Part 1: updated 4/14/20
Part 2: updated 4/20/20
Starting in March 2020, cities and states across the US began issuing ‘stay-at-home’ or ‘shelter-in-place’ orders for non-essential workers to help slow the spread of COVID-19, and the average worker now works from home instead of in the office.
In this three-part series, we’re going to highlight some of the most common threats people should be aware of when working at home, and best practices to mitigate them:
- Potential threats to personal privacy
- Emerging threats to business security
- Phone/email-scams and solicitations to be aware of
As a result, the work-from-home population has at least doubled in the past few weeks (Gallup). Precise numbers are unknown, but all indicators suggest that what used to be an occasional practice for 20-30% of the US workforce has become almost full-time for the majority.
This is an entirely unprecedented situation, especially given the open-ended timeframe. Many businesses are reconfiguring operations to minimize in-person attendance, expanding remote access to corporate networks, and replacing face-to-face meetings with online video conferencing.
This explosion in remote work has come with obvious security and privacy risks for business information. Tens of millions of people are now treating public networks and cloud-based applications as primary business infrastructure. Enormous amounts of data and communications that would normally stay inside private corporate networks now travel over home and public Wi-Fi, where the network itself offers little protection and everything depends on each application encrypting its own traffic. And many people are now using productivity tools that have far fewer of the security features and data protections they previously took for granted.
Many of these same threats to business information security also create new privacy risks for individual workers: exposing private information to employers or co-workers, or creating opportunities for exploitation by malicious third parties.
While some of the latter are versions of already-common threats, such as COVID-specific robocall scams or email phishing schemes pretending to come from public health agencies, some are novel attempts to exploit the specific IT platforms people are using while working from home, such as Zoom or commonly used VPN/gateway services.
Corporate Surveillance Continues – Even as a Telecommuter
Working from home, especially on company-provided equipment, can often mean being subject to even more personal behavior tracking than while sitting at a desk in the office.
If you use a company-supplied laptop, it is very likely that everything done on it is being logged remotely in as much (if not more) detail than when you are in the office.
This fact is not especially new; but it still may be surprising news to a new telecommuter who hasn’t had years of experience working remotely.
Similarly, even if you use your own personal computer, common collaboration platforms like Slack, Zoom, or Google Hangouts give workspace administrators access to the messages users exchange on them, including direct messages, subject to the plan and retention settings the company has chosen.
Interactions with co-workers over cloud-based platforms are never more private than they would be over internal corporate email or messaging; assume an administrator can read them.
Further, conferencing apps can give employers behavior tracking of users who are supposed to be attending meetings. Zoom’s ‘attention tracking’ feature flagged to the host any attendee who kept the Zoom window out of focus for more than 30 seconds while a screen was being shared; Zoom removed that feature in early April 2020 after criticism, but hosts can still see from meeting reports when each attendee joined and left and how long they stayed.
It is also more likely that employers, worried about declining productivity and worsening economic conditions, will look at this kind of behavior-tracking data to judge which employees are contributing most during working hours.
Platforms like Zoom can expose telecommuters’ PII to third parties, not just co-workers
While most people understand that information they share while video conferencing is accessible to their employer and co-workers, it is not always self-evident how cloud-hosted platforms might make personal data available to third parties. Just last week it was revealed that Zoom’s ‘Company Directory’ feature was automatically grouping users whose email addresses shared a domain and showing them to each other as colleagues. Because it did not distinguish corporate domains from small email providers, it exposed the names, photos, and personal email addresses of thousands of strangers to one another. This is not a concern for those using only corporate email accounts, but for those signed up with lesser-known email providers it was a significant privacy breach.
The best practice to avoid this kind of risk is to never use a personal email account to sign up for, or log in to, any cloud-based platform you use for business.
Control your background information
For the average telecommuter doing video conferencing from home for the first time, it may also be tricky to keep home life separate from what gets shared during calls. Many will recall the viral BBC interview in which the interviewee was interrupted by his children.
New users of Zoom or other video conferencing tools should set up a virtual background before their first call, so that the room they work in does not become a source of privacy breach. Note that without a physical green screen, virtual backgrounds can flicker and briefly reveal what is behind you, so still check what the camera can see (documents, whiteboards, family members) before joining.
Key Privacy Tips that all telecommuters should keep in mind when working at home:
1. Don’t use employer-provided equipment for anything you wouldn’t be doing at the office itself.
2. Be aware that ‘private’ or ‘incognito’ browser windows are not private from your employer. They only stop the browser from saving history and cookies on the device; on a company-managed computer, endpoint monitoring software, DNS and proxy logs, and VPN logs still record where you went, and administrators can read them. See #1!
3. Collaboration platforms, whether corporate-hosted or cloud-based, typically retain person-to-person private messages and make them available to administrators, and potentially to third parties who obtain administrator credentials. Don’t share personal information over a work platform’s messaging if it is just as easy to send a personal email or text.
4. Don’t keep personal files on work computers or use company-provided cloud storage for personal purposes; that data is backed up, retained under the company’s policies, and may be reviewed, or exposed if the company’s storage is breached.
5. If you can avoid it, never use public Wi-Fi for work purposes. If you use your own home Wi-Fi, make sure it is protected with WPA2 (or WPA3 if your router supports it) and a strong passphrase. Do not rely on WEP or the original WPA with TKIP: WEP can be cracked in minutes with freely available tools, and an open network lets anyone nearby capture your traffic.
6. Don’t share personal information on collaborative work platforms, including your phone number, private email, or any details you’d prefer third parties not have.
7. Mute your phone and/or microphone unless you are actually speaking in any group conference; anything said in the background may become public knowledge.
While personal privacy risks are often the focus of our users, we also think it is important to consider that heightened business-security risks can create significant personal liability, especially now that most of us are working at home.
No one wants to be the person who accidentally shared corporate VPN login credentials, or whose conference call got hijacked because invites went to the wrong email address.
Enterprise-level businesses have decades of experience with remote employee access and usually have robust VPN/gateway services and encrypted email platforms that keep information between worker and home office secure.
However, this is less often the case with smaller companies that rely on cloud-based collaboration platforms like G Suite or Slack, or a mixture of cloud-based and desktop applications. The risks of data exposure or loss, or of inadvertently granting access to malicious actors, become far higher, especially when large numbers of people with little experience with these tools begin using them for the first time.
There are also millions of people now working at home who may be relying solely on consumer email services rather than a company-managed Office 365 tenant, and on consumer cloud document sharing rather than a company intranet. While most companies will make do with whatever keeps the business running, the consequences of any eventual breach of privacy or security will fall first on individual users.
Secure Communications Tips for Working at Home
- As with our general-privacy tip to “don’t commingle personal information on work platforms”: don’t mix work communications between your company-provided email and a personal one.
Some people find it time-consuming to log on to a secured company computer every time they need to send an email, and choose to send business information from a Yahoo or Gmail account instead. Resist this temptation unless you’ve been given explicit instruction to do so: mail sent from a personal account bypasses the company’s retention, encryption, and malware filtering.
- Make sure your most frequent and important contacts are verified in your email address book; there has been a boom in spoofing of company names and email addresses, where attackers send messages that appear to come from a co-worker’s account, carrying links or documents that can infect work computers. Display names are trivially forged, so check the actual sending address against your address book and look for lookalike domains (a digit ‘1’ in place of an ‘l’, an extra or missing letter). This is especially important when switching from business email to a personal account, which may not have the same address-book details for co-workers.
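The checks described above can be automated on a received message. The script below is an added example written for this article, not code from the original post; it uses only the Python standard library and reports three things about a raw email: whether the From display name matches a known contact whose real address differs, whether the sending domain is a lookalike of the company’s domain (after undoing common character substitutions and allowing a couple of typosquat edits), and whether the receiving server’s Authentication-Results header reports SPF, DKIM and DMARC passes. The trusted domain, the contact list and both sample messages are constructed for the example.

```python
"""Flag likely sender spoofing in a received email.

Added example for this article, not code from the original post. Uses only
the Python standard library. The trusted domain, the contact list and the
two sample messages below are all constructed for the example.
"""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com"}        # constructed: your company's domain
KNOWN_CONTACTS = {                            # constructed: verified address book
    "dana reyes": "dana.reyes@example-corp.com",
}
# Character substitutions attackers use to build lookalike domains; undone before comparing.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))


def normalize_domain(domain):
    d = domain.lower().strip()
    for fake, real in SUBSTITUTIONS:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance; used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True when a domain is not trusted but is confusable with a trusted one."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return False
    norm = normalize_domain(domain)
    return any(norm == normalize_domain(t) or edit_distance(norm, normalize_domain(t)) <= 2
               for t in TRUSTED_DOMAINS)


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from the receiving server's Authentication-Results."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def check_message(raw):
    """Return a list of findings for a raw RFC 5322 message; empty means nothing suspicious."""
    msg = Parser(policy=policy.default).parsestr(raw)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    known = KNOWN_CONTACTS.get(name.strip().lower())
    if known and known.lower() != addr.lower():
        findings.append(f"display name {name!r} is a known contact but the address is {addr}, expected {known}")
    if is_lookalike(domain):
        findings.append(f"sender domain {domain} is a lookalike of a trusted domain")
    verdicts = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":   # a missing header counts as a failure
            findings.append(f"{method} did not pass ({verdicts.get(method, 'absent')})")
    return findings


# Constructed samples: a spoof using a digit '1' for 'l', and a genuine message.
SPOOFED_MESSAGE = """\
From: "Dana Reyes" <dana.reyes@examp1e-corp.com>
To: you@example-corp.com
Subject: Updated VPN config - please load today
Authentication-Results: mx.example-corp.com; spf=softfail smtp.mailfrom=examp1e-corp.com; dkim=none; dmarc=none
Content-Type: text/plain

Hi, load the attached VPN config before the 3pm call: https://examp1e-corp.com/vpn
"""

LEGIT_MESSAGE = """\
From: "Dana Reyes" <dana.reyes@example-corp.com>
To: you@example-corp.com
Subject: Agenda for 3pm
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com; dmarc=pass
Content-Type: text/plain

See you at 3.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(label, check_message(raw) or "no findings")
```

Authentication-Results is added by your own receiving mail server (Gmail and Office 365 both add it; it is visible under ‘Show original’ or ‘View message source’). Only trust the copy your own server wrote, not one that arrived with the message from outside, and treat a missing header as a failure, as the script does.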
Secure File-Sharing Tips When Working at Home
- Keep business documents off phones. While a modern smartphone can temporarily serve as an ad-hoc office computer, devices get lost or are easily compromised. Files stored on mobile devices become accessible to a wide range of third-party background apps and services, including backup services that copy all your files and store them remotely.
- If you share company files on a cloud-based platform, zip, encrypt, and password-protect them, and send the passwords in a separate secure email from the links to the documents. Use AES-256 encryption (as offered by 7-Zip or WinZip) rather than the legacy ‘ZipCrypto’ option, which can be broken with freely available tools. Additionally, delete files from these platforms once your co-workers or clients have confirmed receipt.
- Be wary of thumb drives: they are a popular tool for distributing malware, and old drives can carry malicious code that hops from one computer to the next whenever they are used. Never plug in a drive of unknown origin. If you do need to use one, format it entirely before use (bearing in mind that formatting cannot remove malicious firmware), and erase proprietary company files from drives as soon as you no longer need them.
Video Conferencing Privacy and Security Tips for Working at Home
One example of the heightened risk environment has been an increase in attackers targeting conferencing platforms like Zoom. Exploitation has ranged from spoofed sign-on pages that trick employees into entering corporate credentials, to phishing emails with malware-laden ‘Zoom invite’ links sent to company addresses at random, to uninvited attendees joining meetings whose links or passwords were shared on insecure platforms and quietly listening in on corporate communications in the hope of picking up proprietary information.
The potential privacy and security holes in the Zoom platform have multiplied by the week. Only a few days ago it was revealed that the service’s ‘Company Directory’ feature was automatically grouping users with the same email domain and exposing thousands of names, photos, and email addresses to each other without their knowledge or consent. These and other emerging concerns recently prompted the New York City Department of Education to order its schools to stop using the platform.
Some tips to ensure new Zoom users minimize these forms of risk:
- Verify who is sending you conference links; be wary of invites sent via text or instant messaging platforms, or in emails from unfamiliar addresses, including ones that merely mention Zoom in the display name or domain. Inspect a link before clicking to confirm it points at the conferencing service’s real domain.
- The same goes for sending conference invites. Send the meeting link and password by email from your work account directly to the attendees, rather than posting it in instant messaging channels or using blanket ‘invite by contacts’ features, and never post links in public or shared spaces.
- Make sure those hosting conferences from home know how to adjust privacy and security settings so that meetings remain private. The most important settings are:
  - require a meeting password for all attendees;
  - allow only authenticated (signed-in) users to join;
  - disable ‘Join before host’;
  - enable the Waiting Room, so the host can verify every attendee’s identity before admitting them;
  - restrict screen sharing to the host;
  - disable auto-saving of chats;
  - share instructions with attendees on how to use virtual backgrounds.
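To make the list concrete, here is an added example (not code from the original post or from any conferencing vendor) that audits a meeting’s settings against the baseline above and produces a hardened copy with a randomly generated passcode. The settings dictionary is constructed for this example; its key names (‘join_before_host’, ‘waiting_room’, ‘meeting_authentication’, ‘screen_share’, ‘auto_save_chat’, and the top-level ‘password’) are assumptions chosen to read like a meeting-creation payload and must be mapped to the real option names of whichever platform and API you use.

```python
"""Audit meeting settings against a hardening baseline and produce a fixed copy.

Added example for this article, not code from the original post or from any
conferencing vendor. The dictionary layout and key names below are
assumptions that mimic a meeting-creation payload; map them to your
platform's real options before relying on this.
"""
import copy
import secrets
import string

# Each rule: (path into the settings dict, required value, why it matters).
BASELINE = [
    (("settings", "join_before_host"), False,
     "attendees can meet, chat and share with no host present to moderate"),
    (("settings", "waiting_room"), True,
     "the host never gets to vet unknown attendees before they enter"),
    (("settings", "meeting_authentication"), True,
     "anyone holding the link can join without signing in"),
    (("settings", "screen_share"), "host",
     "any attendee can take over the shared screen"),
    (("settings", "auto_save_chat"), False,
     "chat transcripts are written to disk after every meeting"),
]
MIN_PASSCODE_LEN = 10

# Letters and digits minus the ones misread when a passcode is read aloud (0/O, 1/l/I).
PASSCODE_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits if c not in "0O1lI")


def lookup(config, path):
    """Walk a nested dict; return None if any key along the path is missing."""
    node = config
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def passcode_is_weak(passcode):
    """Missing, short, or purely numeric passcodes are cheap to guess online."""
    return not passcode or len(passcode) < MIN_PASSCODE_LEN or passcode.isdigit()


def generate_passcode(length=12):
    """Random passcode from the unambiguous alphabet, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(PASSCODE_ALPHABET) for _ in range(length))


def audit(config):
    """Return human-readable findings; an empty list means the meeting is compliant."""
    findings = []
    for path, required, why in BASELINE:
        actual = lookup(config, path)
        if actual != required:
            findings.append(f"{'.'.join(path)} is {actual!r}, want {required!r}: {why}")
    if passcode_is_weak(config.get("password")):
        findings.append("password missing, short, or all digits: guessable by brute force")
    return findings


def harden(config):
    """Return a corrected deep copy; the caller's dict is left untouched."""
    fixed = copy.deepcopy(config)
    for path, required, _ in BASELINE:
        node = fixed
        for key in path[:-1]:
            if not isinstance(node.get(key), dict):
                node[key] = {}
            node = node[key]
        node[path[-1]] = required
    if passcode_is_weak(fixed.get("password")):
        fixed["password"] = generate_passcode()
    return fixed


# Constructed sample: the kind of defaults a first-time host might leave in place.
WEAK_MEETING = {
    "topic": "Weekly team sync",
    "password": "123456",
    "settings": {
        "join_before_host": True,
        "waiting_room": False,
        "meeting_authentication": False,
        "screen_share": "all",
        "auto_save_chat": True,
    },
}

if __name__ == "__main__":
    for finding in audit(WEAK_MEETING):
        print("FAIL:", finding)
    print("after hardening:", audit(harden(WEAK_MEETING)) or "compliant")
```

The generated passcode deliberately avoids characters that are confused when read out on a call; the passcode still travels in a separate message from the meeting link, as recommended above.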