#Working From Home: When Employees Get Too Personal
During video meetings, remote workers often reveal personal information that can be used as an attack vector on the corporate network.
Many employees are now aware that they should minimize the amount of personal information they share on social media to avoid making themselves vulnerable. What few people think about is the private data they reveal via video calls or other means from their home office. After all, that team meeting is supposed to be private, with only trusted colleagues in the virtual room. Few people realize that cyber-attackers roaming undetected on the corporate network or sneaking into a call could be looking over their shoulders.
These glimpses do not only show colleagues what goes on in the home office; fraudsters, blackmailers and scammers often use them for social engineering.
Social engineering is nothing new. What is problematic is the new quality that has emerged as a result of increasingly decentralized work combined with greater openness. The isolation in the home office during the pandemic years has, among other things, led to people being more open and giving more insight into their private lives out of a desire for more contact. They show how and where they work, and not just on social media under hashtags like #WorkFromHome, #WorkingFromHome or #HomeOffice. In doing so they reveal valuable information to criminals, intentionally and often unintentionally: their home, furnishings, family, pets, hobbies, or even when they are on vacation.
Such information is no longer hidden in videoconferencing, but is increasingly displayed intentionally. Wallpaper or photos in the background, for instance, reveal a lot about family and personal preferences. Other information useful to criminals, such as birthdays, addresses, diplomas, and hobbies, can easily be found in video backgrounds, social media, and private homepages. The user may have a concert poster of their favorite band or soccer team hanging behind them; the desktop background may show a photo of their children; an envelope with their home address may be on their desk in view of the webcam; a birthday coupon may be on the bulletin board in the background, and much more.
This is problematic because passwords often contain private references, such as the birthdays of children or partners, the names of pets, or favorite artists. What’s more, typical password reset security questions ask for exactly this kind of personal information: the name of your pet, your first car, or where you were born.
Security lock on the door, but crooked windows?
What good is it if the IT department equips remote workstations with every security feature imaginable, and only allows access to the corporate network via VPN – but home office workers give information away without a second thought?
It is frightening how little information experienced hackers need to use password cracking tools and social engineering to obtain sensitive credentials. Often all it takes is an email that appears to be from a colleague, addressing the recipient personally and promising a hot tip about their hobby – and they carelessly click on a link or open an attachment.
Best practice
To avoid inadvertently providing valuable information to cyber attackers in video calls, follow these three rules:
- Make sure that nothing personal is visible in the background during video conferences: no photos of your family, nothing that reveals your hobbies, etc.
- Remember that modern webcams provide high-resolution images that an attacker can zoom in on to decipher things that are supposedly unreadable (such as addresses or phone numbers).
- It is best to set up a company-supplied background image or have the conferencing software blur the background so that nothing is visible that could be useful to an attacker.
#Work from home without risk
Remote working brings with it a whole new set of security risks – not just the obvious ones, but also those you might not think of at first. Video calling via Teams, Zoom or other solutions is one such potential vulnerability. The only thing that can help is to make employees aware of the dangers of carelessly or intentionally exposing private data. And it’s not (only) about not wanting colleagues or customers to see the pile of laundry in the background…