<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Executive Tips Archives - Foster Institute</title>
	<atom:link href="https://fosterinstitute.com/category/executive-tips/feed/" rel="self" type="application/rss+xml" />
	<link>https://fosterinstitute.com/category/executive-tips/</link>
	<description>Cybersecurity Experts</description>
	<lastBuildDate>Tue, 03 Jun 2025 00:12:36 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://fosterinstitute.com/wp-content/uploads/2021/02/Favicon.png</url>
	<title>Executive Tips Archives - Foster Institute</title>
	<link>https://fosterinstitute.com/category/executive-tips/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>AI is Listening: What Executives Must Know about Privacy in the Age of Workplace AI Assistants</title>
		<link>https://fosterinstitute.com/type-and-talk-as-if-youre-being-watched-how-ai-is-erasing-executive-privacy/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Wed, 21 May 2025 02:25:04 +0000</pubDate>
				<category><![CDATA[AI]]></category>
		<category><![CDATA[Executive Tips]]></category>
		<category><![CDATA[Executives and IT]]></category>
		<category><![CDATA[Privacy]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=6043</guid>

					<description><![CDATA[<p>From now on, if you want to write something you expect to stay private, it&#8217;s a good idea to use a pen and paper or something other than your computer. What you say in online meetings can now be transcribed, stored, and retrieved. Even more concerning, anything you type into a document draft you save, [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/type-and-talk-as-if-youre-being-watched-how-ai-is-erasing-executive-privacy/">AI is Listening: What Executives Must Know about Privacy in the Age of Workplace AI Assistants</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p class="whitespace-normal">From now on, if you want to write something you expect to stay private, it&#8217;s a good idea to use a pen and paper or something other than your computer. What you say in online meetings can now be transcribed, stored, and retrieved. Even more concerning, anything you type into a document draft you save, including angry drafts, can be accessed by AI systems and potentially disclose what you believed to be private information. The same goes for email messages, sent and received. Deleting files, messages, and meeting information and preventing unauthorized copies are more crucial than ever.</p>
<p class="whitespace-normal">Some executives at my keynote presentations say, &#8220;I wish AI would give me answers based on what is happening in our company. I would get so much better results than my generic answers now!&#8221;</p>
<p class="whitespace-normal">Their wish is granted. Retrieval-augmented generation (RAG) means that AI can retrieve your organization&#8217;s information to provide relevant responses, including what&#8217;s happening in your organization. The process is designed to keep the information within your company and not leak it to other companies or third parties.</p>
<p class="whitespace-normal">Some newer workplace AI assistants, like the one you may use today, look at a user&#8217;s permissions and then access documents, meeting transcriptions, and email messages that the user can access, all in real time. If you remove a file, usually within minutes, the data is no longer available for AI retrieval. The rest of this article will refer to this newer type of retrieval. If your organization uses an internal vector database to store information for AI retrieval, deleting a source file won&#8217;t automatically remove the information from AI responses until the tool explicitly refreshes its index.</p>
<p class="whitespace-normal">But the dark side of this fantastic feature is reduced privacy. The AI tools with document or email access permissions are designed to enhance AI&#8217;s responses with information from meetings, emails you send and receive, and files you&#8217;ve saved. The AI tools examine all information, including files saved in your online storage that have accumulated over many years. If someone with the right privileges asks AI a question about a topic or person, unless you deleted all instances of the old meeting notes, email messages, files, and other sources of information, what you said in a meeting or typed into an email or a saved document might appear in the results. Angry messages, failed plans, and long-forgotten mistakes can be resurrected even though you&#8217;ve put them behind you. Undeleted inappropriate jokes a friend emailed you or private conversations with your loved ones through company email could be exposed, too.</p>
<p class="whitespace-normal">Before going any further, let&#8217;s explain what this article covers. When people talk about AI privacy, they are often concerned that what they type into an AI chat tool will leave their organization and show up somewhere else in the world. That&#8217;s not what we&#8217;re covering here. We&#8217;re covering the situation where, although the data stays within your organization, other people in your organization might find out more than they need to know, even without trying. Given a request, AI can quickly return data based on the user&#8217;s privileges without the user needing to find a specific file, message, or meeting. Unfortunately, they might see content they never expected or intended to see, perhaps private or sensitive information they shouldn&#8217;t have access to, a phenomenon dubbed AI &#8220;oversharing.&#8221;</p>
<p class="whitespace-normal">This article focuses on companies with multiple users sharing data instead of a single user or a tiny office with users not using shared storage. However, everyone, including single-computer organizations, should read the section below entitled &#8220;Potentially Dangerous Third-Party AI Assistants.&#8221;</p>
