Working from home has gone from being a luxury to a necessity because of the COVID-19 pandemic. Usually, we talk about disrupting technology, but this time, we have an external non-controllable factor that is causing the disruption. The challenge is not limited to only some enterprises, as almost all organizations have been impacted to various degrees. This one-time shock has triggered some trend-setters, which in turn impacts risk going forward and thus the domain of information systems audit.
Video conferencing telecommunication technologies remain at the core of the movement toward greater adoption of remote work. The ability to talk to one another by telephonic links, including conference facilities, is a familiar part of our technological toolkit. We think very little about the security of our telephonic communications, particularly when they occur within the confines of our offices. Cellphone conversations in a crowded coffee shop or airport lounge are in a different category, as confidential information can sometimes be overheard, leading to a security breach. But information broadcast in audible form just disappears in most cases—it is generally not preserved electronically or recorded in a manner that is easily stored, accessed or transmitted to a potential adversary.
Likewise, remote document-sharing systems have also been part of our electronic toolkits for some years now. Document-sharing via email remains common, but other technologies offer features to make document-sharing more convenient (particularly for large files), secure and reliable. Permissioned access enhances the enforcement of privacy and security restrictions and enables users to track who has accessed and modified documents. Features that track document changes and modifications not only facilitate collaboration, but also add to the integrity and security of those documents. Encryption can also be added to the layers of security provided by passwords, which can be made more robust by dual authentication.
Early mistakes that expose vulnerabilities in these systems have probably been addressed. While cloud sharing platforms are not foolproof—no system is—they are reasonably strong and reliable. Market forces have produced competitive products that meet the needs of the marketplace, including security requirements. And it stands to reason that security features will continue to improve as new threats emerge.
Video meeting technologies enable us to combine voice, video and document-sharing possibilities to enhance meetings and collaborative efforts. But these technologies are in their comparative infancies as compared with components that permit voice and document-sharing. Moreover, widespread use of these technologies during the pandemic-induced lockdown highlighted security vulnerabilities. Some simple practices, such as restricting access to those holding passwords or permissioned meeting access through host review of all guests, have emerged as baseline best practices. But concerns about vulnerability have caused some sensitive users, including government and defense contractors in the United States, to ban employees from using certain of these technologies.
The human side of technology use is a major influencer of risk in working from home. Lax password protection, inadequate disaster recovery measures, exposed personal equipment touching the boundaries of the employer’s systems, social engineering of the attackers and poor or nonexistent protocols all contribute to the new risk of working from home.
We suspect that these security concerns in video conferencing platforms will eventually be resolved based on the competitive nature of this marketplace. But in the meantime, it is important to review your challenges of risk management on the work from home front. Does your organization (or clients of your organization) impose any restrictions on video conferencing platforms based on security concerns?
Editor’s note: For further insights on this topic, read Vasant Raval and Edward Morse’s recent Journal article, “The Practical Aspect: Working From Home—Reassessing Risk and Opportunities,” ISACA Journal, volume 5, 2020.