it for business purposes. It’s free and it’s easy to use – most people are probably already using it – so it seems like the ideal communication tool, particularly now many employees are working remotely. 

But is WhatsApp really suitable for business communication? 

Privacy Policy Updates

WhatsApp was acquired by Facebook in 2014. At the time, CEO Jan Koum stressed how deeply he valued the ‘principle of private communication’. However, just two years later, in 2016, both apps announced they would be ‘coordinating more’ – but did give users the option to opt out of sharing their personal data with Facebook.

This time around, there is no opt-out. 

Users who want to continue using WhatsApp after May 15th 2021 have to agree to the updates made to its terms and privacy policy. This means being prepared to share their personal information such as names, profile pictures, status updates, phone numbers, contacts lists, and IP addresses, as well as data about their mobile device, with Facebook and its wider companies. Users who don’t accept the new terms will be blocked from using the app. The new policy, which applies to all users outside of Facebook’s European Region (including the UK), also means that simply deleting the app from the device will not prevent WhatsApp from retaining a user’s private data.

Since the privacy policy changes were announced, WhatsApp has now said that it will not be sharing personal data from people who previously opted out of sharing their information with Facebook. According to The Register, this setting will apparently be honoured going forward next month, even if you agree to the new policy. For all other users though, there is no opt-out.

A WhatsApp spokesperson also said this update ‘primarily centres around sending messages to businesses to get answers and support’, claiming there will be no change in data-sharing for non-business chats and account information. However, there has been much criticism and concern about the update online.  

Update: 12th May 2021

Originally, WhatsApp planned to roll out its privacy policy update on February 8th 2021. However, due to huge public backlash and confusion, they opted to delay until mid-May. Through a series of updates, WhatsApp attempted to clarify its position, reiterating that the update is mainly meant for businesses using its messaging platform. It also stated that the change would not impact “how people communicate with friends or family” on the platform. The company also specified in a blog post that it would continue to provide end-to-end encryption for private messages, and that it didn’t keep logs of its users’ messaging and calling.

However, despite the clarification around data sharing, there are still plenty of reasons why businesses should stop using WhatsApp for business-related communication.

GDPR Compliance and Liability

WhatsApp makes it abundantly clear that the app is designed for personal use in their Terms of Service. 

“Legal And Acceptable Use. You must access and use our Services only for legal, authorized, and acceptable purposes. You will not use (or assist others in using) our Services in ways that: … or (f) involve any non-personal use of our Services unless otherwise authorized by us.” 

After installing WhatsApp on your device, you’ll receive a pop-up asking for your permission for the app to access your contacts. It requests that you ‘Upload your contacts to WhatsApp’s servers to help you quickly get in touch with your friends and help us provide a better experience.’ Agreeing to this means that all your phone contacts are accessible in the app. The problem is, it doesn’t distinguish between personal contacts and business ones. Your contacts haven’t given permission for a third party to access their personal data, which could be a potential breach of GDPR.

WhatsApp has been clear that it is for personal use. Users must agree to these terms and conditions before they can access the service and WhatsApp can access the users’ contacts. Therefore, the responsibility for GDPR lies with the user, not the app.

Individuals who use WhatsApp for any business communications are in breach of the terms of service. This limits WhatsApp’s liability for GDPR because they have given the user all the responsibility for seeking the permission of their contacts.

Security Risks of WhatsApp

Using WhatsApp for business communications is fraught with security risks too. While the app famously boasts security due to its end-to-end encryption, there have been plenty of reported hacks and flaws.

Just last October, security researchers revealed that links to thousands of WhatsApp chats were accessible online. Although there was a quiet change to stop the links from being indexed by Google, the information was still readily available on other search engines. The group’s title, image, description and owner’s phone number were all readily accessible; you didn’t even need to actively join the group.

WhatsApp communications are also notoriously difficult for companies to monitor. It may be possible if they are taking place on a corporate-owned device, but even then, there are multiple hoops to jump through. Companies could require the employee to surrender the device, but to access the content itself, there would need to be an IT policy that states WhatsApp as an acceptable communication channel for business purposes. However, this policy would be in breach of WhatsApp’s acceptable usage policy. The IT policy should be crystal clear about the firm’s right to access and for what purposes (ensuring these are proportionate), so the employee has no expectation of privacy.

Things get even more complex if the employee owns the device and WhatsApp has been installed outside of a mobile device management (MDM) container installed as part of a BYOD policy. The same policy that applies to the corporate-owned device could be extended to employee-owned ones as well. However, given the device is owned by the employee and used predominantly for personal use, it is doubtful whether a forced surrender and access could be seen as legally proportionate.

