Organisations leveraging various online platforms, especially Zoom, for virtual meetings face the risk of data compromise, a cybersecurity expert has warned.
Process engineering analyst at Mi-C3 International, Mr. Adote Rock, who gave this warning during a webinar organised by the Nigeria Internet Registration Association (NiRA), said meetings over platforms such as Zoom could be recorded by anybody who is a participant and the information could be used against the organisation.
“Zoom gives you the false impression that only you can authorise the recording of a meeting but in reality a simple press of the Windows key plus G allows anybody to record all the proceedings. This information could be sold or shared to anybody to the detriment of the organisation,” he warned.
Adote advised that any organisation using the online platforms for meetings should have a pre-written agreement with all participants that forbids unauthorised recording of their meeting.
In a presentation at the webinar themed: ‘Cyber threats and Security in the face of COVID-19,’ Rock noted that data correlated across several threat intelligence platforms showed that since the beginning of the pandemic, there has been an upward trend in attempted COVID-19 themed malware and spam campaigns.
“There have been several phony advisories purporting to provide updates on COVID-19 spread, health updates, fake cures, leading to malware download and ransomware attacks. Some of these attacks, if successful, could lead to unavailability of critical systems and data,” he said.
He added that the remote working arrangement, which for many organisations is ad hoc, and never fully planned, had increased the risk of loss of sensitive business and personal data.
According to him, the key risk factors include the use of personal devices with limited or no security protection for business, inadequate awareness amongst staff, and inadequate remote access security for critical systems.
“As organisations across the world adopt remote working arrangements, there is a widening of the attack surface due to third-party risk.
“Many vendors providing support for critical services also have their employees provide support to clients from home, while some have to engage ad hoc staff to perform services due to unavailability of certain employees,” he said.
Highlighting some of the steps organisations could take to reduce the risk to themselves, their customers and their employees, he said businesses must raise awareness amongst their team, warning them of the heightened risk of COVID-19-themed phishing attacks.
“Enhance security awareness to your customers via email and text messages, providing tips on the safe use of your digital channels, and share definitive sources of advice on how to stay safe and provide regular communications on the approach your organisation is taking to the COVID-19 pandemic.
“Make sure you set up strong passwords, and preferably two-factor authentication, for all remote access accounts, particularly for Office 365 access, and provide remote workers with straightforward guidance on how to use remote working solutions, including how to make sure they remain secure and tips on the identification of phishing.
“Also assess third-party risks of vendors who provide support for critical systems, digital interfaces, and channels and run a helpline or online chat line which they can easily access for advice, or report any security concerns including potential phishing,” he advised.
According to him, organisations would also need to disable USB drives to avoid the risk of malware, offering employees an alternate way of transferring data such as a collaboration tool.