<p>Using AI assistants, information stored in your organization may be available to anyone else in your organization possessing the right access privileges. People no longer need to invest energy to search; as long as they have access rights, they can ask a simple natural language question using AI and find the data in the blink of an eye.</p>
<p>It&#8217;s becoming apparent that humans will be forced to accept this reality. Humans must be very cautious about what they say in a meeting or type into a file they save or in an email. Of course, you have no control over what information someone could send you in an email, making the situation worse.</p>
<p>The good news is that AI tools cannot retrieve data once it is permanently deleted from all systems and backups, assuming the tool you are using for RAG only accesses current content and does not save old content. As of this writing, most reputable tools from organizations with household names respect that once a file is deleted, it is no longer eligible for access by workplace AI assistants. However, due to the sheer volume of information accumulated over the years, finding and deleting old files, meetings, and messages could be nearly impossible.</p>
<p class="whitespace-normal">Software and operating systems that support gathering your and your organization&#8217;s data to provide more relevant answers (RAG) usually include multiple privacy safeguards. However, protections can be bypassed in certain circumstances, such as an official e-discovery.</p>
<p class="whitespace-normal">The way it typically works is for the AI tools to verify the user&#8217;s permissions to data before considering augmenting the response with additional information. When a user asks for information, the system is designed to provide information that the user has permission to see, a process called trimming.</p>
<p class="whitespace-normal">For example, workplace AI assistants integrated with your organization&#8217;s email applications have access to your messages. When you ask for information, the AI tools are designed only to give you information based on the contents of your email. Unless you&#8217;ve delegated email access to someone else, random people in your organization should be unable to receive answers augmented with information from your sent and received email messages.</p>
<p class="whitespace-normal">However, a technology leader at a leading provider told me that their AI tool does not respect the privacy of a user&#8217;s email when there is a misconfiguration or the interested party has elevated roles. He explained that all user email content is available to other users with enough privileges. He explained the trade-off between data access and privacy with this metaphor: Before AI augmentation, he said, finding sensitive data in a company was &#8220;like looking for a needle in a haystack&#8221; &#8211; scattered across random files and email messages. Now, he explained, with AI-powered tools, &#8220;you find the needle immediately just by asking a question.&#8221; He reminisced about asking one of his technical pros, &#8220;Show me email messages where anyone praised our competitors.&#8221; He said the results appeared instantly, with sender information fully visible. &#8220;The AI tool doesn&#8217;t give you a haystack,&#8221; he concluded. &#8220;It gives you a stack of needles.&#8221;</p>
<p class="whitespace-normal">A member of my team and I eagerly visited with AI technology leaders, hoping to persuade them to make conversations completely private for sensitive meetings such as conversations related to an M&amp;A, personnel matters that require confidentiality, trade secrets, and new competitive products or services that would harm a company if the details are discovered prematurely. The most senior person we visited, who influences AI privacy at a huge software company, was surprised to hear that I suggested that executives sometimes want discussions in online meetings to remain private forever.</p>
<p>He is not alone in believing that all executive communications should be discoverable. Executives&#8217; knowing that their conversations could be disclosed helps ensure corporate accountability and is a strong deterrent to executive misconduct. Transparency is required by some regulations and even by law in certain circumstances. Some people feel it is unfair for executives to enjoy privileged communications with immunity from e-discovery.</p>
<p>The senior executive with the power to set privacy related to AI emphasized that the whole point of AI ingesting meeting conversations and other data is to make information available for AI processing; any restrictions reduce the tool&#8217;s functionality. He explained that this reaffirms the position that productivity outweighs privacy. He acknowledged that there are concerning incidents of oversharing sensitive data to users, and he accurately pointed out that those are often due to their customers not properly preparing, deploying, or maintaining the AI tools and data governance privacy controls.</p>
<p>He retorted that executives who want to have private meetings with undiscoverable content should use some encrypted messaging apps like Signal and not his company&#8217;s online meeting platform. He also told me he appreciated my feedback about leadership sometimes needing absolute privacy, and that they&#8217;ll consider it.</p>