If there’s no BYOD policy in place? Access is near impossible. As a personal device, the employee would have much higher expectations of privacy and there would need to be an extremely compelling reason, akin to a criminal offence, for an employer to try and obtain access.

What should you use instead of WhatsApp?

While you could write WhatsApp into your IT policies as an acceptable communication channel for business communications, you would knowingly be in breach of the app’s acceptable usage policy.  

Plus, even with that in place, there is still a myriad of security, privacy, monitoring and accessibility concerns linked to the app’s business usages. That’s before you even begin to factor in cultural problems potentially caused by the informal nature of the app. Employees could post personal messages to work chats by mistake, accidentally share their live location, or information could get lost between multiple group chats.

Instead, it’s much better to opt for a business-grade secure communication solution. Many of these solutions function in the same way as consumer-grade apps, giving users a familiar interface so they can get started immediately, but with much stronger security. Solutions are available across multiple devices and will protect your voice, video and text data in transit and at rest, preventing accidental leakage or malicious attack.  




How can VDI solutions help IT Managers manage a widespread remote workforce and transform the workplace

How can VDI help IT Managers manage a remote workforce

COVID-19 has had a huge impact on the way businesses deliver IT services to end-users. The lockdown and subsequent restrictions left businesses scrambling to deal with an unprecedented situation where their entire workforce needed to work from home. Most simply weren’t set up for permanent, widescale remote working but had no option but to embrace it to remain operational.

Technology like online meeting and collaboration tools, hosted telephony, VPNs and virtual desktop infrastructure (VDI) saw a surge in adoption as businesses looked for ways to keep their employees connected, productive and secure. Of course, VDI solutions are nothing new. Businesses have been using them for over a decade to deliver desktops and applications to end-users. However, VDI is seeing a resurgence, both due to current challenges arising from COVID-19 and the maturation of Windows Virtual Desktop. This was highlighted in the recent Spiceworks Ziff Davis 2021 State of IT Report, which found 46% of businesses were using or planning to use VDI by mid-2022. Furthermore, 26% of businesses planned to increase VDI deployment specifically because of the new challenges that have surfaced due to the pandemic.

How can VDI solutions help internal IT Teams?

1. Reduced Costs

Delivering desktops through VDI helps reduce the time it takes to provision new desktops. Easy and quick to set up, VDI not only reduces the time required by the IT team and the support costs, but it also provides more immediate value to the business. 

VDI can also help IT Managers optimise and reduce their IT spend. Purchasing and upgrading hardware for remote employees is a significant cost, but as a virtual desktop can be accessed from almost any device it can really help slash spend in this area.  

2. Simplified Licencing

Software licencing is one of the most common issues for IT managers with remote employees. If an end-user uses a personal device for remote working and needs a particular app to do their job, it’s IT’s responsibility to licence this. Not only do multiple licences increase IT costs, but they also complicate licence tracking and compliance. The IT team needs to be able to prove that apps on personal devices are properly licenced and differentiate between corporate-owned software and personally owned software. VDI solutions eliminate this challenge for IT teams by keeping the licenced software within the business’s own data centre and removing the need to track remotely installed apps.

3. Improved Security

Security is a constant concern, even more so with the new threats emerging as a result of the pandemic. It’s a particular issue for IT teams where end users are using personal devices to access company data or systems. There are no guarantees that the device adheres to the company security policy; it may be infected, compromised or running an outdated operating system. However, with VDI, device-level security becomes less important as the user remotely connects to a corporate desktop which IT configures to exact security requirements. The personal PC essentially becomes a thin client as all activity takes place in the data centre, with all of the corporate security systems and controls in place.

 


 

4. Reduced Technical Support Time

IT Managers’ workloads are higher than ever now they need to manage a fully remote workforce on top of their existing responsibilities. VDI solutions make it easier for IT teams to support remote end-users because they put them in a standardised environment, with the device itself less significant. They also reduce major technical issues and speed up resolution time because IT teams already have all the information about the user’s virtual desktop systems to hand. Of course, technical issues can still occur with virtual desktop users, but these are usually related to connectivity and performance and are simpler to identify and resolve.

5. Centralised Management

With everything centrally stored, managed and secured, desktop virtualisation streamlines the management of software assets. This makes it easier for the IT team to set up and provide end-users with desktops and applications, no matter where they are located. Administrators can also deploy, patch, upgrade and troubleshoot from a central, singular location, rather than updating end-users’ environments individually.  

