As the New Zealand Herald reported, Zoom has some serious security issues in its Windows client that can be “used for limited remote code execution and, worse.”
And for many of us this means about the same as E=mc². What does this mean for us non-cybersecurity folks working from home during the COVID-19 lockdown? And how can you explain that to your mum, eh?
Here are our top five tips about working from home, video conferencing and staying safe.
Don’t talk to strangers
Businesses tend to use video conferencing solutions that allow anyone with a valid company email to join freely. If this sounds like your place of work, then stick to that. It means anyone from outside the company can’t join your discussions.
Some video conference solutions allow you to dial in from a mobile phone number as an alternative way in – if you see an unknown number pop up on your chat, challenge them to make sure there aren’t any lurkers.
But for the rest of us, make sure the platform you’re using has an option to set an entry password that you can share separately with all attendees. That way you won’t have any random stranger suddenly pop up in the middle of a shared lunch. Take advantage of the waiting room feature if it exists. You can vet and approve unexpected attendees prior to them potentially wreaking havoc.
Of course, there are those platforms that actively encourage people to drop in – Houseparty is one good example where you can issue an open invitation to anyone in your address book. If you are using these services, be aware that people you might not want on the call can join in. While that is unlikely to be problematic for your children’s schooling, Aunty Jean might think she’s joining a family dinner and a boozy flat game of virtual Truth or Dare might not be her cup of tea.
Do you even know what a .bz2 file is?
It’s simple. If you don’t know what a file is and if you don’t know how or what to use to view it, do not click on it, do not open it, and do not share it. If someone sends you a weird link over a video conference session, double-check that it is a real thing they’ve actually sent to you and not something that will hijack your computer. If you think dealing with tech support is hard work in the office, when you’re working remotely it’s doubly difficult. If the person is known to you, but there are attachments, check with them first – and not by email! Their account might have been hacked.
And of course, if you do need to share a file with your colleagues, then use file encryption, encrypted email, or whatever your company uses for secure file sharing. Emailing databases about the place is not considered smart, and certainly is not good practice.
Big brother may not be watching, but your housemate might be listening
Chances are your partner or flatmates find your work calls boring but you might not realise that your voice carries to the neighbours. Always consider who else is around when you’re on that conference call, especially if you’re working with sensitive information. Someone might be recording the call without your knowledge or just interested to find out about that big company deal you’re helping put together.
The lesson here is watch what you say. Check the participant list. Consider alternative communication channels for highly confidential conversations. The same applies for screensharing. Close your documents and shut down any irrelevant applications. And in the interests of not driving your family and flatmates nuts with your calls, get a good quality headset rather than shouting at your laptop. Trust me on that one.
You know what they say about repetition…
It might be boring, but it pays off. And so does accessing any system or application with more than one type of login.
Hopefully, your company has already introduced multi-factor authentication (MFA), which will require you to check your phone for a code before logging in to any vital system. But in case they haven’t, many platforms allow you to enable MFA yourself. This reduces the chances of someone using your stolen credentials to hack your account and, again, wreak havoc. And if you think having to change all your credit card details and passwords is a pain when you’re able to move about the city, it’s doubly difficult when we’re all in lockdown, so avoid giving the bad guys access to your details.
If it smells funny, don’t sniff
Just because we are talking about video conferencing doesn’t mean emails suddenly aren’t relevant. If you receive any unexpected emails, or an expected email that seems ever so slightly off, don’t click on any links or open any files. Notify your IT team and delete the email. Always check before following those important orders you received from YourCEO@gmail.com or similar, which arrived in the dead of night and need you to urgently pay an invoice or similar. It might be from your boss, but equally it might not.
Most importantly, remember to strike a balance between risk and benefit. Good cybersecurity is not about stopping business activity, but about using appropriate tools for appropriate tasks. Houseparty is a great tool for remote classrooms, but not for executive communications. And finally, find a way to incorporate the norm into the new norm. Have fun with your calls, be kind to your colleagues, and screenshot the awkwardly frozen faces. Most certainly report back to your entire team when a colleague spontaneously decides to flash during your team catch-up call.
When we all get to go back to the office, it’ll be good to have a little something up your sleeve for your next performance review.