UC Round Table: Security & Compliance

In 2023, the nexus of technology, collaboration, and compliance has never been more critical. As organizations harness the power of UC and collaboration tools to connect globally — especially across hybrid and distributed workforces — the need to fortify security measures and maintain regulatory compliance intensifies.

New opportunities and challenges emerge on an almost daily basis in this space, from bad actors that range from malevolent individuals to malicious nation-states, to how AI can potentially revolutionise how businesses manage their security and compliance needs.

With our latest Round Table subject, “Security & Compliance”, we spoke with experts and executives from Allendeveaux, Theta Lake, and Cisco about the major challenges threatening cybersecurity in 2023, how organisations can ensure security around data storage and transmission, how to enable seamless collaboration while maintaining compliance, and how AI will impact cybersecurity moving forward.

What are the major challenges and bad actors threatening the cybersecurity of organizations in 2023?

Javed Khan, Senior Vice President and General Manager at Cisco Collaboration

Khan said that as technologies like AI are integrated into UCC tools, the cybersecurity landscape evolves in response to how these technologies may surface new security threats, including advanced scams and convincing deep fakes.

“There is an enormous opportunity to leverage emerging technologies to enhance hybrid collaboration experiences,” Khan elaborated. “Yet, at the same time, organizations must explore ways to safely and intelligently integrate these technologies to mitigate potential harm.”

To introduce or preserve a healthy cybersecurity culture through continuous and rapid technological change, Khan suggested that organizations could begin by investing in the essential foundations for effective security. Examples include a hybrid cloud strategy, a zero-trust approach, and a modern network.

“Updating and maintaining network infrastructure is fundamental and should not be ignored,” Khan added. “In addition, having honest conversations with employees across all levels is critical to providing education on navigating and identifying potential new concerns and hazards as technologies mature and become more integrated into UCC platforms.”

Dr. Scott Allendevaux, Practice Lead of Law and Policy at Allendevaux

For Dr Allendevaux, the evolving threat landscape and sophisticated bad actors present multifarious cybersecurity challenges for organisations, including ransomware attacks. “Ransomware attacks remain predominant, with attackers targeting critical infrastructure and demanding hefty ransoms,” Allendevaux explained.

Meanwhile, Allendevaux highlighted that craftier phishing schemes and social engineering tactics exploit human vulnerabilities, resulting in unauthorized access and data breaches. Attackers are also increasingly targeting supply chains, Allendevaux said, exploiting vulnerabilities to compromise interconnected systems. Lastly, Allendevaux underlined that malicious or negligent insiders pose significant risks, producing potential data leaks or system compromises.

Among the bad actors threatening cybersecurity are nation-state actors, who engage “in cyber-espionage or cyber-warfare, they aim to steal sensitive data or disrupt services”, explained Allendevaux.

Other bad actors include hacktivist groups who are “driven by ideological motives,” Allendevaux detailed. “These actors engage in attacks to promote their agendas, potentially causing organizational harm.” Organised crime-based cybercriminals engage in illicit activities, including data theft and ransomware attacks, for financial gain.

Lastly, amateur hackers, often named “script kiddies,” explore “vulnerabilities and launch attacks, often without a specific agenda but causing potential disruptions”, Allendevaux said.

In the era of remote and cloud-based work, what measures should organizations take to ensure the security of their unified communications and collaboration tools, especially around data transmission and storage?

Dr Scott Allendevaux, Practice Lead of Law and Policy at Allendevaux

For Dr Allendevaux, organizations should prioritize multi-faceted security strategies written into a data protection program to safeguard UCC tools, particularly focusing on data transmission and storage.

“Firstly, robust encryption should be enforced for data-in-transit and data-at-rest, ensuring confidential information remains secure from unauthorized access,” Allendevaux said. “Leveraging advanced encryption standards such as AES-256 can substantially bolster data security.”

Furthermore, Allendevaux added, organizations should comply with recognized cybersecurity frameworks, including NIST and international data protection standards such as ISO 27001, ISO 27017, ISO 27018 and ISO 27701. This stresses a systematic approach to managing sensitive company information, such as personal data, Allendevaux said.