Are VDI solutions the right choice for every business?

Desktop virtualisation has continually developed over the last decade, but today the main two categories are VDI and DaaS (Desktop as a Service). VDI is suited to businesses who want to host and manage the virtual desktops themselves, on their own servers. DaaS is very similar but removes the need for infrastructure management by delivering it as a cloud service.  

Both VDI and DaaS are well placed to deal with the most common challenges of traditional desktop and laptop systems, such as software licencing inventory, ensuring compliance and expensive procurement. Outside of these legacy challenges, both solutions also help businesses deal with IT process concerns, such as keeping up with the rapid pace of change and the time IT staff have to dedicate to routine tasks (e.g. troubleshooting, helpdesk requests).  

DaaS has a slight potential edge on VDI due to the shared responsibility of a cloud model. It largely removes the need to manage the physical infrastructure, enabling IT teams to focus on the entire digital workspace and user experience.  

The prominent solution that overlaps both categories is Windows Virtual Desktop (WVD). Previous virtualisation options gave businesses limited options over the type of virtual machines they could use to deliver desktops. They had to either compromise on user experience and deploy Windows Server Desktop experiences to achieve the cost benefits of a multi-session. Or, they had to sacrifice on cost and deploy single sessions in Windows 10.  

This dilemma, plus the opportunities presented by Azure as a platform, ultimately led to the development of Windows Virtual Desktop (WVD). It’s the only virtual desktop infrastructure that offers simplified management, multi-session Windows 10, optimisations for Office 365 Pro Plus and support for RDS environments. An additional plus, just for IT teams, is the relatively short time to go live. A 100-person business with 4-5 servers could be looking at less than a week to set up from scratch.

Are there any issues with VDI solutions?

However, like any technology option, VDI is not a one-size-fits-all solution. Businesses still need to fully evaluate its suitability for their employees and their ways of operating. For example, while VDI is a good option for remote workers and contractors who need to securely access Office applications, it’s not the best for employees who travel frequently due to latency and VPN issues.

Certain applications also still don’t perform as well in VDI style solutions. Microsoft Teams and Zoom are two of the most widely used conferencing platforms, yet they both have performance issues and limitations in VDI environments. For example, with Microsoft Teams some advanced features may not be available in a virtualised environment, and video resolution can differ. Call and meeting functionality is also only supported on a limited number of platforms. As there are multiple market providers, it’s recommended that you seek consultancy advice or speak to your virtualisation solution provider to confirm you meet the minimum requirements.

VDI is just one element of the technology stack. Don’t forget you’ll need other complementary technologies to address gaps and round out the experience for the end-user if you’re looking to build a fully functioning digital workplace. 


Should I use software to monitor my employees’ productivity? | The QuoStar Q&A

Q & A Series - Should I monitor my employees' productivity

 

The Question

Our teams have been working from home since March and while overall it seems to be working well, I think some employees aren’t really working as they should be. Should I be using monitoring software to track their productivity?

The QuoStar Answer

Well, this is a relatively common question and one I’m sure many managers have contemplated in the previous six months. Since lockdown, demand for monitoring software has soared. Searches for ‘employee surveillance software’ are up more than 80% and some providers have seen a threefold increase in demand for their tech.

However, employee monitoring is nothing new. In 2019, over 50% of large organisations were already using ‘non-traditional methods’ to monitor their employees, such as analysing email text, logging computer usage or tracking employee movements. Even employees themselves are beginning to expect a certain level of monitoring and believe it will increase in the future.

Advantages and disadvantages of employee monitoring

The benefits of employee monitoring are probably widely known. Many studies have shown that when people know they are being monitored, they behave in the way they think is expected. In other words, they become more productive.

The real-time data collected by tools can, if utilised correctly, help uncover problems and identify bottlenecks. You can allocate resources more effectively and rework processes to prevent employees from having to spend more time than necessary on certain tasks. It will also allow you to identify employee strengths and weaknesses, giving opportunity for both praise and further training.

A welcome side effect, particularly in the current climate, is enhanced data security. As an example, some tools can alert you to suspicious activity or block certain actions from happening altogether, such as the opening of certain applications.

However, all these potential benefits can be instantly wiped out by a poorly handled rollout. Attempts to be covert or any dishonesty about the true purpose of monitoring will likely be viewed extremely negatively. Your employees may feel that their privacy has been devalued or violated, and like the company no longer trusts them. It may result in diminished morale and elevated stress, harming your ability to retain staff in the long run.   

