Signal's mobile app offers end-to-end encrypted voice and video, without you needing to do anything.
It requires the other person to also have Signal.
You need a mobile phone number to set up Signal but, if you do not have a mobile phone, or do not want to give our your actual mobile phone number, you could rent a mobile phone number and use that to set up Signal. You should keep renting that phone number for as long as you use Signal with it.
You can download it here.
If you don't mind giving data to Facebook, WhatsApp offers simple end-to-end encryption.
Like Signal, it offers group messaging.
As well as text-based messaging, you can share files, and make encrypted audio and video calls.
You need a mobile phone number to set up WhatsApp but, if you do not have a mobile phone, or do not want to give our your actual mobile phone number, you could rent a mobile phone number and use that to set up WhatsApp. You should keep renting that phone number for as long as you use WhatsApp with it.
You can download it here.
Jitsi is an online encrypted audio and video conferencing platform, suitable for multiple simultaneous users. Unlike Signal or WhatsApp, which offers a telephony-like experience, Jitsi is more suited to scheduled meetings, where everyone dials-in to a conference bridge.
It can be used with Firefox and Chrome browsers without installing any additional software, and there are iOS and Android apps for use on mobile devices.
Each meeting can have a unique URL, to prevent someone from trying to join (maliciously or by accident), and you can configure it to require someone to enter a password before “opening” the room.
If you have a SIP phone system, you can integrate it with your Jitsi installation and enable phone dial-ins, to offer a completely self-hosted conferencing system.
For conferences with more than two parties, it offers encryption between each person's browser and your server, meaning that someone spying on your, or their, Internet connection cannot listen in to your call. It is not end-to-end encrypted, and so interception on your server would be possible — because of this, you need to be confident of the security of your installation.
I find I get better performance by disabling p2p mode: it places more of a load of the server, but the resulting experience is better.
If you are using Nextcloud for file synchronisation or sharing (as an alternative to email), it also offers encrypted audio and video chat.
I find the interface less pleasant to use that Jitsi, but you might find it works for you.
Not all cybersecurity advice is technical. There are some behavioural tips and tricks which can help keep you, and your firm, more secure.
When you receive a phone call, you'll often be shown the number of the person calling you. If that matches a number in your address book, you'll probably be shown the name of the person in your address book, rather than the number.
This is convenient, but the downside is that it is easy for someone to make a phone call display any number they want, thereby pretending to be your friend.
There's nothing you can do about this at the moment (although some work is under way to try to improve the current insecurities), other than to be mindful that a call from your boss, or your client, or your finance team, may not actually be from them.
It should go without being said, but here we go: you can have the most secure, highly encrypted, voice communications system available, but it is of little use if you are going to have a conversation loudly or in a public place.
Trains, coffee shops, the Law Society's Reading Room… no matter how good your cryptography is, if you can be overheard, you're vulnerable.
A reasonably common scam is someone calling up, pretending to be from a technical support team, claiming that there is a problem on your computer. They want to get access to your computer, and then either install malware, or else find a (non-existent) problem and try to bill you to fix it.
Don't get into a discussion with them, or try to lead them on or waste their time. Just put the phone down.
If it's actually, genuinely your IT support team, they'll appreciate your security-aware stance.
If you think you have been scammed in this way, or are in the process of being scammed, get off the phone, disconnect your computer from the Internet quickly — pull out your Ethernet cable, or turn off the Wi-Fi adapter — and get your machine checked.
If the system you are using permits it, add a unique password to each call, and ask invitees to keep it private.
Some systems let you choose your own meeting ID. Do not use anything common, or containing identifying information. Instead, use a long meeting ID which is unlikely to be guessed or generated. Since most people are going to click on a link rather than try to type it in by hand, it is unlikely to matter how long or complicated it is.
You could use a “UUID”, which is a string like EF2B283C-3E5E-445C-8CC4-2BB363C00EA. You can either generate them on your computer (e.g. by running uuidgen if you use macOS) or else use a free online service.
Alternatively, you could use a sequence of random words (such as bodiment-semifloscule-hapteron-praesternal).
If you can, reserve moderator / admin functions — such as the ability to mute people, or kick people out of a call — to yourself.
Not all services support this, so you might want to establish some ground rules at the beginning.
You wouldn't carry on an offline meeting if someone unknown walked into the room, so don't do it online. If someone joins, and you don't know who they are, pause the meeting, and find out. If you are still not comfortable or satisfied, postpone the meeting.