Hackers could be preying on your lax cyber hygiene and plotting to bring down your employer, leaving you jobless!
Nearly two decades ago, this writer worked as a transcriptionist, converting the WAV audio files of CEOs and CFOs on conference calls into text. The work entailed repeatedly listening to C-level personnel who made no effort to speak more audibly and clearly.
Being from a developing country like the Philippines, we were paid minimum wage and worked graveyard shifts, transcribing the files e-mailed by clients in the United States. It was a job not without enjoyment: there was camaraderie among employees. If one happened to encounter a part of a speech that seemed incomprehensible, that employee could pass the headphones to a fellow employee.
Background sounds from the conference call would also be recorded in the wav file and this would cause some amusement for the transcriptionist: for example, a woman sneezing while the CFO was speaking. In other instances, a CEO would speak so fast that his words would be mixed up: saying “in the wrong lan” when what he meant to say was “in the long run”.
Tim Mackey, Principal Security Strategist at Synopsys Software Integrity Group, had this to say about the capture of background noise such as sneezes: “We’ve all heard about cameras or microphones being enabled by default for conference calls and capturing unintended background noise, but this is in reality a variant on the ‘open mic syndrome’ politicians are susceptible to. While politicians and corporate executives are often taught to take care around cameras and microphones, when occasional use of remote conferencing software by staff becomes the de facto method for team discussion, then it falls on IT and HR teams to provide a primer to all staff on proper conference settings and etiquette.”
Fast forward to 2020: clients requiring transcription of conference calls have nearly dried up. Managers now video-conference even with their own staff. With the COVID-19 virus having turned into a pandemic, working from home is an option—sometimes the only option—when an employee has used up his leave credits.
In the Philippines, which reportedly has the second-worst traffic in the world, there is even a law for it: Republic Act 11165, also known as the Telecommuting Act, was enacted before anybody had heard of COVID-19. This writer was offered the use of his employer's laptop for drafting and e-mailing letters and other written work.
Over and above the danger of the laptop being stolen, there is always the risk of a sensitive document being accessed by someone other than the employee and the employer.
Mackey explained: “If the home computer or laptop is shared, it’s entirely likely that the only controls to separate the data from each user are the defaults of the operating system. It’s also likely that practices like locking the device whilst away from the device aren’t common as the device is thought of as for personal use. These realities increase business risk should a sensitive document be legitimately downloaded but become readable by another member of the household. This places the onus on managers to define a set of rules around document management and inform their staff that they should treat the security of any personal device they’re using for work as if it were a company device.”
In the end, Mackey goes on, personal work habits could become the weakest link in the security chain, whether someone is engaged in video conferencing or merely sharing a document. Another expert who chipped in is Brian Trzupek, VP of Emerging Markets at DigiCert. He provided this picture of the risk involved in connected devices used by remote workers: “Someone in your workforce could be using a Windows XP laptop with outdated software, or an outdated and unpatched mobile device. They may use it to access corporate web resources or even the corporate VPN. But the machine may be vulnerable, and simple network access may allow it to be found and compromised because it’s so old and outdated. A hacker could effectively have access to whatever that computer or VPN has access to. It could also lead to additional exposure in your enterprise depending on any additional vulnerabilities a hacker could find in other layers of your network and applications.”
Trzupek recommends digital certificates to prevent man-in-the-middle attacks, prove identity and control access; the same approach works for access to VPNs and Wi-Fi networks. Most security professionals agree that a username-and-password combination is not a strong enough method of authentication for enterprise IT assets. A certificate behaves like an unguessable password that is never transmitted: the device proves possession of its private key cryptographically during the TLS handshake, and the server admits it only if the certificate chains to a certificate authority the server trusts, so there is no shared secret to guess, phish or replay. That provides strong authentication for system and network access.
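To make the difference concrete, here is an added example written for this page; it is not the article's own code and not DigiCert's. The Go program builds a throwaway corporate CA in memory, starts a TLS endpoint that stands in for a VPN gateway and is configured to require a client certificate chaining to that CA, then dials it three times: with no certificate at all (a client that would otherwise rely on a password), with a certificate carrying the same device name but issued by an unrelated CA, and with one issued by the corporate CA. Only the last is admitted. The CA names, the gateway name vpn.corp.example and the device name employee-laptop-0042 are made-up labels for the example, and all keys are generated fresh on every run.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints an in-memory certificate: a self-signed CA when parent is nil, otherwise a leaf
// signed by parent, which is the only CA it chains to. All names here are example labels.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	key := check(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent CA is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der := check(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: check(x509.ParseCertificate(der))}
}

// startServer stands in for a VPN gateway. The hardened setting is ClientAuth: RequireAndVerifyClientCert
// (Go's default is NoClientCert) with ClientCAs limited to the corporate CA; nothing is served before that check.
func startServer(gateway tls.Certificate, trusted *x509.CertPool) string {
	ln := check(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{gateway},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    trusted,
	}))
	go func() {
		for {
			c := check(ln.Accept()).(*tls.Conn)
			if c.Handshake() == nil {
				fmt.Fprintf(c, "welcome %s", c.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			c.Close()
		}
	}()
	return ln.Addr().String()
}

// connect dials the gateway as a client that trusts only the corporate CA and presents the given client
// certificates, if any. Under TLS 1.3 the client finishes its handshake before the server has verified the
// client certificate, so a rejection surfaces as an error on the first Read rather than on Dial.
func connect(addr string, trusted *x509.CertPool, clientCerts ...tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: trusted, ServerName: "vpn.corp.example", Certificates: clientCerts}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	buf := make([]byte, 128)
	n, err := conn.Read(buf)
	return string(buf[:n]), err
}

// Scenarios runs three clients against the gateway and reports which of them were admitted.
func Scenarios() map[string]bool {
	corpCA := issue("Corp Internal CA", nil)
	rogueCA := issue("Rogue CA", nil)
	laptop := issue("employee-laptop-0042", &corpCA)
	impostor := issue("employee-laptop-0042", &rogueCA) // same name, but the issuer is not trusted
	trusted := x509.NewCertPool()
	trusted.AddCert(corpCA.Leaf)
	addr := startServer(issue("vpn.corp.example", &corpCA), trusted)
	admitted := map[string]bool{}
	for name, cc := range map[string][]tls.Certificate{"none": nil, "rogue": {impostor}, "corporate": {laptop}} {
		greeting, err := connect(addr, trusted, cc...)
		admitted[name] = err == nil
		fmt.Printf("client certificate %-10s admitted=%-5v %s%v\n", name, err == nil, greeting, err)
	}
	return admitted
}

func main() { Scenarios() }
```

Run it with `go run`. The certificate-less client is turned away with a TLS alert on its first read, and the rogue certificate fails the same chain check (Go's client, seeing that the gateway listed no acceptable issuer for it, does not even send it). Note what the ClientCAs pool means in practice: whatever sits in it can mint a passing certificate for any device name, which is why the issuing CA's keys deserve at least the protection given to the gateway itself.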
Forbes has noted, meanwhile, that certificate infrastructure is itself a prime target: the 2011 DigiNotar breach, in which an attacker issued fraudulent certificates from a compromised certificate authority, is the best-known case, and administrators who mismanage their own certificates and keys can do comparable damage.
Moral of the story: raise remote workers' vigilance about their personal home-working habits, do not take VPN configurations for granted, and adopt a zero-trust approach where possible.