Legal implications of monitoring employees at work

While employers are well within their rights to monitor activity on ‘business-owned’ devices, it’s a fine line to tread. You need to find a balance between employees’ legitimate expectation of privacy and the company’s interests, and there must also be a legitimate purpose for the monitoring.

The Information Commissioner’s Office (ICO) states that employees should be made aware before monitoring begins, told the reasons for its use and how the information collected will be used. Government guidance also states that employers must clearly explain the amount of monitoring in the staff handbook or contract. This includes telling workers if they’re being monitored, what counts as a reasonable amount of personal emails and phone calls, and if personal emails and calls are not allowed.

You will need to carry out a formal ‘impact assessment’ to justify the use of monitoring tools before any go live. This identifies the purpose of the monitoring and the likely benefits and adverse impact. As part of the assessment, you’ll need to look at alternative ways the purpose might be achieved; look at the obligations that will arise from monitoring; and whether the decision is justifiable (compared to the effects the employee might experience).

If you’re planning to use the information collected as the basis of disciplinary procedures (e.g. an employee being consistently unproductive) then I would also advise seeking legal advice to determine whether you need to amend your employment contracts to reflect this.

Monitoring software raises the age-old issue of data security and privacy as well. The more that is recorded, the more data there is to secure and protect. Just last month, H&M was fined for collecting extensive details about their employees’ private lives, which was accessible to 50 other managers. So, it’s crucial that you understand exactly how your monitoring tool will collect and store information, particularly if this is happening on a third-party system. If the data is stored in a different country to where you’re located, you may need to comply with additional regulations.

What technology is available to monitor employees?

If you feel employee monitoring is both necessary and justifiable, then the good news is there are plenty of tools available. I won’t list specific products or providers, but some features you might look out for include:  

  • Screen Monitoring – Captures real-time screenshots of a computer’s desktop or active window at set intervals, allowing you to see work in progress at any given point  
  • User Activity Tracking – Tracks and collects real-time user actions and behaviour data on company networks and connected and monitored devices. Also known as User Behaviour Analytics (UBA), not only can these tools track productivity, they’re important for security as well. This proactive form of monitoring can help you spot suspicious activity and prevent access privileges from being abused. Some tools will also alert when actions you have marked as ‘suspicious’ happen. For example, if an employee tries to download unauthorised software to a work device, the administrator will be notified immediately.
  • Internet Monitoring – Automatically monitors employees’ application and web usage during working hours. Reports break down what was accessed and for how long, allowing you to spot if someone’s spending too much time on certain sites. Most tools can also block, deter or limit employees from accessing unproductive sites during working hours. Usually, companies use these tools to block social media, online gaming portals, and entertainment or streaming sites.  
  • Time Tracking – Records time spent on projects or tasks. These apps are ideal for companies who bill by the hour, allowing for more accurate invoices, but it can also help with resource allocation. Records can help you identify bottlenecks and investigate whether you should amend processes or provide greater support for employees.    
  • Keylogging – Keyloggers run in the background to track, capture and record all keyboard activity and mouse clicks. They can track activity across a variety of platforms, including email, instant messengers, web browsers and apps. The data collected can provide insight into daily activity, attitude, professionalism and productivity.    
  • Call Recording – For industries, like recruitment, where communication is necessary for successful outcomes, your telephony system should be able to give you the insights here. Some hosted telephony and VoIP tools offer in-depth metrics including time on the phone, time to answer, who answered which call, and calls made/received/missed.  
  • Constant Presence Tools – Utilise the webcam to take photos of employees at regular intervals, to check they’re at their desk. With some products, you can see photos all on one screen and click on them to start instant video chat.  
  • GPS – This may be an option if you have employees working at multiple locations or at client sites, as it can allow you to record individuals’ hours and locations in one place.

Most software products will offer multiple productivity tracking features, so you don’t necessarily need to purchase a separate product for each one.

Final Considerations

Employee monitoring is a very difficult line to tread. It can never be a simple, blanket yes or no. Every business will need to evaluate the pros and cons in line with their specific processes, operations and culture.  

Bear in mind, the current situation is an extreme one. It may be overly simplistic to solely blame ‘remote working’ for impacts on productivity. Employees may have legitimate worries or problems in their personal lives as a result of the pandemic. They might be trying to balance childcare with work, caring for sheltering or vulnerable relatives or their mental health might be suffering. You will need to be mindful of the wider circumstances when discussing productivity with individuals, as some may need greater support to achieve their usual ‘office-based’ output.