“Implementing comprehensive access control mechanisms is equally vital, allowing only authorized personnel to access sensitive communication and collaboration tools, thereby minimizing weaknesses,” Allendevaux continued.

“Regularly conducting risk assessments, vulnerability assessments, and penetration testing (VAPT) can help in identifying and mitigating potential risks proactively. Furthermore, adopting a zero-trust security model, which necessitates strict identity verification for every user and device accessing the UC&C tools, can significantly enhance organizational cybersecurity posture.”

Allendevaux expanded by suggesting that by amalgamating these security practices into a data protection program, organizations can build resilient and layered defence mechanisms, “ensuring that their unified communications and collaboration tools remain secure, reliable, and resistant to evolving cybersecurity threats”.

Garth Landers, Director of Global Product Marketing at Theta Lake

For Landers, it’s crucial that user actions, both negligence and malfeasance, are addressed and accounted for.

“Policies and guidance about usage related to approved tools/platforms and security, such as the use of VPNs, should be outlined, updated and enforced in conjunction with awareness training,” Landers expanded. “In conjunction, policy enforcement tools should be adopted for safeguarding, securing and recordkeeping of data.”

Javed Khan, Senior Vice President and General Manager of Cisco Collaboration

Khan highlighted that, as the world continues to transition into the era of hybrid work, organizations need to equip themselves with advanced security protections that safeguard employees and assets. “Everything from databases, networks, and unified communications must be protected to ensure that security is not compromised to allow for flexibility,” he said.

“‘Zero trust’ approaches are more important than ever to reduce the risk of breaches,” Khan continued. “Attack surfaces have increased as more people work from home and outside the office, utilize managed and unmanaged devices, and collaborate across company lines. When embracing flexible hybrid work cultures, organizations can adopt a zero-trust approach that offers an additional layer of security to ensure the hybrid experience is secure at every endpoint.”

Khan underlined that customers entrust Webex with their mission-critical collaboration, meetings, messages, calling, and data for exactly this reason: Webex “provides extended security options, advanced privacy features, and built-in compliance options for industry and regional requirements so customers can meet and collaborate securely – regardless of where they choose to work”.

How can organizations balance the need for seamless collaboration with the imperative to maintain compliance with various regulations and standards, such as GDPR or HIPAA?

Garth Landers, Director of Global Product Marketing at Theta Lake

Landers highlighted that AI, in the form of machine learning and natural language processing, is a critical part of security and compliance platforms like Theta Lake.

“For example, we apply these technologies to identify potential risky behaviours and policy violations,” Landers said. “This assists compliance personnel in filtering through the high volume of textual, video, voice and whiteboard communications that can seem overwhelming to compliance review teams.”

Landers stressed that the end product is that organizations can feel confident in adopting new technologies and “unleashing end-user productivity without overwhelming their compliance teams and missing potential compliance violations and subsequent fines”.

Javed Khan, Senior Vice President and General Manager of Cisco Collaboration

Khan emphasised that maintaining regulatory compliance is essential to empowering seamless, secure collaboration.

“Protecting customers, users, and their communications and data must always be the top priority,” he said. “From product development to operations, use, and every place in between, privacy and security must be embedded everywhere by design.”

“Seamless collaboration requires robust security and privacy and compliance with GDPR, HIPAA, and other privacy and security laws to set a baseline for how to treat personal data and sensitive health information,” Khan continued. “Webex by Cisco, for example, goes far beyond the legal minimum to meet customer demands for secure communications and collaboration.”

Khan highlighted that Webex has implemented a wide range of measures to ensure “collaboration without compromise”, “from end-to-end encryption to ensure confidentiality of data to data loss prevention and built-in mobile application security controls to protect data on personally managed devices”.

“Webex also adopts ‘secure by design’ and ‘private by default’ principles that help analyze entire attack surfaces and build controls and mitigations for any security concerns even before a feature is built,” Khan added.

Dr. Scott Allendevaux, Practice Lead of Law and Policy at Allendevaux

For Dr Allendevaux, reconciling seamless collaboration with compliance is critical in today’s digital landscape, and to achieve this organisations must be “acutely aware of the array of regulations that pertain to them”, he stressed.

