The explosion in home-based video conferencing and online messaging has introduced new security risk factors that many organisations are not taking into account. Alan Field considers some of the issues that may need to be managed.
Although many lockdown restrictions have now been lifted, a lot of people, especially those with office-based jobs, are still working partly or fully from home. This has been facilitated by the use of video conferencing and online messaging technologies.
Even when there is a wider return to offices and other premises, at least some organisations will keep an element of remote working. The genie is out of the bottle — virtual meetings mean productivity can be maintained, and can be more convenient and cheaper for all concerned.
However, not every organisation has thought through the safety and security implications of using video conferencing and similar technologies.
Employee risk assessments
Before the Covid-19 pandemic, organisations with some elements of remote working (be this employees working from home, at customer premises or travelling) had risk assessments in place for these work environments.
Those that do not already have them should check that they do have suitable and sufficient risk assessments in place, especially if there was a sudden move to remote operations during Covid-19. The Health and Safety Executive (HSE), on its webpage Protect home workers, points out that for those working from home on laptops or computers on a long-term basis, workstation assessments must be done. However, it states “there is no increased risk from DSE for those working at home temporarily. So in that situation employers do not need to ask them to carry out home workstation assessments”. It is recommended that employers support employees in carrying out a basic checklist and consider supplying DSE equipment where required.
As part of their consideration of DSE risks, organisations should think through whether the extended use of video conferencing and other software creates additional DSE risks or exacerbates existing ones. There might be, for example, an increase in eyesight-related issues due to extended use video conferencing — particularly where charts and other documents are regularly shared onscreen.
As with everything in health and safety, conducting risk assessments so that you have identified the major issues and possible controls, helps to mitigate the risks for all concerned.
Issues of personal security
It is worth drawing up a brief policy on video and audio conferencing for your organisation. All staff, including the most senior, should be briefed on what is and is not acceptable when conferencing from home. This could cover issues relating to business relationships as well as information security.
For example, young children allowed regularly into the meeting may be endearing to many attendees but, for some meetings, might be an unwelcome distraction. The almost obligatory bookcase or work of art in the background on video calls might display something of a religious or political nature that causes unintended offence. With some systems like Microsoft Teams, one can either blur or change the screen background.
There are also staff considerations — some individuals are uncomfortable about their homes or members of their family being seen by other parties, some of whom they might not know well or not at all. Also, some organisations may require formal dress for video meetings although, it must be said, these are likely to be in the minority now.
This may all seem relatively trite, but most organisations aim to maintain professionalism and avoid unnecessarily annoying customers or other stakeholders. Virtual meetings should be no different. These reasons are often why some organisations ask staff to switch off video images unless they are sharing screen with virtual meetings.
Issues of data security
Unlike in an office or laboratory — where the security of data can be better assessed — every home is different. In a city centre, staff are more likely to be in a house share or living with parents. This means that others may have access to wi-fi routers or even the member of staff’s laptop. All staff need to be reminded to password protect their laptops (or use other agreed verification systems) and never leave them in a way that allows a family member or others to access them.
There is a risk to the security of data in terms of video images, especially if an attendee (perhaps without the knowledge of the others attending) records the meeting. In other words, the usual email rules apply: try to avoid saying anything that could lead to legal action, create reputational risks or, again, cause unnecessary issues with customers or colleagues.
The same rule applies to staff who work from customer premises or elsewhere — assume there may be eavesdroppers — innocent or otherwise. Where a virtual meeting takes place, it often impossible to know if there are others listening to the conversation, even if they can’t be seen or heard.
The extent to which these are all real issues depends on what is being discussed. Where there are definite data protection issues, such as GDPR requirements where personal data is being exchanged, the fact that it is a video conference (and not an email or a telephone call) doesn’t make any difference at all. Compliance requirements still apply and risk assessments for data protection need to take into account any virtual meetings occurring away from the business premises, which includes employees’ homes.
Some meetings may also have sensitive commercial information being discussed. Again, there needs to be consideration of this in terms of security countermeasures and a simple briefing to staff. For example, participants should be advised to think carefully before asking for confidential information that isn’t obviously necessary for the decision in hand.
It is worth setting boundaries as you don’t know who may be listening. Some virtual meetings can, in theory, be hacked and some more basic video conferencing software has anecdotally, on occasion, even brought in unintended attendees for a period of time.
Considerations in terms of software
Where encryption systems are available on some video conferencing options, these should be evaluated for any limitations and staff reminded to use them. For example, one can use a “secret conversation” option with Facebook Messenger, which gives end-to-end encryption. However, this wouldn’t prevent one of the participants taking screenshots and this risk applies with most video conferencing tools, encrypted or not. Therefore, it is advised that the screen sharing of confidential documents should be kept to a minimum.
Similarly, some software applications include administrator rights, which allow the actual participants, times and duration of meetings to be monitored and analysed, even though the content of the meetings are unknown. Could that analysis be of interest to unauthorised parties? Something to consider. (The now famous codebreakers at Bletchley Park in World War II developed this very technique of metadata gathering — which they named traffic analysis — and many “cookies” used today to track online information for marketing purposes operate with a similar goal in mind).
The flip side of this is that may also be the possible to apply administrator rights to restrict actions, such as the ability to record meetings. If this is done, then all staff should be told they are only to use company video conferencing software and not to be tempted to circumvent this by using their own domestic applications. Beware that it is a balancing act, however: the more restrictive an organisation is in terms of applications, then the more likely it is that clever people will look for workarounds and so inadvertently create risky scenarios that can’t be mitigated. Just what hackers and those involved in industrial espionage want to see.
The benefits of virtual meetings conducted from home, is something that is here to stay in some shape or form — as can be seen by the expediential growth of those using video conferencing software. To protect themselves, organisations should identify the security risks this brings and decide on the appropriate countermeasures to mitigate them. Then, once your cybersecurity policy has been established, this needs to be communicated clearly to staff. In so doing, safety and information security approaches can come together in such a way that all stakeholders rights and interests are better understood and protected.