If this is the first time employees have ever worked remotely, this is not necessarily an accurate representation of how they would perform in ‘usual’ times. Yes, remote working is not for everyone. Some people much prefer to be in the office, surrounded by their colleagues. Some will always see it as an opportunity to shirk their duties, as there’s no one around to check in. But I wouldn’t necessarily rush to write off remote working as a complete no-go for your entire business.

If you do decide to go the software route, then ensure you’re transparent about it and be aware of how it might affect your company culture, as well as the legal obligations you’ll need to fulfil. 

Just remember that X hours in front of the screen does not equal X hours of productive work. Yes, these shiny new tools that take photos of employees at their laptop and track their GPS location are great, but they alone cannot paint a true picture. Arguably, working hours aren’t the most important thing; it’s the output of those hours. You need to identify meaningful KPIs and regularly track these to really assess an employee’s contribution to the business. A slightly extended lunch or an extra short coffee break in the afternoon might not be the end of the world if the work is still being done.

It’s all about balance at the end of the day.  


8 ways IT Managers can more effectively support remote workers

8 ways IT Managers can support remote workers

Many businesses simply were not equipped for full-scale remote working and, with little time to prepare, it’s understandable why some had to piece together partial solutions just to get everyone set up and working. However, with large numbers reporting that they’d like to retain some element of remote working and businesses reaping the benefits (without seeing huge downturns in productivity), it seems this trend could be here to stay for the long term.

To ensure remote working doesn’t put the business at risk, from a security and operational standpoint, IT Managers should begin to review policies and procedures in this area. While things may have worked ‘fine’ in the context of a pandemic, there are likely some gaps that need to be addressed in order to optimise remote working, improving the process for employees and the business alike.

How to support remote workers in 2020 and beyond

1. Complete network visibility

IT Managers must be able to confirm who is working remotely, which devices are being used and which critical applications are being accessed, so they can ensure the business remains secure. This is particularly important where employees are connecting to a VPN.

2. Understand the end user’s perspective

In order to improve the digital experience for employees, IT Managers need to ensure they have the tools and technology in place to identify, assess and resolve issues as they happen. Implementing a monitoring platform that can collect real-time, accurate data from end-users’ devices would allow IT teams to promptly identify issues and prevent them before they arise. In the case where the issue points to a larger problem across the network, it also gives IT teams a chance to issue a resolution before it affects others.

3. Be proactive

Just responding to IT requests or issues in a timely manner is no longer enough. IT teams need to operate in a proactive manner in order to reduce productivity losses. Implementing a monitoring platform which collects accurate, real-time data from employees’ devices, web browsers and collaboration tools, will help IT Managers identify potential issues and address them before they cause pain.

4. Help end-users to help themselves

IT teams can often find themselves stretched thin, trying to resolve issues for on-premise and remote workers. By utilising the right engagement and automation tools, IT Managers can empower end-users to resolve common problems themselves by implementing a self-help system. This may include creating troubleshooting guides for low-level, recurrent issues, utilising Microsoft Teams bots like FAQ Plus and Quick Responses or encouraging remote workers to log IT issues with certain information so they can be resolved more efficiently.

5. Promote collaboration tools

Collaboration tools have seen huge uptakes as employees look for ways to maintain effective communication across the business. Microsoft Teams alone reported a 70% increase, with active daily user numbers jumping to more than 75 million. The performance of these tools is tied largely to the performance of the local device and network, into which the IT team has less visibility in a remote working environment. So, in order to be able to provide sufficient support and a seamless collaboration experience for end-users, IT Managers should consider solutions which will give them the level of visibility they need.

6. Address shadow IT

When it comes to remote workers, security is often one of the biggest challenges for IT Managers. Away from the office, employees can wind up using their personal devices to conduct business or start accessing personal applications (such as instant messaging, streaming services and cloud storage) from their work device.

It’s critical that the IT team take steps to address this, but at the same time, they should also seek to understand why employees are using these tools instead of company authorised ones. Is it a case that they don’t know the tool is available? They don’t know how it works? Or it doesn’t have the features and functionality they require?

7. Ensure regular communication

One of the most oft-cited downsides of remote working is isolation. It’s important that lines of communication are kept open so remote workers still feel part of the business. To ensure remote workers are receiving the support they need, IT Managers should consider using engaging feedback tools such as email surveys and polls.

