What is an out-of-band communication?

Used in critical contexts, out-of-band communications contribute to protecting exchanges and ensuring the continuity of business activities for organisations in crisis situations.

Definition

An out-of-band communication is a communication made outside of the usual networks. It uses reserved and secure channels to remain operational at all times, for example in the event of a cyberattack or a failure of the main network. In this out-of-band setup, the audio, video, and data flows are generally encrypted end-to-end. This protects confidential or highly sensitive exchanges from any eavesdropping.

Use cases for out-of-band communications

Multi-factor authentication (MFA)

Multi-factor authentication involves verifying a user’s connection request before granting them access to a resource. To do this, it uses at least two factors, one of which typically involves an out-of-band communication. After entering their credentials (first factor), the user receives a verification request (second factor) on, for example, an encrypted application. To send this request, the MFA system uses a different network. The aim is to limit the risk of data interception in the event of vulnerabilities on the network used for the initial connection.
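The flow described above, as an added example that is not taken from any product: the login channel only ever carries a session identifier, while the one-time code is handed to a separate delivery function standing in for the second network. The class name, the six-digit code, the 120-second lifetime and the three-attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time


class OutOfBandVerifier:
    """Second factor whose secret never travels on the login (primary) channel."""

    def __init__(self, deliver, ttl=120, max_attempts=3, clock=time.monotonic):
        self._deliver = deliver          # callable(user, code): the separate network
        self._ttl = ttl                  # assumed code lifetime, in seconds
        self._max_attempts = max_attempts
        self._clock = clock
        self._pending = {}               # session_id -> challenge state

    @staticmethod
    def _digest(session_id, code):
        # Bind the code to one login session so it cannot approve another one.
        return hashlib.sha256(f"{session_id}:{code}".encode()).digest()

    def start(self, user):
        """Call once the first factor has succeeded; returns only the session id."""
        session_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = {
            "digest": self._digest(session_id, code),
            "expires": self._clock() + self._ttl,
            "attempts": 0,
        }
        self._deliver(user, code)        # sent out of band, never returned to the caller
        return session_id

    def verify(self, session_id, code):
        state = self._pending.get(session_id)
        if state is None:                # unknown, already used, or locked out
            return False
        if self._clock() > state["expires"]:
            del self._pending[session_id]
            return False
        state["attempts"] += 1
        ok = hmac.compare_digest(state["digest"], self._digest(session_id, code))
        if ok or state["attempts"] >= self._max_attempts:
            del self._pending[session_id]  # single use, and stop online guessing
        return ok


def demo():
    """Constructed scenario: one user, an in-memory dict as the second channel."""
    inbox, now = {}, [0.0]
    v = OutOfBandVerifier(inbox.__setitem__, clock=lambda: now[0])
    wrong = lambda code: f"{(int(code) + 1) % 10**6:06d}"

    sid = v.start("alice")
    code = inbox["alice"]
    result = {"wrong_code": v.verify(sid, wrong(code)),
              "right_code": v.verify(sid, code),
              "replay": v.verify(sid, code)}

    sid = v.start("alice")
    now[0] += 121                        # past the 120 s lifetime
    result["expired"] = v.verify(sid, inbox["alice"])

    sid = v.start("alice")
    for _ in range(3):                   # exhaust the attempt budget
        v.verify(sid, wrong(inbox["alice"]))
    result["locked_out"] = v.verify(sid, inbox["alice"])
    return result


if __name__ == "__main__":
    print(demo())
```

Only the correct code, presented once, within its lifetime and for the session it was issued for, is accepted; everything an observer of the login channel can replay is rejected.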

Sensitive communications

In the context of remote or hybrid work, employees use communication tools that are not always secure. However, within sensitive organisations, such as Essential Service Operators and Vital Importance Operators, protecting critical communications is a fundamental criterion. For their confidential online meetings, involving classified subjects or information carrying a protective designation, the use of out-of-band communication systems is essential.

Business continuity

Furthermore, as European organisations are required to enhance their cybersecurity with the NIS 2 directive, crisis management and business continuity policies are becoming major topics. The deployment of out-of-band communication tools addresses these challenges. Indeed, in the event of a crisis, teams benefit from dedicated and secure communication channels. They can thus respond to incidents and ensure business continuity.

In public administrations, which rely on traditional communication means, the implementation of a communication system outside traditional networks has numerous benefits. It especially guarantees the continuity of public service.

Secure video conferencing for out-of-band communications

End-to-end encrypted secure video conferencing is suitable for setting up out-of-band communications internally. In sensitive contexts, collaborators particularly need to use a secure communication solution that is accessible at all times outside of traditional networks.

Tixeo offers a secure video conferencing solution, certified and qualified by ANSSI

Its end-to-end encryption, from client to client, prevents any interception of audio, video, and data exchanges, regardless of the number of participants in the online meeting.

In the on-premise version, the solution is deployed on a company’s dedicated server, without impacting the general network security policy. In case of a crisis, Tixeo can operate without an internet connection, isolated on the company’s infrastructure. This allows internal use only, for critical communications, and ensures the continuity of activities. Secure video conferencing thus helps to strengthen the cyber-resilience of organisations.

Cybersecurity: What is a Security Certification?

Security certification for digital products and solutions is a hallmark of reliability. What does this certification entail, and how does it ensure a high level of cybersecurity?

Definition of a Security Certification

Security certification for computer solutions and software involves evaluating a product according to specific cybersecurity standards. This process is now crucial for ensuring the protection of data and systems in the face of increasing cyber threats. Security certification also supports businesses in their search for secure digital solutions for their strategic and sensitive uses. It ultimately helps to harmonize the security levels of solutions and contributes to the creation of a trusted digital system.

Types of Security Certifications

  1. Product Certifications: Focus on the security aspects of a specific product. They assess whether the product meets the required security standards and can resist potential cyber attacks.
  2. System Certifications: Evaluate the security of an entire system, including the products, processes, and people involved. This type of certification is broader and considers the systemic aspects of cybersecurity.

There are various security certifications internationally and in Europe. Here’s an overview:

International Cybersecurity Certifications

Common Criteria (CC)

Common Criteria is the international standard for cybersecurity certification of information technology. Also known as “Common Criteria for Information Technology Security Evaluation”, this international standard (ISO/IEC 15408) allows for the assessment of IT product security by accredited and independent laboratories based on demanding technical and organizational criteria. The certificates are internationally recognized by the signatories of the Common Criteria Recognition Arrangement (CCRA), which includes ANSSI in France.

FIPS 140-3 

Developed by the National Institute of Standards and Technology (NIST) in the United States, the FIPS 140-3 standard is specifically concerned with verifying the security of encryption modules. Essential for products used in government and sensitive environments, the standard analyses in particular:

– the features and capabilities of the encryption module

– interactions with other systems

– management of access and authorised operations

– software component security

– secure maintenance and updates

– measures against various forms of potential attack.

This standard proposes four qualitative levels of security (basic to very high), adapted to different applications and IT environments.

European cybersecurity certifications

The European Cybersecurity Certification project

The EUCC certification scheme is based on the international Common Criteria scheme for certifying ICT products, their hardware and software (firewalls, encryption and electronic signature devices, routers, smartphones, bank cards, etc.). In October 2023, a first draft implementing act for the EUCC was published by the European Commission and opened for comments.

EUCS (European Certification Scheme for Cloud Services) under study

In the same vein as the EUCC, EUCS certification is aimed specifically at approving the security of products and services hosted in the cloud. The proposed text is now being studied by the European Cybersecurity Certification Group (ECCG) and will help to strengthen the security of cloud computing in Europe.

As part of the NIS 2 directive and the Cyber Resilience Act, these European certification projects aim to harmonise the security levels of IT solutions.

In France: ANSSI security certification

The security certification issued by ANSSI (Agence nationale de la sécurité des systèmes d’information) is a benchmark in France and throughout Europe. Based on the Common Criteria international certification standard, this national certification scheme assesses the robustness of a specific version of a product at a given time, based on the state of the art of cyber attacks. To award it, the approved laboratories and experts analyse a number of security criteria, including:

– Compliance with current national and international information systems security standards and regulations

– Technical and organisational security measures

– Resistance to attacks, including attempted intrusions, hacking and exploitation of vulnerabilities.

– Access management and authentication to control access to data and resources.

– Encryption and data protection

– Resilience and incident management

– Security maintenance and updates, to respond to new threats and vulnerabilities.

The ANSSI is also offering security qualification for digital products and services intended for critical and strategic sectors (OIV and OSE). This qualification will meet specific regulatory requirements, such as the French military programming law. The ANSSI’s security qualification attests to the suitability of the solutions for the sensitive needs identified by companies. The publisher must prove that it can meet its commitments over the long term.

How to assess the credibility of a security certification?

Which products are eligible for security certification?

A wide range of IT products and solutions are eligible for security certification if they expose data and/or are used by sensitive organisations. Here are some of the types of products covered by security certification: 

  • IT hardware: servers, routers, firewalls and other network equipment, etc.
  • Software: operating systems, applications and databases, etc.
  • Cloud Solutions: Cloud computing services, storage and cloud-based applications…
  • Encryption products: Encryption modules, key management tools…
  • Mobile Security Solutions: Security applications and infrastructures for mobile devices…
  • Industrial Control Systems (ICS) and Internet of Things (IoT): connected devices in various industrial sectors…

Tixeo, certified and qualified by ANSSI for over 5 years

Tixeo secure video conferencing software has been certified and qualified by ANSSI for over 6 years. Thanks to its end-to-end encryption and its on-premise version, it offers businesses in critical sectors total confidentiality for their exchanges and, above all, a high level of operational resilience. Through its certification and qualification, the French government recommends its use for sensitive applications. Other European labels confirm the security of its solution. 

How to Trust Your Employees in Hybrid Remote Work

Employees no longer work solely in the office, and companies need to adapt their organisational and management models to teleworking, to put trust at the heart of collaboration.

Hybrid telework: the fragmentation of the office.

Remote work, whether partial or complete, has profoundly transformed employees’ relationship with work and the organizational structures of companies. Even though 47% of French companies had adopted remote work by 2023 (source: INSEE), its implementation and especially its sustainability are still in question today.

Indeed, the diversification of work locations marks a break from the traditional model where all employees gathered in a defined office space. With hybrid remote work, the office extends to various locations, impacting the way teams are managed. In this context, some companies struggle to adapt and to trust their teams for successful remote collaboration.

Three main axes to improve trust

Training in best practices for remote work

If its implementation is not supported, remote work can lead to difficulties for employees and, in the long run, result in failures.

Schedules and flexibility

Remote work introduces a certain degree of freedom for employees. Working from home allows them to take more regular breaks or even adjust their schedules to fit their family life. This flexibility is valued in some companies that practice remote work, as it promotes a better work-life balance for employees. Consequently, employees enjoy a certain level of autonomy in completing their tasks, far removed from the pitfalls of presenteeism in the office.

In this context, to strengthen trust between managers and employees regarding this aspect, the first step is to clearly communicate, from the beginning of the collaboration, the norms regarding working hours and how flexible these are. These norms can be shared in the form of a general information sheet about the organization or in a welcome booklet provided during onboarding. Once these are understood, more personalized discussions can take place to adapt these measures according to the needs and constraints of each individual. The objective is to clarify the subject to avoid misunderstandings and frustrations.

Cyber Hygiene

Trust in hybrid remote work also involves adhering to security rules. As cyber threats affect many sectors, especially leading up to major events, cybersecurity must be one of the essential aspects to consider in remote work. Training and awareness on the subject are indispensable, particularly on:

  • Internet connection security and VPN
  • Password management and authentication methods
  • Phishing, ransomware, and other common cyberattacks
  • The use of personal devices or BYOD (Bring Your Own Device)
  • Protection of IT equipment at home and on the move
  • Or the use of secure software (against shadow IT)


However, IT security and hygiene rules must also be clearly defined. For example:

  • Never connect to public Wi-Fi networks,
  • Do not download software or applications not approved by the IT department,
  • And do not connect external devices to your professional equipment (USB keys, hard drives, etc.).

Maintaining the Connection with Teams

The manager’s role is crucial for the success of teams in a hybrid remote work environment. To maintain the connection, frequent video conferences or calls can prove counterproductive and stressful for employees. The hybrid manager should maintain regular communication while promoting accountability. These two aspects will facilitate mutual trust with employees and prevent isolation and disengagement.

To achieve this, develop a culture of feedback by encouraging employees to provide regular feedback on their work. This helps foster spontaneous exchanges while contributing to continuous improvement.

Deploy the Right Video Collaboration Tools


Certain video collaboration tools ensure the continuity of the office environment, regardless of where the employees are located.


This is the case with the Tixeo solution, which allows teams to work and interact in a virtual open space. In the form of bubbles, employees can see each other and work quietly on their own. To chat with a colleague or hold a meeting, a simple click on one or more colleagues’ bubbles is enough. The result: better communication between teams and improved trust.

Against “bossware”


Due to a lack of trust in their employees, some companies resort to using “bossware.” Installed on the workstation, this spyware collects a maximum amount of data on the worker’s activity, providing an overview of their productivity.

Heavily used since the widespread adoption of remote work in 2020, these types of software are now being enhanced with the integration of AI modules. However, their use can harm the respect for privacy and personal data of employees, especially if the employees are not informed about their usage.

It is therefore preferable to implement processes and management methods that create a climate of trust at work rather than using software that could damage the professional relationship.

The success of hybrid remote work corresponds to the level of trust placed in the employee. The more the employee feels valued, the more likely they are to grow and invest in the organization. For nearly 10 years, Tixeo has been betting on trust to develop its 100% remote collaboration model.


FAQ:

What is hybrid remote work?

Hybrid remote work combines remote and in-person work. Employees alternate between working from home and the office, transforming traditional organizational models.

How can trust be strengthened in hybrid remote work?

It is essential to train employees on best practices for remote work, maintain regular communication, and use suitable collaboration tools like Tixeo.

Why is it important to train employees for remote work?

Proper training reduces obstacles, improves productivity, and strengthens trust by clarifying expectations and the flexibility allowed by remote work. Additionally, training addresses good IT security practices and reduces the risk of cyberattacks.

What are the security challenges associated with hybrid remote work?

Cyber threats require comprehensive and specific measures for remote workers, such as using VPNs, multi-factor authentication, good password management, and awareness of phishing risks.

How can employee isolation be avoided in remote work?

Maintain regular interactions without being intrusive, encourage feedback, and use video collaboration tools to create an interactive virtual workspace and strengthen the connection between employees.

Why should the use of spyware (“bossware”) be avoided?

Spyware can violate employee privacy and degrade trust between employees and management. It is better to adopt management practices that emphasize transparency, autonomy, and responsibility.

What is trust in a company, and what are its key elements?

Trust in a company is based on three fundamental elements: performance measurement, autonomy, and regular communication between the employee, their team, and their manager.

What are the pillars of trust identified by Harvard Business Review?

The three pillars of trust are: positive relationships, recognized expertise, and consistency. Managers must establish reliable relationships, fairly evaluate performance, and be consistent in their actions and decisions for their team.

How can companies establish a climate of trust for remote work?

Companies should:

• Measure performance based on results rather than hours worked
• Avoid excessive employee monitoring, especially through constant calls
• Focus on achieved objectives
• Support employees through skill development and regular feedback

5 types of online meetings to protect more

Intrusions into videoconferences expose sensitive information and can sometimes have numerous repercussions, including diplomatic ones. A recent case in point is the leak from a WebEx videoconference. Here are the main types of online meetings to prioritise securing and the precautions to take.

Remote executive committees

This type of online meeting involves the presence of senior executives, managers, and members of the executive board. It is a key appointment in the life of a company, which could be targeted for espionage.

The use of a videoconferencing solution with end-to-end encryption technology is therefore essential. However, it must offer client-to-client end-to-end encryption, meaning no decryption phase of the communication streams at the server level. Thus, the audio, video, and data exchanges remain inaccessible to external parties.

Opt for “Enhanced Security”

In addition to this end-to-end encryption technology, Tixeo offers an enhanced security feature: during an online meeting, participants can enter a secret code, previously chosen among themselves, to enter a highly secure communication tunnel that is invisible to anyone else.

Audit or budget meetings

Videoconferences discussing financial information, with participants authorised to carry out transactions, are particularly targeted by attacks. Recently, a “president scam” (CEO fraud) using deepfake video and audio during a videoconference targeted an employee of the financial department of a multinational company based in Hong Kong. The malicious use of AI during this attack made it perfectly effective. Therefore, all meetings on contracts, budget forecasts, financial results, or audits must benefit from the highest protection. The organiser must carefully control participants’ access to their online meeting.

Control participant access

With Tixeo, after connecting to the software via their secure user account, participants send a participation request to the meeting and wait in a virtual waiting room. Meanwhile, the organiser checks their request and approves or denies it. They can then proceed to verify the identity via a phone call and/or sharing a secret phrase. Thus, identity verification takes place upfront, before the participant enters the meeting, and not belatedly during the exchange. Strategic discussions are thus preserved from any external infiltration.

R&D (Research and Development) meetings

This type of online meeting circulates sensitive information about technologies, innovations, or technical patents. Within strategic sectors such as industry or energy, this information constitutes the nation’s scientific and technical potential and must be effectively protected from espionage. The only barrier: genuine end-to-end encryption technology and the choice of a sovereign videoconferencing solution.

Choose a sovereign videoconferencing solution

To prevent the leakage of sensitive information, companies must choose a videoconferencing solution that is secure but, above all, sovereign. Indeed, most collaborative applications host their data outside European territory and are then subject to lenient extraterritorial data protection laws. This is the case with the Cloud Act in the United States: this series of extraterritorial laws allows American authorities to compel publishers located on American territory to provide data related to electronic communications, whether stored on American or foreign servers. Corporate communications relating to R&D must therefore be held on videoconferencing software compliant with the GDPR, to avoid any information leakage.

Tixeo is also the only secure videoconferencing solution to be certified and qualified by the ANSSI for six consecutive years.

Meetings with external collaborators

Online meetings involving suppliers, clients, or partners expose sensitive information (contractual information, client data, budgets…). Vigilance is paramount regarding the protection of videoconferences: the solution deployed and used by both parties must absolutely be secured, to prevent any data compromises.

Subcontractors, suppliers: particularly targeted intermediaries

Cyberattacks on subcontractors or suppliers working with strategic organisations are common. Indeed, generally, these intermediaries possess sensitive information, without necessarily having a sufficient level of cybersecurity. They thus become ideal targets. This vigilance concerns even more the sectors of Defense and Industry, which collaborate with numerous partners.

In its 2023 cyberthreat overview, the ANSSI reported having dealt with “the compromise of network equipment of an operator, conducted by a state actor, likely for espionage of telecommunications purposes.” The Agency thus points out that “operators must be particularly vigilant to stop using weak administration protocols, while their clients cannot assume default security and must ensure end-to-end encryption of their communications passing, even partially, via insecure protocols.”

Crisis management meetings

In the event of a cyberattack, IT and crisis management teams need to stay in contact, just like collaborators, to ensure the continuity of business. Within public administrations, the emergency communication tool ensures the continuity of public service. For this, a secure videoconferencing solution that can operate outside traditional networks is necessary.

Opt for out-of-band communications

The on-premise secure videoconferencing version of Tixeo is deployed on a dedicated server of the company, without impacting the general network security policy. In a crisis, Tixeo can thus operate without an internet connection, isolated on the company’s infrastructure. This allows internal use only: teams can therefore continue their exchanges under all conditions.

Furthermore, choosing an on-premise secure videoconferencing software limits the organisation’s technological dependence on external providers. It thus improves the control of its security policy and strengthens its sovereignty.

Another precaution to take to secure online meetings

Connect on a secure network

Besides the security of the videoconferencing software, the internet connection used for online meetings must be perfectly secured to limit the risks of data theft. Using a robust VPN enhances the protection of the connection but never constitutes an insurmountable barrier for cyberattackers.

Recent leaks from the German army in a videoconference were due, according to initial investigation results, to an unauthorised connection of one of the participants in the online meeting.
