With many companies having no choice but to allow employees to work from home, digital hacking, or hijacking of the software used to connect to work is on the rise. Scammers and hackers are specifically targeting remote workers. As workers leave the safe digital infrastructure confines of their company environment, they become more vulnerable to scams. Companies that were not prepared for remote work or having to allow employees to log in from unsecured personal computers.
Zoom bombing became a new term as remote workers flocked to the free video conferencing software. Zoom provides a meeting URL that can be given out to meeting attendees. However, anyone with access to the URL can drop into the meeting. Many employees found this out the hard way as hackers consistently barged into meetings and disrupted them. Google went so far as to ban its employees from using Zoom.
The Zoom hijacking issue is mainly due to employees posting meeting URLs publicly. Meaning, across social media and other areas where anyone can find them. Companies that are set up for remote work and follow best practices don't have to worry about such issues. Their employees login via a VPN (secure connection) that is not available to the general Internet. Some companies will also only allow connections (remote working) from company procured laptops.
The FBI has taken notice of the hijacking problem and recently released a set of guidelines for defending against video-teleconferencing (VTC) hijacking:
- Ensure meetings are private, either by requiring a password for entry or controlling guest access from a waiting room.
- Consider security requirements when selecting vendors. For example, if end-to-end encryption is necessary, does the vendor offer it?
- Ensure VTC software is up to date. See Understanding Patches and Software Updates.
Zoom also sent out an email to its customers on how to better secure their meetings. Namely to not give out meeting URLs and lock the meeting once it has started.
There's no doubt that many companies have learned of weaknesses in their remote work strategy. The need for remote work is clear, and now so is the ability to ensure its security.