Microsoft Teams comes with several personal apps, bots and connectors which IT Managers could utilise to manage the feedback process. Microsoft Forms, which allows users to easily create surveys, quizzes and polls, and Polly, which gathers real-time insights with simple polls, are just two examples of the tools available.

8. Implement training and educate employees

Many employees have needed to quickly adopt new collaboration tools in order to effectively work from home. While they may have gotten used to them, having to learn how to use tools ‘on the fly’ probably means they’re missing out on features which could significantly improve their day to day activity, productivity and efficiency.

Training will also help strengthen security parameters by ensuring employees are aware of the types of attack, how they should respond and how their actions could affect the business. There was a big uptick in the number of cyber-security attacks during the first wave of the pandemic, but the landscape generally keeps changing, so security training for end-users should be carried out on a regular basis.

Conclusion

The switch to remote working happened at incredibly short notice for most companies. What typically would require months of planning, pilot tests and stress tests to successfully roll out simply had to happen there and then, and this has likely created a lot of new challenges for IT departments.

It seems that it might still be some time before businesses can have their entire workforce back in the office at once – if they even wish to revert to that – but there are steps IT managers can take now to improve the remote working experience.

With employees more reliant on technology than ever before, IT teams need to ensure they have effective communications channels in place to understand and address the needs of end-users. A proactive, security-first approach will not only improve the user experience but also help prevent remote working from posing a risk to the business.




Are state-sponsored cyber-attacks a serious threat to your business?

The notion that a country’s military cyber-division has your business in their crosshairs for a cyber-attack feels ridiculous. Firstly, what could your business have possibly done to warrant such an attack and secondly, why would your business be a target?

Why do state-sponsored cyber-attacks target businesses?

A state-sponsored attack usually has one of three objectives: probing for and exploiting national infrastructure vulnerabilities, gathering intelligence or exploiting systems and people for money.

Directly attacking government or military systems to achieve any of these is hard. Comprehensive defences are in place and so the chance of success is low. But attacking businesses – where senior executives often baulk at the idea of spending money on the security basics – is far easier.

Businesses have become a favourite of state-sponsored attackers because they’re the least defended port into a country through which money or information can be extracted and disruption or unrest can be injected. Yet not all types of business are likely to be attacked.


What types of business should be concerned about state-sponsored attacks?

Let’s be real for a moment and acknowledge that most businesses don’t have to worry about state-sponsored cyber-attacks. Only if you fulfil one or more of the following criteria do state-sponsored cyber-attacks become a credible threat:

  • You provide a service that would cause public disruption if it went offline (gas, electric, water, telecoms, Internet, medicine, transport, waste management or education etc.)
  • You hold an active government contract
  • You are a government or local council entity
  • You are a highly profitable company
  • You hold significant sensitive information (e.g. intellectual property or classified/secret information)
  • You have a high financial sensitivity to IT downtime
  • You have an office or operate in a potentially volatile region (Africa, Middle-East, Syria, Iran, Israel etc.)

Depending on which criteria you meet, the motives for an attack are different, but they generally fit into one of three categories: espionage, political or financial.

Espionage

Espionage is the most common motive and attacks of this type typically target companies who hold intellectual property or classified information and steal it to be used for blackmail, intelligence theft or counter-intelligence.

Political

Politically motivated attacks target companies whose service is important to public life and then hit their IT systems with a destructive attack to create unrest and disrupt the populace.

Financial

Financially motivated attacks target companies with a high likelihood of answering a ransom request, such as those with a high sensitivity to downtime. The attack then uses ransomware or a distributed denial-of-service attack to disable their IT systems and pressure them to pay up to relieve the disruption. However, the ransom money isn’t the attack’s goal: the real aim of such an attack is to manipulate stock prices or global markets to improve the attacking country’s position in the global ecosystem.

What threats do state-sponsored cyber-attacks pose to my business?

Existing threats

In the main, state-sponsored cyber-attackers use existing methods of attack but delivered from a military-scale operation. This means you’re now up against a cohesive team of well-educated computer engineers, using military-grade systems and an entire data centre or global bot network to deliver the attack.

There is an upside though and it’s that the principles of a strong cyber-defence still apply. If you’ve already made the effort to secure your operations, scaling up those defences and using more mature solutions provide a good deal of safety.

