Homeworkers Beware - The Walls Have Ears
We are now at peace but we may still be privy to secrets. The imposition of COVID restrictions led to an essential increase in home or remote working. This means that work secrets may no longer be constrained within the walls of the workplace.
It is unlikely that traditional office work practices will ever return to their pre-COVID levels. The technology to support and secure remote working has performed well to enable and secure the connection. There will always be a risk of appropriate or out of date software not being in place to secure communications. It is, however, reasonable to assume that the transfer of data between the corporate network and the homeworker is secure. There remains the possibility of leaks outside of the secured network pipelines between co-workers.
Lack of attention to what is being said and done on the remote connection can lead to problems. The network security team need to be aware that not all employees may share their dedication to procedures and protocols. In the UK there is no legal constraint on how long a user is allowed to spend in front of a computer screen. There is only the advice that suitable breaks be built into the working day https://www.hse.gov.uk/msd/dse/work-routine.htm . When working remotely it will not be possible for the employer to enforce even those breaks. One possible consequence is that the remote worker does no work, they log in (leaving a secure connection open for anyone passing by) and do whatever else they want. At the other extreme the new regime of office suite work, increased email volume and remote meetings may substantially increase the worker’s daily screen time. The latter could lead to mistakes as the worker is not concentrating on what is seen on screen. The ‘natural’ office routine of short breaks away from the desk and casual chats with colleagues is missing. Overworking does not benefit the business: Instructions might be misunderstood, emails sent to the wrong recipients.
The video meeting is a direct window on the participants’ home-life; able to expose personal and company information. Behind the head and shoulders of the attendees; parts of the room they are located in will be visible. These could lead viewers to make inferences on where the speaker lives, their lifestyle and possible items of value in the room. Information might be built up allowing phishing attacks on the worker or organisation. There are a variety of stage backgrounds available on video meeting platforms. If one needs to be used; choose one that could not possibly divulge anything about the speaker’s personal interests to the other attendees. What one person sees as entertaining or comical might appear flippant or unprofessional to another. A blurred background could be an acceptable choice but as with turning off video may imply that the attendee has something to hide. If a dedicated home work space is available it can be staged to present a background indicating commitment to work but revealing nothing of the worker’s home life.
It is often necessary to turn off a camera in heavily attended meetings as a means to reduce the overall lag and quality of the call. This may not be the best approach for a corporate call as if the video and sound are off there is no guarantee that the attendee is paying attention or is even present in the vicinity of the call.
Any organisation should be aware that someone could be viewing or listening outside of the meeting video area. This might be deliberate with the eavesdropper located outside the camera angle or, if there is no camera engaged, sat at the keyboard. Anyone nearby the remote location, within the building or passing by might also hear parts of a conversation. It is less likely that a casual passer by will be interested in details of corporate systems and security procedures but they might pick up information such as personal details or security vulnerabilities that they could pass on. Although no stored information has been directly accessed, if it is now disclosed to an unauthorised individual a breach of GDPR has occurred.
There is no ‘one stop’ solution to the issue. Business telephone calls are just as vulnerable to eavesdropping as video calls. All participants in a remote session need to consider the relative importance of that session and act accordingly. A working group catch up can be less vigilant than a security debrief. Individuals should always take notice of what other participants are doing within a session and challenge unusual behaviour.