A common theme in the workforce in 2020, at least here in the United States, is that many businesses will soon let many of their employees work remotely, wherever that might be.
For example, it could be as simple as working from home, working at your local Starbucks café, or even in the jungles of South Africa (assuming that you can get a good Internet connection there).
Allowing employees to work like this can provide many advantages to a business, especially in the way of worker morale, and hopefully productivity. People don’t have to face long commutes anymore or wait in the sub-freezing temperatures in order to catch the train to get to work.
But the problem with this, of course, for a manager of any department, is making sure that the work gets done, and on time.
This can be difficult at times, especially if your employees are 100% remote. But soon, the days of the traditional brick-and-mortar office will be gone. After all, it is a savings to the company as well: there is no need to sign a long-term lease and pay over a thousand dollars of rent each month.
If you really must have an office, there is the virtual office, which you can get for just a couple of hundred bucks a month.
With remote employees, the primary modes of communication will of course be their smartphone and laptop. But apart from the productivity issue, the other issue that remains, and it is a big one, is security.
Since you will not be physically seeing your employees on a daily basis, you need to make sure that the equipment that they use is up to snuff with all of the security features that are mandated by the company Security Policies.
This is especially true when it comes to making sure that the latest software patches and upgrades are deployed and installed onto your employees’ devices. One area in which this needs serious attention is the software applications that they use to conduct virtual meetings with other coworkers, wherever they may be.
In this regard, some of the typical applications that are used are Skype, WebEx, GoToMeeting, and of course many others.
But the ones mentioned are the most popular brands that are used today. In fact, just recently, the WebEx video conferencing platform developed by Cisco came under close scrutiny after a very serious vulnerability in it was discovered. What is it, you may be asking?
Well, suppose you are logged into the application, and all of a sudden, an unknown entity, a Cyberattacker, appears and takes over the application.
From here, after access has been gained, the Cyberattacker can, in just a matter of a few seconds, deploy all sorts of nefarious Malware onto your device, and quickly disappear without a trace. Then all of a sudden, all of your passwords and the company’s mission-critical files could very well be hijacked, causing even more damage in a cascading fashion down the road.
The scenario that I have just described is what the vulnerability is. Worse yet, this can even happen when the video conference you are having is password protected. The Cyberattacker does not even need to have a password; all they need is the Meeting ID# and the related mobile app for either the iOS or Android platforms.
All the Cyberattacker needs to do is to get access to this particular ID#, and from there the web browser will then be initiated to launch the associated WebEx mobile app. But there is a downside to this for the Cyberattacker: they will appear as a guest in the attendee list while the video conference is in session.
So, if the attendee list is small enough, and you know who all the attendees will be ahead of time, you can easily kick this unknown entity out. But even then, the fact that the Cyberattacker can gain access for just a few seconds means that he or she can still do some damage, as mentioned before.
But of course, if the Cyberattacker is witty enough, they can modify their name on the attendee list to match the likeness and syntax of the names of the other legitimate, authentic users in order to avoid obvious detection. The WebEx conferencing applications that are affected include the following:
* The Cisco WebEx Meetings Suite;
* Cisco WebEx Meetings Online sites for versions earlier than 39.11.5 and 40.1.3.
Cisco has apparently provided a patch to fix this vulnerability, and it should be automatically downloaded and deployed. But of course, you, the IT Manager, have to make sure that it is actually done, and that you show your remote employees how to confirm that the patch has been deployed correctly. Here is how they can do it:
* Log into the Cisco WebEx Meetings Suite site or Cisco WebEx Meetings Online site and navigate to the Downloads tab on the left side;
* Next to Version Information, hover the mouse over the circled “I”;
* Confirm the value displayed next to the Page version.
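For an IT Manager collecting the Page version values from remote employees, a small audit helper can flag which reports still need follow-up. This is an added example, not code from Cisco or from the original post; it assumes that 39.11.5 and 40.1.3 are the first fixed releases of the 39.x and 40.x trains and that later trains carry the fix, and the sample reports are constructed.

```python
import re

# Fixed releases named in the post. Assumption: each is the first patched
# release of its own train (39.x and 40.x), and later trains carry the fix.
FIXED = {39: (39, 11, 5), 40: (40, 1, 3)}


def parse_version(text):
    """Return the first dotted numeric version in text as an int tuple, or None."""
    match = re.search(r"\d+(?:\.\d+)+", text or "")
    return tuple(int(part) for part in match.group().split(".")) if match else None


def classify(page_version):
    """Map a reported Page version to 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(page_version)
    if version is None:
        return "unknown"  # blank or unreadable report: ask the employee again
    major = version[0]
    if major in FIXED:
        # Tuple comparison: a shorter report such as 40.1 sorts below 40.1.3.
        return "patched" if version >= FIXED[major] else "vulnerable"
    return "vulnerable" if major < min(FIXED) else "patched"


def needs_follow_up(reports):
    """Return {employee: status} for every report that is not 'patched'."""
    statuses = {name: classify(value) for name, value in reports.items()}
    return {name: s for name, s in statuses.items() if s != "patched"}


# Constructed sample reports (employee -> Page version as they read it out).
SAMPLE_REPORTS = {
    "alice": "39.11.5",
    "bob": "39.11.4",
    "carol": "40.1.3.12",
    "dave": "40.1",
    "erin": "not sure",
}

if __name__ == "__main__":
    for name, status in needs_follow_up(SAMPLE_REPORTS).items():
        print(f"{name}: {status}")
```

Anything returned as "unknown" should be re-checked by hand rather than treated as patched.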
My Thoughts On This
Luckily enough, this serious flaw was discovered internally by a research team at Cisco; and so far, there have been no confirmed cases of this hack actually occurring. This received a vulnerability score of 7.5/10, which is moderately severe (I think it is very severe).
It should be noted that this is not the first serious flaw for Cisco’s WebEx platform; there are others which have been exposed as well:
* A Cyberattacker could remotely hijack screen controls and kick attendees out of video conference meetings;
* The launching of rogue, malicious commands.
As for me, I am an SMB owner, and from time to time, I have had clients that want to engage me in a video conference call. I try to avoid this as much as possible for the very same reasons listed in this blog. You just never know who could come in from the other side, especially if you are doing a screen share in your video conference meeting. For this, I usually just dial into a conference line number and just hold a normal conversation that way.
If I have to engage in a video conference call, I just use Skype. So, all of this simply goes back to the point made earlier that you have to make sure that all of your employees’ devices that are used for work-related purposes are always up to date with the needed patches and upgrades.
With this in mind, your remote employees should only use company-issued devices, and because of that, regular audits should be conducted to make sure that they are not using their own personal devices.
And of course, you need to stress on a regular basis to your remote workforce the importance of using a secure Wi-Fi hotspot in order to conduct their daily work activities. In regard to this, they should always be using Multifactor Authentication (MFA) and a Virtual Private Network (VPN). You can purchase the latter from most ISPs for an affordable price these days.
In the end, having remote workers will mean greater productivity for your company, but the flip side to this is the greater security risks that are involved, and the administrative time that is required to make sure that they all are and will be in compliance with your Security Policies.