These regulations are influenced by several factors, including geographical considerations, as the location of an organization’s offices and data centres dictates the legal landscape. “For instance, European entities must adhere to GDPR, while those operating in California need to consider the CCPA,” Allendevaux explained.

Then there is data subject geography. “Beyond just where a company operates, it’s essential to recognize where the data subjects reside, as regulations like GDPR extend protections regardless of where the processing occurs,” he said.

Third are industry-specific regulations, since a sector may have its own unique requirements, including MiFID II for financial services, HIPAA for healthcare, or GLBA for financial institutions.

Lastly, there are contractual obligations, because “some contracts demand certifications to standards like ISO 27001 or NIST SP 800-53, ensuring a baseline of security measures”, Allendevaux elaborated.

Allendevaux emphasised that while ISO 27001 remains a revered standard, it’s generally considered the foundational layer in today’s complex environment.

“Cloud service providers, in particular, might layer additional frameworks like ISO 27017 for cloud-specific security, ISO 27018 for personal data protection in the cloud, and ISO 27701 for privacy information management, offering a comprehensive shield,” he said.

“In conclusion, a deep understanding of applicable regulations, combined with a multi-layered standards approach, ensures both fluid collaboration and stringent compliance. Every data protection program should begin by identifying, understanding and complying with laws and regulations applicable to the organization.”

What role does an emerging technology like AI play in enhancing the security and compliance features of unified communications and collaboration platforms?

Javed Khan, Senior Vice President and General Manager of Cisco Collaboration

Khan argued that integrating emerging technologies like AI can “greatly enhance the security and compliance” of UCC platforms.

“For example, AI can be used to monitor and control data transfers across UCC platforms,” Khan continued. “If sensitive information is being shared outside of the organization, AI can either block the transfer or notify administrators.”

Khan concluded by noting that UCC platforms can leverage natural language processing tools to review transcripts of communications for sensitive information or non-compliant content, while “AI can also be used to scan shared files, images, and messages for potentially harmful or non-compliant content”.

Dr. Scott Allendevaux, Practice Lead of Law and Policy at Allendevaux

Dr Allendevaux agreed that emerging technologies are critical in reinforcing the security and compliance of UCC platforms.

“AI stands at the forefront, enhancing anomaly detection and automated compliance monitoring, ensuring swift identification and mitigation of non-compliance issues,” he said. “Blockchain ensures authenticated user identities and the integrity of transmitted data, fostering trust and transparency.”

Allendevaux also highlighted quantum cryptography as a valuable emerging technology, as it introduces sophisticated encryption, safeguarding data transmissions against advanced threats.

“Zero Trust Architecture (ZTA) elevates security postures, demanding verification for everyone accessing network resources, never assuming trust,” he explained. “Edge computing facilitates localized data processing and compliance, optimizing real-time communication platforms by reducing latency and improving user experience.”

Finally, Allendevaux pointed out that 5G technologies promise to accelerate UCC capabilities with faster and more robust connectivity, enabling “enhanced real-time threat analysis and immediate response mechanisms”.

“Together, these technologies collectively fortify UCC platforms against evolving cybersecurity challenges, ensuring robust security and strict compliance adherence,” Allendevaux said.

Garth Landers, Director of Global Product Marketing at Theta Lake

Landers noted that Theta Lake observes this dilemma in financial services regularly.

“There is a push/pull between UCC stakeholders and compliance leaders about new technology adoption, such as the use of virtual meeting platforms and their numerous features and potential compliance risks,” he explained.

“Obviously, the ideal outcome is for firms to adopt these technologies and use them without restrictions,” Landers continued. “Our research shows that 74 percent of fin serv firms are turning off features to avoid compliance risks. To be successful, you need a solution that can capture and retain all of the textual, visual and audio communications across 100s of integration points that are available today; no easy task.”

To complement these processes, organisations have to surface all potential risks across hundreds of thousands of users in mobile, desktop, remote and hybrid scenarios. “Theta Lake accomplishes all of this on a modular basis without disrupting your current IT environment,” Landers added.



from UC Today https://ift.tt/sXwtyg4