Security implications of the work-from-home digital transformation, what should be in remote workplace security policies, and the nascent threat of AI meeting assistance. These stories and more in this week's ISMG Security Report. Hello, I'm Nick Holland. It's week four, or five perhaps, I'm not entirely sure, of working remotely for a great many of us.
And clearly the adjustment to this new normal of social distancing is far from over. That's not to say we're being any less social, though, as the rapid adoption of messaging apps, notably Zoom, has been for many of us a lifeline to both the workplace and our family and friends. However, this rapid transition to WFH, as it's known, and to the new digital tools, has come with a number of notable security problems. In this week's podcast, we'll hear Jeff Green of NIST discuss implementing security policy for the remote worker, and Steve Marshall of Bytes Technology in the UK talk about a new threat from AI meeting assistants.
But first, here's an excerpt of an interview that ISMG's SVP of Editorial, Tom Field, conducted this week with an illustrious panel of experts. Edna Conway of Microsoft, Michelle Dennedy of Drumwave, and Wendy Nader of Cisco. I'd urge you to view the complete interview, which is available on ISMG's website. It's really fantastic.
But I particularly liked this excerpt where Edna Conway discusses how home and work are fusing, as are information security and physical security, with a final comment from Wendy Nader. Enjoy. So you know, we were talking earlier and Michelle, you said we all get to bring our whole selves now. I think there's something else interesting, which is, you know, for years I've been talking about thinking about this in a holistic way.
You can't segregate information security from physical security. And we live right now in a world where, you know, home is now your office, your partner's office, your elementary school child's classroom, your teenager's dating application. And grandpa, you know, he's taking up a new hobby in the back room. It's day trading and we're all working on the same platform at the same time.
So starting to think about what do you need to do to lock things down? How often should you change that password as an enterprise? How robust is the VPN? Should all of us, quite frankly, be using different kinds of things like how about a USB data blocker?
We don't take them with us in our travel bag. Should we be using them regularly? And more importantly, you know, I had a New Hampshire is an interesting small rural community. I had a neighbor who called me the other day and she said, I'd like to tell you that I think you're making a terrible mistake.
I said, what is that? She said, I saw the cleaning person come to the house. You should not be allowing him to come into the house. And I said, well, I did a database risk analysis.
I know him. I know his children. I know his family. I know the kind of products that he used.
I also understand how important it is to clean the house. And I made a risk-based choice that he should come in. But thank you for your concern. That kind of a thing is something that we bring to the table every day in work.
But we're now bringing our algorithmic thinking, our security practices, our are you watching your neighbor? Are you paying attention to whether there was a child I know who at some point hasn't tried to get into their parents computer? Right. I mean, my son, I'm an IP lawyer.
My son used to put copyright notices on his paper starting in fifth grade. And he was at a public school for a while, but then he was in a Catholic school and the nuns had to have a few words with me. I said, no, no, copyright law is alive and well in the U.S. Bring that to the table today and every day.
Use this as an opportunity to change the way we operate. Think holistically. Bring your whole self. Yeah.
And the other side to that that I was talking about in actually my keynote at RSA is that now that tech has become democratized and work and life are all mashed up, that people are starting to worry about whether their employers are going to try to exert control over their private lives because you can't really separate them anymore. And of course, that's gotten even worse now that we're working from home. Read a lot about employers worrying about whether the people are actually working and how they want to control that. So, again, I think our feet are being held to the fire over that controversy of, yes, as an employer, you have the right to ask certain things of me, but you don't get to infringe on my personal life just because I'm at home right now.
You're listening to the ISMG Security Report on ISMG Radio. ISMG, your number one source for information security news. With the COVID-19 pandemic obviously forcing large portions of the workforce to shift to telework, CISOs need to rethink corporate policies on the use of video conferencing platforms and other communication tools. Jeff Green of NIST recently wrote a blog post about the challenges of securing a newly mobile and remote workforce and how the cybersecurity policies that work for CISOs within the confines of an organization's physical walls just no longer apply.
ISMG's managing editor of news desk, Scott Ferguson, conducted an interview with Jeff on this very subject. Here's Jeff. The goal of any security policy that's going to be in a security tool that's going to be really effective has got to be ease of use because once you start making security too much of a burden, people just won't follow it. So it is really important to be thinking about the policy as you're creating one from the perspective of the end user, keeping it relatively simple to read.
You don't want 10 pages on virtual meeting security. Think about how people use the tools. My mother was an English teacher and she always told me to write to the lowest common denominator as long as I was continuing to make my key point. And I think that should be true here.
In terms of the pieces that you should have in it, first is trust in people, but really making sure people are aware of the risk. Think about your virtual meetings, your con calls, the way you do any data. Tiered approach is what we would suggest. Low, medium, high.
Then you apply the different security layers depending upon the sensitivity of the meeting you're going to be discussing. And it's also going to depend upon what tools your organization has in place to have these virtual meeting. So you're going to have to tailor it to that and make sure that in fact what you want to do is available and that people have the opportunity. Biggest thing from my perspective is know the risks you're taking.
And by that I mean if you're going to reuse the conference call number, if you're going to record a meeting, if you're going to share a screen, make sure that's all a conscious choice. It's not things that we're doing by default. You want to knowingly assume whatever risk you take on. If you have limited time or resources, I would suggest focusing initially on the most sensitive of the calls.
Some suggestions there are the most obvious is don't reuse a conference call number. If you think about how many times you've sent an invite out to meetings for people both inside and outside of your organization, you don't want to be using that one on a very sensitive business or company call. Use a dashboard to see who's on. A lot of services will have a green room or a waiting room so you can actually admit people individually to control who's in there.
You can lock the call on a lot of them once you have everyone you want. I mentioned recording a moment ago. If you're going to record it, make sure that recording is encrypted and know if it's stored locally or in the cloud. And if it's going to be in the cloud, it might not be held by your provider.
Know how long you're going to hold it. For the really most sensitive meetings, you can look into multi-factor authentication. Again, sticking with the sensitive side, one-time PINs, identifiers, or codes, I think, are essential. And you can also, through some services, distribute a personalized link that only that one person can join from.
At the other end of the spectrum, if it's truly a routine or not a sensitive call, probably okay for reusing the number. But again, be aware of what you're doing. Last thing I'd say on that is if we put out a blog, people look up NIST Cyber Insights. You can find a blog we did on remote virtual meeting security.
And there is a graphic in there that has 12 or 15 different security options that will walk you through from our suggested steps from low to medium to high. You can pick and choose. You don't have to follow our order. And it gives you a sense of what the options are potentially and how you might want to apply them.
Finally, a new threat to surface and exploit the ever-present and pervasive use of messaging apps, social media, and even common or garden phone calls are rogue AI meeting assistants. UK-based Steve Marshall, CISO of Bytes Technology, came across this new threat in a recent company meeting. Here he describes what happened. It was a really interesting case because it was one that we hadn't come across before.
If you don't know what an AI meeting assistant is, it's a clever piece of technology that you can invite to a meeting. It will record the call, the chat, and the video. It will then transcribe what's said during that meeting and provide outputs in a format that you can search and mine for information. Now these are very useful tools and lots of companies use them now in order to be able to add them to a meeting, take the information from the meeting in a digital readable format that they can then push into their CRM system, mine the format and the data that comes back, and add that