One of the many things the global shutdown exposed was the critical need for robust, flexible collaboration and unified communications solutions. It took a pandemic for the world to fully realize their importance. There was literally an overnight need to provide remote workers with access to email, voice calls, messaging services, videoconferencing and collaboration tools — all from a single platform and accessible from anywhere. It meant workers, regardless of country, industry or job title, could remain productive while staying safe from home and away from others.
An unfortunate offshoot of the growing demands placed on unified communications platforms was the effect on the attack surface, which expanded by orders of magnitude. Workers logged onto the internet and accessed corporate intranets with computers, smartphones and tablets. Some were company-supplied, many weren’t. IT departments quickly learned that the security ostensibly protecting their UC platform was fraught with gaps. It left their organizations open to threats capable of shutting down communications and grinding productivity to a halt in a matter of seconds. Bad actors launched attacks to take advantage of the security gaps, like denial of service (DoS) attacks, thefts from illegal or scam calls, hacking of VoIP systems and mobile threats that exposed the largest of infrastructures through a single device.
While the rest of the world fought the coronavirus, IT leaders battled cyber threats, which had increased exponentially due to the new norm — scattered workers logging onto networks with multiple devices through whatever Wi-Fi network they could find.
Re-Thinking Security to Include Unified Communications
If you’re not taking advantage of unified communications, you’re likely either out of the workforce or haven’t entered it. Just a couple of years ago, Microsoft Teams was a platform many may have heard about, but few had a clue how it could elevate productivity. Now, Teams is as common as its Microsoft brethren Outlook, Excel, Word and PowerPoint. But its move into the mainstream meant malicious actors took notice. They knew more connectivity and collaboration meant more data and more opportunities to steal it. Security needed to ramp up, and fast. It needed to do more than just extend to cover the unified communications platform. The platform needed its own security plan.
First, Create a Unified Communications Security Plan
The following components should be part of your unified communications security plan. But first, you need to understand the threats from which you’ll be protecting your organization. As Sun Tzu wrote in The Art of War, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”
Along with the previously mentioned threats — DoS, illegal and scam calls, VoIP system hacking and mobile threats — there are many others to which unified communications networks are susceptible. These include reconnaissance scans, eavesdropping, session hijacking, session overload, media injection, protocol fuzzing, man-in-the-middle (MITM) attacks, and more. It’s important to understand each to best protect against them.
- Identity and Access Management
For all logins, make sure to use multi-factor authentication. It means users will have to do more than just type in a password. That’s just a single factor. When they correctly enter their password, they’ll also have to plug in a code sent to their mobile phone. A password and a code — multi-factors. It’s another padlock on the gate.
Also, deploying least privilege access is another great security option. It means users are only allowed access to what’s needed and necessary for them to perform their job or a task. It’s also known as minimal privilege.
- Encrypt By Default
Whether referring to a connection or data, remember this — encrypt it. And encryption shouldn’t be something you have to choose; it should be the default.
Encryption is simply the scrambling of content that can only be unscrambled, or decrypted, with the right key or code. For Teams customers, Microsoft uses industry standards SRTP and TLS to encrypt all data.
There are two types of encryption — symmetric and asymmetric. The former requires both sender and recipient to have the same key. The latter requires a pair of keys — one for encrypting a message, another for decrypting it. The owner has a private key and authorized recipients get a public one.
- Trust in Zero Trust
Regarding network access, zero trust means just that — you have zero trust in any user until they prove otherwise. It’s denying everything to everybody. The implicit trust companies have relied on for decades should be a thing of the past. With zero trust, identity validation occurs at each stage of the digital journey. Zero trust is a notion that makes some uncomfortable; it even sounds a bit brusque. If that describes you, you need to get over it. It comes down to ensuring communications and data aren’t open to outsiders.
- Don’t Ignore Patches
When vendors issue patches, apply them. Don’t put them on the back burner. A security patch repairs a just-discovered vulnerability or flaw. You’re inviting risk if software isn’t patched. What many don’t realize is that attackers study patches to learn which vulnerabilities the vendor has discovered. They’ll launch attacks knowing there are users who have taken an “I’ll get around to it” approach to patch management.
- Tie Your UC Platform Into Your SIEM Platform
Make sure to connect your UC platform to your SIEM (security information and event management) system. Auditing logs to quickly understand if security-related issues have occurred needs to extend to your unified communications platform. Think about what UC comprises — voice, email, messaging, collaboration, file and screen sharing, calendars, scheduling and videoconferencing. To secure it all, you’ll need all the insights, guidance and help you can get.
- Train, Teach, Repeat
While you may be tired of hearing that employees pose the greatest security risk to a company, it simply can’t be stated enough. And hopefully your employees are getting tired of taking cybersecurity training. While some may roll their eyes at the thought of it, repetition is what creates habit. The goal is for employees to know what to do and what not to do without having to think about it. That’s a habit. Just make sure security information about unified communications is included in the cybersecurity training, as well.
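To make the SIEM point above concrete, here is an added example (not from the original article or from any vendor) of a detection rule a SIEM could run over UC registration events to flag the reconnaissance scans mentioned earlier. The log format, the event names and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "time source_ip event extension"
# format; real UC platforms export different fields.
SAMPLE_LOG = """\
2024-05-01T09:00:01 198.51.100.7 REGISTER_FAIL 1001
2024-05-01T09:00:02 203.0.113.20 REGISTER_FAIL 2001
2024-05-01T09:00:03 198.51.100.7 REGISTER_FAIL 1002
2024-05-01T09:00:05 198.51.100.7 REGISTER_FAIL 1003
2024-05-01T09:00:06 203.0.113.20 REGISTER_FAIL 2001
2024-05-01T09:00:08 198.51.100.7 REGISTER_FAIL 1004
2024-05-01T09:00:09 203.0.113.20 REGISTER_OK 2001
2024-05-01T09:00:10 198.51.100.7 REGISTER_FAIL 1005
2024-05-01T09:00:12 198.51.100.7 REGISTER_FAIL 1006
"""

WINDOW = timedelta(seconds=60)  # assumed sliding window
MIN_FAILURES = 5                # assumed: failures from one source in the window
MIN_EXTENSIONS = 3              # assumed: distinct extensions tried in the window


def detect_registration_scans(log_text):
    """Return one alert per source that fails registration on many extensions."""
    recent = defaultdict(deque)  # source IP -> (time, extension) failures in window
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, src, event, ext = line.split()
        if event != "REGISTER_FAIL":
            continue
        ts = datetime.fromisoformat(stamp)
        window = recent[src]
        window.append((ts, ext))
        # Drop failures that have aged out of the sliding window.
        while ts - window[0][0] > WINDOW:
            window.popleft()
        extensions = {e for _, e in window}
        # A user mistyping a password hits one extension; a scan hits many.
        if (src not in alerted and len(window) >= MIN_FAILURES
                and len(extensions) >= MIN_EXTENSIONS):
            alerted.add(src)
            alerts.append({"src": src, "first_seen": window[0][0].isoformat(),
                           "failures": len(window),
                           "extensions": sorted(extensions)})
    return alerts
```

The returned dictionaries are the events you would forward to the SIEM for triage and correlation with other sources.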
More Questions? Reach Out to the Experts
If you have questions about collaboration solutions, including unified communications, contact the experts at Netagen. Since 2001, Netagen has been helping businesses and governments meet their goals by relying on our unique, personalized approach to providing communications solutions.
And to learn how to protect your collaboration solutions from malicious actors lying in wait to exploit any or all vulnerabilities, reach out to the cybersecurity experts at our trusted, longtime partner Radware. I know they would love to hear from you.
About the Author
Mr. Curry is the Vice President of Client Solutions at Netagen and has extensive knowledge in UC, networking and design. He has over 35 years of experience in the technology sector. Mr. Curry has demonstrated a commitment to interacting with multi-disciplined professional teams in design, implementation, network integration and training. He has a consistent record of achievement with major technology companies and a strong sense of purpose regarding career development.
Mr. Curry’s responsibilities at Netagen include overall ownership of the converged practice, including Pre-Sales Design, New Product Introduction, Research and Development, Marketing and Digital Transformation.