Communications and collaboration tools: understanding the risks and opportunities
By Eric Lebegue & Lilian Gaichies, Streamwide
As private and public entities are being forced by the coronavirus to move their communications and file sharing to online collaboration platforms, they should be aware of the potential security threats they face and of the need to use professional tools in order to ensure the security of their IT environment and compliance with data protection regulations. In addition to addressing security concerns, professional communications tools currently offer a wide range of functionalities which enable organizations not only to improve information flows but also to automate processes, keep control of their data, facilitate reporting and maintain visibility over their mobile workforce at all times.
The use of audio and video technology to communicate with people who are not physically present in front of us is nothing new. In most countries, Customs frontline officers have, for some time now, been using digital communications tools that enable them to talk to and exchange data, including audio, photos and videos, with their head office. This trend has accelerated since the COVID-19 pandemic began in early 2020. With governments requiring people to work from home wherever possible in order to prevent the spread of the virus, virtual communications have become the norm.
Some of these communications tools provide customized and professional solutions, but employees have frequently been left with no other alternative than to rely on mass-market applications. Given that employees, companies and organizations are likely to continue these new working practices, even once the pandemic is over, in view of the benefits they offer, it is crucial that the security risks attendant with the use of these tools are fully understood. Mass-market applications are simply not designed to be secure at user level, and their users risk exposing themselves to serious cybersecurity and privacy compliance issues.
Customs administrations using these kinds of tools could put themselves at risk in terms of, for example, data leakage or security breaches. Lone worker safety, confidentiality of negotiations, product and transportation safety, and operator trust and confidentiality are at stake where unsecured telecommunications systems are in use.
Another reason why private and public entities, especially those for which collaboration is essential in view of their highly distributed and mobile workforce, should turn to professional applications to secure their communications channels is that such tools currently offer a wide range of functionalities which enable these organizations not only to improve information flows but also to optimize processes, keep control of their data, facilitate reporting and maintain visibility over their staff at all times.
There are three major problems related to the use of mass-market products as opposed to professional applications.
- Security vulnerabilities: The IT security and privacy measures or certifications the service provider has in place may not be sufficiently robust to ensure that outsiders are prevented from accessing their systems. Popular consumer messaging apps, for example, do not contain the critical encryption and security protocols required to lock down communications. This also applies to mass-market video-conferencing tools. Meeting links can be intercepted, allowing unauthorized individuals to execute automated attacks, and, if no password is required to join a meeting, the intruder will be instantly added to the call. Hackers can impersonate legitimate business accounts, phish user credentials, steal data and infect employees’ computers with malware in a matter of minutes.
- Data sovereignty: This concept poses another challenge, as data are subject to the laws of the country in which they are physically stored. Messaging or video-conferencing applications collect, store and process data. In general, organizations using mass-market applications do not know exactly where their data is being processed or stored or by whom, which might result in their infringing data protection laws. For example, organizations established in the European Union must comply with the GDPR which requires that all data collected on EU citizens must be stored either in the EU or within a jurisdiction that has similar levels of protection.
- Too many applications and systems: Most mass-market communications and collaboration tools serve only one or two functions, and organizations therefore often must subscribe to multiple platforms to cover all their needs. The use of different applications and tools is time-consuming and generates inefficiency, which ends up frustrating employees and increasing the risk of errors. Employees spend more time managing applications than they do getting the work done. In addition, most service providers offer tools designed for personal use, with basic subscription plans and very little support. There is often a limit on the number of licences, and the pricing policy is generally not flexible enough to adapt to operational needs. Such a situation ultimately lends itself to less than adequate security practices. Organizations must realize that they are taking risks by failing to adopt a comprehensive approach towards their business communications and collaboration technology strategy.
Organizations, especially those with a highly distributed and mobile workforce, therefore need to have a clear strategy in place and to provide employees with professional tools in order to combine collaboration, productivity, security and compliance. Use of a single secure and professional communications and collaboration tool is preferable. It is possible to replace existing cloud-based and mass-market applications with a solution that is kept under the control and management of the organization using it.
