Blog Archives

Over the course of the Pandemic, Zoom, together with other video conferencing applications, has become an indispensable business tool. But the platform has been beset by reports of a number of security and privacy problems.  “Zoom bombing”, where a private Zoom meeting is hijacked by uninvited outsiders (or even invited participants), who disrupt or post offensive material within the meeting, has affected a growing number of users.Better security measures, both within the platform and applied by meeting organisers, seems to have largely resolved this particular problem but others are still only partially resolved, or not at all. A helpful article on the Tom’s guide website (Zoom security issues: Here’s everything that’s gone wrong (so far) | Tom’s Guide) provides a detailed, and quite lengthy, list of the issues and their current status.As with the recent report about the Estate Agent’s video of a house in Devon that showed a large quantity of the personal data of the house owners, using a video conference facility needs some prior thought and planning.  Apart from your personal appearance and positioning, what else is visible on screen when you have your camera on?  If it includes personal material such as family photographs or confidential documents, or items such as an asthma inhaler or a stairlift that would indicate particular heath problems, it would be very sensible to make sure that these cannot be seen.If a business wishes to introduce some new technology it should carry out a detailed data privacy impact assessment.  At a more basic level, some simple pre-planning and checks can and should be applied by individuals as well. Use of passwords and two-factor authentication are recommended.  Of course, these steps will only help if the Zoom bomber is not invited.  It seems that increasing numbers of meeting-disrupters are invited participants, so in those cases there need to be effective steps for such participants to be muted or removed from the meeting.  Since November 2020 Zoom has now improved its functionality on these issues.The article concludes that Zoom is much safer than it was, and that the problems it has experienced and had to resolve have helped to make it a safer and better video conference platform.  So the message is to carry on using Zoom, but just take some sensible precautions to minimise the risks of inadvertent or unauthorised disclosure of personal data.

An interesting article in the BBC news highlights a lesser-known, but potentially devastating cyber-threat for medium to larger businesses – a hack into their computer firmware.  A survey conducted by Microsoft has found that 80% of firms have experienced a firm ware attack in the past 2 years, but less than a third of security budgets are allocated to protect firmware. In addition, the US National Institute of Standards and Technology has recorded a 5 fold increase in firmware attacks in the last 4 years. Covid lockdown has created an environment where the time and trouble needed to arrange such an attack has become much less of a problem for cyber-criminals.Firmware is the inbuilt code which controls each component in a PC.  It is harder to access than software, but if infiltrated it can be almost impossible to detect, and may leave no trace. Regular patch updates for the firmware as well as the software can reduce the risk of an attack succeeding, but because it is more complicated to put in place, it may be overlooked or delayed.While the risk is only likely to be significant for medium to large size businesses, it is clearly a growing threat that should be considered as part of the data risk management strategy of all larger businesses. With more staff working from home and connecting remotely to work servers, each external device which connects provides an opportunity for hackers. Steps that should be taken include a review of how and through which devices employees connect to the central system, a reassessment of technical and organisational cyber-security measures to ensure that firmware protection is given sufficient prominence, and further training for employees to raise awareness of the risks and ensure that they take the necessary steps to keep any authorised personal devices up to standard with recommended protection measures. This last is perhaps the most important, since most cyber-breaches and data breaches occur as the result of human error, inattention or carelessness.