As work-from-home grows, so do risks – the digital kind – lurking in all those home office connections
The sudden onslaught of the COVID-19 novel coronavirus has slammed the world’s economies into reverse, and left many companies and millions of employees scrambling to find ways to sustain business through the months of social distancing, isolation and remote work. With US employers ordering “non-essential” staff to continue working from home, technology has been pressed into service as never before to prop up a flagging global economy.
The sliver of a silver lining in all this is that two trends are converging to make work-from-home more feasible than ever. First, over the past several decades developments in connectivity and computing solutions have become more widespread. The second, related change is that, since the capabilities are there, a significant and growing proportion of the workforce is already on board with this mode of work.
However, the sudden surge of work-at-home participants also opens the door to a host of unintended consequences, both for workers and their employers. Among the most obvious are some cyber risks that may be well controlled by the company’s IT security measures, but wide open in a home office environment.
The latest headline-making example is so-called ‘zoom bombing,’ a play on the ever-popular prank of photobombing (except a lot worse) combined with the name Zoom, the free video conferencing software (although these unwelcome intrusions can apply to any hijacked video conference, regardless of platform). The interruptions often take the form of the unwanted participants posting lewd or offensive content.
But such intrusions into serious group meetings are more than just infuriating. They may indicate underlying security flaws in the platform that make the user’s computer or mobile device susceptible to other kinds of attacks. In an April 1 blog post regarding the issues, Zoom founder and CEO Eric S. Yuan pointed out that the platform was initially designed for large corporate users with robust IT security capabilities, not for the “new, mostly consumer use cases” that have exploded along with the coronavirus lockdowns.
Yuan said Zoom is “shifting all our engineering resources to focus on our biggest trust, safety, and privacy issues.” The platform already has some security features that can help thwart zoombombers. Among them:
• Avoid sharing private meeting links on social media or other public forums; anyone with the link can join the meeting.
• Don’t give up control of the screen. Use the host controls in Share Screen settings and then Advanced Sharing Options. Under “Who can share?” choose “Only Host.”
• Manage participants. Allow only signed-in users to join and lock the meeting after it starts. Turn off file transfer to keep out unsolicited content. Turn off annotation for the same reason.
• Try the Waiting Room to keep guests from joining until the meeting is ready to start.
Mind the Gaps
With the necessity for remote connectivity blossoming, the problems with video conferencing platforms have captured the attention of states’ attorneys general – as possible criminal matters – and even the FBI. The Boston field office recently reported several incidents of educational institutions and social groups being crashed by lewd and threatening content. In a statement, the Bureau warned, “As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cybersecurity efforts.”
Sound advice, and not only for video conferences but for all manner of online remote working technology, especially with wide-open home office portals tapping into sensitive corporate IT systems. In fact, the sudden upsurge in employees working from home – lacking more sophisticated cyber countermeasures in place back at the office – has made enterprises large and small more susceptible to attack.
According to research from Kaspersky Labs, 90 percent of corporate data breaches in the cloud happen due to social engineering attacks that target customers' employees, not because of problems caused by their cloud providers. No doubt employee negligence is a threat to business security, according to Daniel Markuson, digital privacy expert at NordVPN Teams, a cybersecurity solution for business from VPN service provider NordVPN.
However, the good news is that the risk can be controlled. While there are a variety of cost-effective digital tools and security systems on the market, the key to effective cybersecurity, as Markuson points out, starts with the right employee mindset – and that begins with communication and training.
Here are some fundamental weak points which cybersecurity experts are urging every employee in the remote office workforce to get a handle on:
FIREWALLS: Home office devices need firewalls – they are the first line of cyber defense. Experts advise making sure router and modem firewalls are enabled and properly configured. Change default administrator usernames and passwords on routers/modems, and don’t forget any connected devices like video doorbells and garage door openers.
PASSWORDS: Most people wind up using the same passwords for different accounts and changing them infrequently, if at all. “Weak and reused passwords are easy to hack. The best solution is to help your staff build a habit of using password managers,” Markuson says. Passwords must be changed periodically and shouldn’t be shared among coworkers.
FRAUDULENT E-MAIL: Phishing scams and other attacks carried out via e-mail are the most common means of exploiting employee vulnerabilities. Cybersecurity training should include strong warnings about fake e-mails. Always double-check the validity of links – or better yet, don’t click on them at all. “Just one reckless click on a phishing link or one download of an infected attachment can compromise your entire system,” Markuson explains.
VPN: Connecting to unsecured networks can make business data more vulnerable to hacks. The best way to keep online traffic private is by using a virtual private network. A VPN creates a secure encrypted tunnel that protects the connection from bad actors trying to breach the system. It allows employees to safely access their work accounts while working from home or using public WiFi – or even when we eventually get back to traveling.