Protecting your data as more employees work from home
The leading information technology (IT) challenges for nonprofits have changed during the 2020 pandemic as workplace structures, processes and plans have been upended.
As part of the virtual Wipfli National Training Conference, a June 23 session focused on the most common IT issues for organizations. Two areas that are getting a lot more attention than they might have just six months ago are work-from-home issues and video conferencing, said presenter Durward Ferland Jr., a principal in Wipfli’s risk advisory services.
About 90% of the session’s attendees said they are now working from home. A live poll examined the issue further, showing that 79% of the attendees’ employers had implemented or expanded working from home during the pandemic. Only 17% allowed employees to work from home before the pandemic arrived.
Security at home
Because of this trend, organizations should evaluate the security of their virtual private network, or VPN, connections.
“A lot of these connections were put in place quickly, so that people could get to working from home in a very short amount of time,” Ferland said. “Now that we have that up and we have people connected, this is the time that you should go back and do some vulnerability scanning or penetration testing to test those configurations to make sure that they follow your information security policies.”
An arrangement in which an employer allows employees to use their personal computers and devices is known as a “bring your own device,” or BYOD, configuration, Ferland said.
There are several things to consider for BYOD situations. First, check whether the organization’s data is “sandboxed,” or isolated, from the rest of the device, which protects access to the data. Nonprofit data could include your constituents’ demographic information or banking and credit card numbers.
Also check to see whether data can be wiped from those devices by the employer if necessary. Other questions to consider: Do you want to allow employees to print organization data at their homes? Are employees allowed to save data on their personal devices?
“You also want to think about the security of paper documents,” Ferland said. “Are paper documents allowed to be used in the work-from-home environment? If they are, is there secure physical storage when not in use?”
Employers also need to consider the ramifications of “shoulder surfing,” when family members and others in the household can walk behind an employee and read the data. A similar issue is eavesdropping on private work phone calls in which confidential data might be discussed. Voice over internet protocol (VoIP) phone systems allow organizations to route workplace phone numbers to wherever the employee is now working. “What are you discussing over that phone call?” Ferland said. “Family members, if they’re near you or around you, can overhear your side of the conversation. Are you talking about any private information?”
With more people working remotely, there has been an increased risk of “phishing,” Ferland said. Phishing is when someone poses as a legitimate group or person via email, text or phone in order to trick people into initiating a financial transaction or providing information such as passwords or credit card or banking numbers.
Phishing can sometimes be discovered sooner when employees are in the workplace and have more frequent and organic “watercooler” talk, he said. It’s also easier to be suspicious if an employee receives a strange email supposedly from a co-worker, but that co-worker is sitting 10 feet away.
These issues also make security awareness training even more important. A live poll during the session showed that 26% of attendees’ organizations do not conduct security awareness training. And yet, Ferland said, employee mistakes are one of the main causes of data breaches. Security awareness programs should also include the board of directors and volunteers, not just employees.
“It doesn’t have to be overly technical,” he said. “What you want to do is get employees to change behavior by raising their awareness.”
Video conferencing security
An area that seems to have taken over the workplace during the pandemic is video conferencing and remote meetings. In a live poll, 98% of the session attendees said their use of video conferencing has increased during the pandemic.
“Zoom bombing” spiked at the beginning of the pandemic, with hackers joining Zoom video conferences to post inappropriate images and messages. This shows the importance of making all of your video conference links password-protected. Meeting IDs are not passwords and can easily be guessed by hackers, Ferland said.
In addition, employees should be vigilant about who is sending them video conferencing links. Cyber criminals can send fraudulent links to gain access to user webcams. It’s also important to know that Zoom currently lacks end-to-end encryption, although the company has announced it is working on creating it. Without it, data discussed or shared through Zoom can be accessed by Zoom employees. Microsoft Teams has end-to-end encryption.
When using Zoom, Ferland recommended limiting user privileges, preventing participants from sharing screens or uploading attachments, using password protection and locking meetings once they start. Other considerations are to block webcam feeds, mute participants at certain times and prevent participants from sending private messages.
“With the new world that we are in now, [working from home and video conferencing] have gone from being something that’s a little bit more on the fringes with a lot of the nonprofit organizations to being something that became mainstream very quickly,” Ferland said.