In Q3 of 2022, an industry analyst published an in-depth look at the secure communications landscape noting ArmorText’s unique commitment to out-of-band communications. This report (which we discussed on our blog here) brought much needed attention to the secure communications space as a distinct offering from collaboration. By omitting consumer privacy focused options like Signal and WhatsApp, the analyst firm offered a first of its kind (in many years) analyst report focused specifically on enterprise-grade secure communications. 

Now in Q2 2024, the same analyst firm has released an updated overview of the secure communications landscape (which interested parties can obtain here) for which participants were asked to self-identify their principal use cases beyond secure communications.

Just as in 2022, ArmorText highlighted our commitment to developing advanced capabilities specifically for incident response, threat intel sharing, and security operations.

When comparing ArmorText with other vendors who may have also self-identified “Out-of-band communications for IR, SecOps” as one of their top three extended use cases, we believe it’s important not to conflate redundancy with resiliency. While it’s true virtually any communications technology could be used as an out-of-band option, including two tin cans and a string, we believe it’s more important than ever for organizations, their C-Suites, Boards, and security teams, to consider what makes an out-of-band option truly appropriate for housing your most sensitive communications — especially during a cyber incident or other crisis. Despite having more cloud-based communications options than ever before across the enterprise, this redundancy, paradoxically, actually increases vulnerability.

Well armed adversaries will exploit the convenience afforded by day-to-day communications apps to gain access to sensitive incident response, security, and executive communications.  This point is underscored by an admission in a recent Microsoft 8-K filing that attackers gained access to “employee email accounts including members of our senior leadership team and employees in our cybersecurity, legal, and other functions”.

While Microsoft emphasized the small number of accounts breached, in such cases it is not about how many accounts are breached, but rather whose accounts were breached.

When incident responders and senior leadership teams cannot communicate, whether due to outages or because an adversary is actively surveilling their communications, they cannot coordinate remediation and response efforts. They may also experience difficulty in collaborating on required breach notifications, e.g. the SEC’s final rule requiring FORM 8-K filings within four business days after a registrant determines that a cybersecurity incident is material.

Their communications matter despite the number of participants being ‘few’ in number. The distinction between Out-of-Band Communications and Secure Out of Band Collaboration is far from academic.

These questions and areas for consideration for enterprises below are explained in more detail in Evaluating Secure Out-of-Band Options: A 3-Point Checklist and covered elsewhere in our Fundamentals series.

• Is the out of band solution able to operate autonomously from your regular network at all times?
• Does the solution insulate you against insider threats, compromised admin credentials or a breach of the third party provider itself?
• Does the solution expose you to liability by not supporting governance and audit trails independent of your network?
• Does the solution provide a network-independent mechanism for larger expansion / rollout in case of business continuity needs?
• Does the solution allow end-to-end encrypted integrations for critical data feeds like OT, iOT, SIEM, sensors, etc?
• Does the solution provide alternative onboarding mechanisms designed specifically for in-crisis onboarding?

These are just some of the additional criteria that should be thought through when considering whether everyone who self-identifies as having a viable out-of-band communications solution truly does, or if they’re simply raising their hand without realizing both what’s at stake and what it means to be secure out of band collaboration ready.