Unique threats

State-sponsored attackers also have several unique tricks up their sleeve which leverage their more advanced capabilities. Here are a few examples:

Surveillance

The most common type of attack is near undetectable man-in-the-middle intelligence-gathering operations. After infection, every email, file, and phone call is harvested, passed on to the attacker and analysed. GhostNet was a surveillance attack attributed to China (although they deny involvement) that infected high-value locations such as embassies in Germany, South Korea, India, Thailand, Pakistan, Iran and 97 other countries before being discovered.

Destruction

Infecting and overloading industrial systems to cause damage that will kill and injure employees whilst hurting economic output is another favourite tool of state-sponsored attackers. One such attack, attributed to Iran (although they deny it), occurred in 2018. Purpose-built malware was used to target a petrochemical plant with the intention to override safety controls, cause a build-up of pressure and trigger an explosion.

Crippling infrastructure

Other attacks are purely malicious. The creation of the CyberSnake malware, which provides attackers complete access to a network and the option to wipe all data from connected systems, is attributed to Russia (although they deny it). The malware was used as a secondary channel of attack to cripple the Ukrainian power grid during Russia’s invasion of Ukraine in 2014. A number of countries also had strange power issues in 2019, although none were officially attributed to a cyber-attack.

Espionage

Finally, there are state-sponsored attacks that aren’t for the purposes of war, but for economic gain. In 2018, China allegedly conducted a multi-year cyber-espionage campaign that involved stealing intellectual property from several aviation engineering companies and using the stolen technology to design and build an entire aeroplane.

How can I protect my business against a state-sponsored cyber-attack?

Although state-sponsored attacks can be a genuine threat for certain businesses, there are several actionable steps you can take to increase your security.

1. Have the basics in place

Whilst the basics won’t protect you from state-sponsored attackers, they provide a fundamental level of cover, which it is negligent to be without.

At a bare minimum, you need to be Cyber Essentials certified – although if you wish to undertake government contracts, you’ll need the Plus certification. We have an entire article on how to achieve the security basics if you’re interested in learning more.

Alternatively, if you feel you have a secure environment but want validation, we also offer thorough security audits.

2. Integrate security into your culture

Whilst a check-list exercise like Cyber Essentials gets you started on security, to have any real chance against state-sponsored attackers, you need security integrated into the culture of your business. This can only be achieved by adopting and practising globally recognised security standards like ISO 27001 and adopting a continual improvement mindset.

A security culture is especially important if you plan on tendering for government work since standards such as ListX become easier to comply with if you’re already treating security sensibly.

Address things at the human level by simulating attacks and identifying which employees need extra training. Accountability of security with the board is also essential to ensure priorities are maintained.

3. Isolate critical IT systems/data stores

Separating your most important IT assets from the open Internet and general internal network multiplies the difficulty of stealing your intellectual property, taking down your IT systems or disrupting your operations by an order of magnitude.

But since most businesses are built around easy access to these resources, it’s not as easy as just cutting all connections to your critical IT assets. With some intricate networking and rights management configuration it is possible though and drastically improves your resilience.

If isolation isn’t a possibility at all, data loss prevention plus complete encryption for data both in transit and at rest should be made a priority instead. Our teams are well versed in this sort of project, so can help you undertake an effective implementation.

4. Clean up your technology supply chain

The banning of Huawei’s cellular networking products in critical infrastructure and government systems by the US and elsewhere may seem like paranoia, but it guarantees that if a backdoor does exist, you don’t have it.

If you’re in a government contract or planning to tender for one, you’ve probably already taken steps to mitigate your use of risky hardware and software. However, if you’ve yet to map out what hardware or software you have in your infrastructure, undertaking an audit is imperative.

5. Engage in threat-sharing

Collaborating with others in your industry to trade threat intelligence is an effective way to rapidly increase your resilience.

If the idea of sharing your security vulnerabilities and attacks you’ve had against your IT systems with your competitors sounds too risky, check if your IT support provider is already doing something similar.

A proactive support provider should already be taking lessons learnt from one client and applying them to all their other clients (for example, blocking a malicious IP for all clients after it was found targeting one). Having an IT support provider who specialises in your industry helps since it provides you with more relevant defensive updates.

6. Secure your communications

It’s imperative that you have at least one fully secure channel of communication (e.g. voice, data, text, video). Whilst apps like WhatsApp offer some security through end-to-end encryption, news stories such as the invasive WhatsApp exploit show that it’s far from business-grade software.

A secure communications solution is necessary for guaranteeing you have at least one channel of private communication – be it voice, video, text or email.

Securing your communications is especially important for companies with offices in volatile regions since state monitoring is more prevalent.

