Many companies, looking to cut the cost of their employees’ tech use, now operate a bring your own device (BYOD) policy. This has obvious benefits, not least of which is the reduction in the capital cost of buying smartphone technology for employees. However, it can open up a potential can of worms in terms of securing information. Fears have been fuelled in recent years as government agencies have shown how easy it can be to listen in to personal telephone conversations made from mobile devices. This in turn has created an increased demand for easier ways to secure phone calls and protect the commercially sensitive information potentially being discussed.
Writing for SearchSecurity, Michael Cobb discusses whether installing encrypted calling apps can help secure communications and if this is something enterprises should be including in their BYOD policy.
Organizations whose employees discuss highly sensitive information should first assess the products available to ensure they meet their security requirements. One major stumbling block is that all participants in a call usually need to have the same call encryption app installed – making calls to suppliers or customers less than straightforward.
There is also the problem of people nearby eavesdropping, against which no app can protect information from leaking. To help users fully benefit from the security features offered, an acceptable usage policy needs to be established.
For example, this should stipulate that any calls in which sensitive information is exchanged take place in a private room, away from public and prying ears. Furthermore, security awareness training can cover how the particular features of any app are used. It is important to remember that for encryption to work, data must be protected through its whole lifecycle, meaning any call encryption software has to be part of an integrated plan for data security.
It is also important to be aware that governments often have legal avenues to gain access to encrypted data, though any such request would notify the company that its data is being targeted. There is also the problem that, for a call to be completed, a valid phone number or IP address has to be sent in plaintext. This helps anyone in a position to carry out traffic analysis to see where calls are coming from and going to. For an extra layer of protection, calls can be routed through Tor to help disguise the metadata associated with a call.
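To make the metadata point concrete, the following added example (written for this page, not code from SearchSecurity or from any calling app) models what a passive observer on the network path still learns when the voice stream itself is encrypted. The captured messages are constructed: a SIP-style INVITE and BYE in the clear, with the media packets shown only as opaque encrypted payloads. The observer can reconstruct who called whom, from which addresses, and for how long, which is exactly the information a call encryption app does not hide and which routing through Tor is meant to obscure.

```python
"""Constructed illustration of call metadata visible to a passive observer.

Added example for this article; the SIP messages and packet timings below are
made up. Signaling is plaintext, media payloads are opaque (e.g. SRTP).
"""
import re
from collections import defaultdict

# Constructed capture: (time_s, src_ip, dst_ip, protocol, payload).
# Only the SIP lines carry readable text; media packets are shown as a marker.
OBSERVED = [
    (0.0, "10.0.1.20", "203.0.113.5", "sip",
     "INVITE sip:+15551234567@example.net SIP/2.0\n"
     "From: <sip:+15559876543@example.net>;tag=a1\n"
     "To: <sip:+15551234567@example.net>\n"
     "Call-ID: call-1@10.0.1.20\n"),
    (0.8, "10.0.1.20", "203.0.113.5", "srtp", "<encrypted media, 172 bytes>"),
    (0.82, "203.0.113.5", "10.0.1.20", "srtp", "<encrypted media, 172 bytes>"),
    (30.5, "10.0.1.20", "203.0.113.5", "srtp", "<encrypted media, 172 bytes>"),
    (63.0, "10.0.1.20", "203.0.113.5", "sip",
     "BYE sip:+15551234567@example.net SIP/2.0\n"
     "Call-ID: call-1@10.0.1.20\n"),
]

HEADER_RE = re.compile(r"^(From|To|Call-ID):\s*(.+?)\s*$", re.M)
NUMBER_RE = re.compile(r"sip:(\+?[\w.]+)@")


def parse_sip_headers(text):
    """Return the headers the observer can read from a plaintext SIP message."""
    return {name: value for name, value in HEADER_RE.findall(text)}


def extract_calls(observed):
    """Per-call metadata recoverable from signaling alone.

    Keyed by Call-ID; records caller/callee numbers, endpoint IPs and the
    start/end times taken from the INVITE and BYE messages.
    """
    calls = {}
    for t, src, dst, proto, payload in observed:
        if proto != "sip":
            continue  # encrypted media reveals nothing readable here
        headers = parse_sip_headers(payload)
        call_id = headers.get("Call-ID")
        if call_id is None:
            continue
        if payload.startswith("INVITE"):
            calls[call_id] = {
                "caller": NUMBER_RE.search(headers["From"]).group(1),
                "callee": NUMBER_RE.search(headers["To"]).group(1),
                "src_ip": src,
                "dst_ip": dst,
                "start": t,
                "end": None,
            }
        elif payload.startswith("BYE") and call_id in calls:
            calls[call_id]["end"] = t
    return calls


def call_graph(calls):
    """Who-called-whom relationships, the core output of traffic analysis."""
    graph = defaultdict(list)
    for meta in calls.values():
        graph[meta["caller"]].append(meta["callee"])
    return dict(graph)


def media_flow_summary(observed):
    """What the encrypted stream still leaks: packet counts and timing per IP pair."""
    flows = {}
    for t, src, dst, proto, _ in observed:
        if proto != "srtp":
            continue
        entry = flows.setdefault((src, dst), {"packets": 0, "first": t, "last": t})
        entry["packets"] += 1
        entry["last"] = max(entry["last"], t)
    return flows


if __name__ == "__main__":
    calls = extract_calls(OBSERVED)
    for call_id, meta in calls.items():
        duration = meta["end"] - meta["start"] if meta["end"] is not None else None
        print(f"{call_id}: {meta['caller']} -> {meta['callee']} "
              f"({meta['src_ip']} -> {meta['dst_ip']}), {duration}s")
    print("call graph:", call_graph(calls))
    print("media flows:", media_flow_summary(OBSERVED))
```

Running the script shows the caller and callee numbers, both IP addresses and a 63-second duration recovered purely from the plaintext signaling, while the media summary yields only packet counts and timing. That split is the practical lesson for a BYOD policy: an encrypted calling app protects what is said, not the fact that two parties spoke.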
Most of the time, encrypting voice calls is probably still an unnecessary step for most BYOD users, or at the very least not a cost-effective measure. For some, however, such as senior executives or employees travelling abroad, it may be a valid extra security control in certain commercially sensitive situations.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”