Such business applications should:
- use advanced encrypted communications and protocols preventing vulnerabilities and protecting the data privacy of all users;
- provide secure URL links;
- offer on-premises and SaaS (Software as a Service) solutions;
- when delivered as SaaS, ideally store data on servers located within the customer’s own jurisdiction, so that the customer is subject only to its domestic privacy laws;
- replace multiple applications with a secure, all-in-one business solution to enable the user to save time and effort;
- allow sessions with no time limit.
In terms of functionalities, some tools enable teams located in different places both in and outside a country to communicate easily using instant messaging, whiteboarding or call conferencing. Of particular interest to Customs administrations are push-to-talk (PTT) communications which work similarly to classic radio communications devices. PTT applications can turn any smartphone into a virtual radio device capable not only of mimicking the use of a walkie-talkie, but also of interconnecting different radio networks. Users who are required to switch to such networks can do so using their smartphone and do not need to carry additional radio equipment.
When using PTT, all you need to do is press a button in an app, and you can instantly talk to whomever you want. There is no need to unlock your phone, enter your access code, scroll through your contacts, wait for the phone to connect and then inevitably leave a voicemail for a colleague who does not answer, leaving you with no real confirmation that they will actually receive the message.
In addition to PTT, professional communications tools include all the functionalities officers need, whether they work at their desk or in the field: screen sharing on a mobile device or PC, chat groups, exchange of documents, photos, videos or any other content in real time, and video streaming from a variety of different sources (drone, camera, PC, etc.).
Furthermore, the following functionalities are of particular interest to organizations such as Customs administrations with a mobile workforce:
- Real-time localization and communications: Officers working in a control centre should be able to see field officers’ locations in real time and to identify which employees are the closest to a given address on a map. If a state of emergency is declared, control centre officers should be able to use a PTT app to contact employees or a mobile team who are near the scene of an incident, and the team in the field should be able to transmit live video stream to the control centre.
- Safe reporting process: When officers are on a mission abroad and are unable to use a private network to communicate, they can use the Internet to connect from any device to a secure “mission platform” where they can prepare and share confidential reports and other information.
- New telephony software: The latest telephony software can turn any electronic device into a fully-fledged, integrated system, bridging the gap between smartphones, desktop phones, computers and radio equipment.
In most countries, there are two types of communications networks available to public entities:
- Legacy narrowband professional mobile radio (PMR) networks are mainly private networks reserved for government use. They are built to meet the specific coverage area and capacity requirements of a particular business or organization. Organizations usually invest in PMR networks because communications are a business or a mission-critical tool. Aside from public safety agencies, which include law enforcement agencies, this may apply to transportation, utilities, oil and gas, petrochemicals, mining, logistics and industrial concerns. Such networks are driven not just by coverage (including inside buildings, basements and tunnels) and capacity, but also by availability. An emergency alert or call simply must get through every time, so minimizing network downtime is paramount.
- Long Term Evolution (LTE) networks are generally built and operated by mobile network operators (MNOs) and are largely aimed at serving a mass-market consumer subscriber base. MNOs deploy their networks under a licensing agreement entered into with the government and provide a “best-effort” service designed to balance the business requirements of their shareholders to maximize returns while still meeting their licence obligations. These networks can be public or private. Entities other than MNOs can also install and operate a private LTE.
In the past, Customs administrations had to cope with the limitations of each system. Nowadays, however, the mobile communications landscape is changing. A new industrial standard for mission-critical push-to-talk communications is now shaping the future of public and private networks. The cellular mobile phone standards specification body, the Third Generation Partnership Project (3GPP), has been developing standards (known as MCPTT standards) to introduce the unique attributes of mission-critical PMR technology into the 4G LTE standard and on into the 5G standard. This will bring traditional PMR-type functionalities into the mobile cellular domain, while ensuring that security requirements are met. For example, mission-critical push-to-talk technology over LTE provides the same functionalities as over PMR with the same level of security. 3GPP standards for mission-critical services (MCS) now cover video, data, messaging and location services.
These standards help technology service providers to develop communications solutions that enable government agencies to use public cellular networks where available and their private compatible networks where necessary, and allow officers to use a single type of device covering all their operational needs.
The ability to communicate from any place, at any time and on any device is crucial for all organizations. However, in deciding which solutions to use, they should give equal priority to security and functionality. Fortunately, professional messaging and collaboration solutions currently exist that remove barriers to collaboration while offering secure and efficient workplace communication tools.
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).