Conclusion

If you think you’re at risk of a state-sponsored attack, want to be secure enough to tender for government contracts or simply want to improve your defensive capabilities, we have experience in helping businesses in your situation.


Tips for managing multiple devices for IT teams


BYOD, CYOD, IaaS and SaaS may have been buried under waves of new acronyms, but although they’re buried, they can’t be forgotten. These four acronyms changed the way businesses’ networks are structured, they multiplied the complexity of connectivity, they incited the development of mobile apps for traditionally desktop software and, along with cloud, gave life to agile working.

But big changes often bring challenges and these need to be addressed before the full benefits can be gained.

What challenges do multiple devices pose for an IT team?

1. Security

You must first think about your OS and web browser security. Most mobile applications will be delivered via a web browser, and all web browsers and operating systems will have their own security vulnerabilities. However, if you can isolate the application delivery against these vulnerabilities, that’s a very good first step.

Network security will be another key area to consider. For a start, traffic will need to be secured between the device and the delivery platform in order to protect against man-in-the-middle attacks such as tampering and sniffing. To be safe, you should automatically assume that any network outside of the building is insecure and therefore make sure that appropriate controls (such as encryption) are put in place.

Of course, the BYOD trend raises additional security issues. Truthfully, if a specific technology is really beneficial to an employee’s work, the company should supply and control it. People have always been the biggest risk to a business in terms of IT security. BYOD only exacerbates that fact.

However, IT teams will nonetheless need to address this issue. Isolation of the consumer devices from the corporate network will be key. If you need to open particular ports – ideally just standard web ports for access – then so be it. Thin-client and VDI solutions can also work well to aid isolation from the corporate LAN. Even so, you will require two-factor authentication as a bare minimum, and, ideally, prevent the storage of company data on the device itself.

2. Network performance

Along with security issues, you also need to consider managing network performance when delivering enterprise applications to devices outside of the delivery platform. Sure, it’s great to have numerous xGbps connections into the data centre, but if the CEO is in a far-flung location, and an application doesn’t perform as it should, the repercussions can be serious. It’s essential to also factor in latency here, especially when using thin-client technologies to deliver your application services.

Network resilience at the client end is also an important area that resellers need to think about. Your cloud delivery platform may work well for the 50 task-based workers in a remote office on a bonded SDSL service, but when that local line goes down with no viable SLA, it’s going to hurt. It may not be your fault, but any issues with service will affect the internal customer’s perception of your team.

3. Preparing for the future

In order to add value, IT teams need to balance current needs with what’s likely to come next. Application delivery systems, cloud services technologies, and end-user device developments are fluid and changing rapidly. Therefore future-proofing is another important part of any mobile solution that you plan to deploy, manage and/or update.

4. The right support

Finally, it will be essential to provide adequate support for projects like these, either internally or with a third party. A lot of IT providers are jumping in, particularly from the ‘comms’ and ‘print’ side of the track, with a variety of Software as a Service (SaaS) and other cloud-based solutions. There are also a lot of IT companies pumping device control solutions that are too immature. This area is a whole new ball game, definitely not just a matter of hiring some extra skills.

New devices and apps will soon feature in IT environments to help deliver operational and productivity enhancements. As a result, it’s essential that you’re able to support the rise of these devices and related technologies adequately. The potential benefits and opportunities these tools can provide are too significant to ignore.

In the press: Intel’s Hybrid Ultrabooks offer hope for the PC brigade


Intel and Microsoft are hoping hybrid ultrabooks will soon be a common sight in the workplace.

The former sees the format as the perfect vehicle for its Ivy Bridge chipsets, while Redmond is looking to use the format to grab a share of the tablet operating system market.

With their touchscreens, intuitive interfaces, instant-on capabilities and portability, tablets have taken the consumer world by storm since Apple launched the iPad in April 2010. While Ultrabooks also benefit from this instant-on feature, they are bulkier and heavier than tablets – which is where the hybrid Ultrabook could shine.

Although tablets are not as prolific in the business world currently, the economic advantages of providing and supporting a single hybrid ultrabook to employees, rather than multiple devices, could attract enterprises.

Robert Rutherford, from IT consultancy QuoStar Solutions, said that Microsoft would be the obvious choice to provide the operating system.

“Windows 8 could allow Microsoft to sew up the mobile market. Which would give Apple plenty to worry about as the market leader in tablets,” he said.

“If IT departments are able to provide their users with a Microsoft product they can easily control, they will.”

Click here to read the article in full on computing.co.uk