COVID-19 has forced people from their workplaces and schools. Working from home and homeschooling means that millions of Americans are using video conferencing for the first time. With this surge in new users, there will be many cybersecurity challenges. Here’s some information to help you make sure your online video communications stay secure.
Pick a secure video conferencing service.
Now that more businesses, schools, and organizations are relying on video conferencing software for day-to-day communications, the question of their security, while always an issue, is mission-critical. Software companies have begun offering free, enhanced versions of their teleconferencing apps to facilitate the sudden shift in remote workers.
When selecting a platform, ask the following questions:
- Is free ever really free? When services are free, they are often collecting information that they can monetize. Make sure you go to settings on whatever platform you’re using and set your privacy as tight as possible.
- Does the service allow you to take screenshots or record a session? If so, does it provide notification? Sensitive information can be gleaned from the images generated during a video conference. A post-it with a password on the wall behind your desk, an image from your private life, or an account statement from your bank can be accidentally shared with attendees.
- Does it allow you to record the session? All of the above should be remembered because many conferencing services allow users to record sessions for future reference. Any recordings, yours or that of a colleague, can represent a major data risk.
- Does it allow a virtual background? Virtual backgrounds do more than just hide a messy home office–they allow users to conceal potentially compromising personal details, including usable information, that can be leveraged against them by bad actors. Unless you’re speaking with trusted associates or friends, the fewer attendees are able to see, the better.
- Does it allow you to select a participant and view their video? The worst that can happen is not a creepshot getting posted online. The images saved by a bad actor can be used to figure out where you live and other compromising details.
- Is there known malware and/or poor security associated with the service? Most companies will scramble to patch a vulnerability in their software before they become public knowledge. Unfortunately, a single attendee that hasn’t updated to the most recent or secure version can potentially compromise an entire meeting. Look for a platform that can provide detailed information about their commitment to security, and that requires attendees to upgrade their software.
- Does it provide end-to-end encryption? Public and shared Wi-Fi access can leave user data vulnerable to man-in-the-middle attacks. End-to-end encryption provides an extra layer of security by making conferences and communication significantly harder to intercept. (This does little to prevent anyone within your physical proximity from eavesdropping, so exercise caution and common sense.)
- Does it allow you to change your display name, create a burner number, or otherwise conceal your identity? One of the most effective tricks a hacker has in compromising a business is spoofing (i.e., pretending to be a co-worker, colleague, or associate). Make sure you’re using a platform that makes it difficult to conceal or change your identity and be sure to confirm that the person with whom you’re communicating is who they say they are before sharing any information. It’s good practice to ask every attendee to announce himself or herself at the start of a meeting.
- Can meetings be restricted to attendees with PINs? Access to meetings can and should be restricted to invite-only. A secure platform will also provide a means of authentication. If you’re using one that doesn’t, consider changing to one that does.
- In large meetings, do participants get displayed on multiple pages when attending a large meeting? This matters because often uninvited guests who log in late can lurk there, displaying only a phone number, which is easy to ignore in a meeting with 50+ attendees.
Beware of Phishing Links
The COVID-19 outbreak has meant more people relying on e-mail as a primary source of communication and hackers have taken notice. Be extremely cautious when opening any attachments or clicking on links sent via e-mail or text.
The risks are not new. Ransomware has the potential to effectively sever your communication to your workers, and there will be fewer resources for getting back online.
Additionally, hackers will be looking for opportunities to hack into companies with the mass change of behavior. Other vectors of attack may include phishing via text message (smishing) and vishing, where someone calls and poses as an employee.
Confirm E-mail Communications
A major tactic used in phishing scams is Business Email Compromise (BEC), where seemingly innocuous e-mails are sent from a known co-worker or colleague to get sensitive information such as network access, payment information, or even money transfers.
“BEC is a very damaging form of phishing – one that riffs off the whaling method, where the hacker’s goal is to trick a c-suite employee into clicking a link or opening an attachment,” says CyberScout founder Adam Levin. “BEC turns the whaling method around, spoofing the e-mail of a higher-up and sending an urgent communication to someone in a position to wire money.”
Google and Facebook were both hit with this tactic to the tune of $100 million in 2019 – if anyone in your office gets an e-mail asking for anything potentially sensitive, follow up with a phone call, Slack, text message, etc. Never trust an e-mail, even if it looks legitimate.
How Do Remote Workers Figure Into It?
It goes without saying that everything was not secure or cyber-safe before COVID-19. Any business with at least one computer, mobile phone, or Internet-connected device was and continues to be threatened on a regular basis by a wide array of malware, phishing scams, data leaks, ransomware, and more.
An entire office can operate on a single network with the bulk of its internet traffic channeled through that single Internet connection. This makes it easier to implement a firewall and security software specifically designed to block suspicious traffic and known threats. Also, IT and tech support staff usually have access to all devices connected to a company’s network, and for that reason can ensure software and firmware is patched and up to date. While that doesn’t protect fully against cyberthreats, it provides greater oversight and protection than workers have from their homes.
“This new situation has drastically increased our collective attackable surface,” Levin warns. “A spike in new cyber-attacks is inevitable when an entire workforce is connecting remotely.”
Blog courtesy of CyberScout. ©2020 CyberScout, LLC