<p class="whitespace-normal">Yet their position is firm, and companies that use workplace AI assistant tools that access company information must now accept the specific privacy controls of that tool, which may include a significant drop in the privacy of sensitive company information within their company. While I acknowledge that many application providers build in protective controls, the reality is stark: complete privacy of workplace communication is in jeopardy.</p>
<p>There are many examples of data augmentation across the industry. One is Microsoft&#8217;s 365 Copilot, which can use RAG to augment responses using information in email, meetings, and files. It provides many advanced privacy controls, including those described below. Some more advanced protections, such as automatically labeling data sensitivity, are unavailable unless your organization invests in the top-tier &#8220;E5&#8221; license of 365. Companies with the &#8220;E3&#8221; license must manually label content or risk unexpected disclosure.</p>
<p>Microsoft&#8217;s free &#8220;Copilot with Enterprise Data Protection&#8221; differs from the free consumer version of Copilot in that it requires users to log in with work (Entra ID) credentials. It doesn&#8217;t automatically access your organization&#8217;s data, and users can only upload files manually for tasks like summarization. Your IT team can configure data loss prevention policies to prevent sensitive file uploads, but the protections aren&#8217;t enabled by default, so initially, any file can be uploaded. This free version doesn&#8217;t integrate with Microsoft 365 apps like paid Copilot, so it doesn&#8217;t provide real-time document editing, Teams meeting summarization, or Excel formula suggestions within your apps. However, it does provide web searches, document summarization, and general chat interactions. While it offers some enterprise protections when configured by IT, it&#8217;s not a complete company solution like paid 365 Copilot versions.</p>
<p>Google Gemini is now integrated with Google Workspace and can review and consider information in Google Workspace as it responds to user prompts. Google does not release information to the world by training Gemini on your data, and they provide strong security measures to help keep private data private. But, even with the provided settings, a qualified person in your organization must configure and keep those measures current. Sometimes the default settings favor functionality over privacy, so your team must be familiar with the settings and keep up with them as they change.</p>
<p class="whitespace-normal">From now on, you must carefully choose your words in online meetings and never say anything you don&#8217;t want discovered. Content discussed in meetings may be captured in AI-generated transcripts, summaries, or recordings, making even previously casual conversations potentially discoverable in legal proceedings. By default, permissions for AI to return results from the transcript are typically given to all meeting attendees. If someone is invited but late or a no-show at the meeting, avoid the temptation to say something joking or make an offhand comment about them. That person could later want to know if they&#8217;d missed anything important and ask AI, &#8220;Did anyone say anything about me?&#8221; Your comment will be disclosed. Depending on what you said and their level of sensitivity, you might find yourself in an HR nightmare. There is no such thing as &#8216;off-the-record&#8217; in meetings where AI transcription or summarization tools are active. With some commonly used operating systems and tools, this recording is always enabled and difficult to block.</p>
<p class="whitespace-normal">Distributing AI-generated meeting summaries to participants without a human reviewing them first for accuracy is dangerous. AI is prone to hallucinations and errors in transcription, especially if the audio quality is poor. AI also makes errors when people use ambiguous language, such as &#8220;They said it was approved.&#8221; Who is &#8220;they,&#8221; and what did they approve? AI will try to decide, but could get it wrong. Other examples are &#8220;We need to address the issue&#8221; or &#8220;Send it to them.&#8221; AI must make a guess, based on the context of the conversation, what &#8220;we,&#8221; &#8220;they,&#8221; &#8220;issue,&#8221; and &#8220;it&#8221; refer to. Sometimes AI, understandably, guesses wrong, and meeting summaries can include inaccurate information and topics never discussed.</p>
<p class="whitespace-normal">After Abraham Lincoln died, historians discovered in archives that he had written scathing letters to his generals but never sent them. If you sometimes type emotion-filled documents while &#8220;venting,&#8221; even if you never intend to share the information, the AI tools may index and analyze everything you type in the draft file you save. In an e-discovery situation, or if someone with elevated privileges asks a question, the AI tool could reveal what you never intended to share.</p>
<p class="whitespace-normal">One major provider of applications automatically saves a version history of the previous content, but their tool will use only the current content of the file to respond to a question entered by someone with a high enough security level. Break any habits of saving individual files in names such as &#8220;AngryLetter-v1,&#8221; &#8220;AngryLetter-v2,&#8221; etc. If you update a file for tone or accuracy, do so in the current file or delete old versions to keep previous content from showing up in AI answers. These strategies only work if your workplace AI assistant tool only accesses current data and does not store old content. Remember that if your system makes backups of your files, and someone with the capability restores a file you deleted or restores a version before you removed objectionable content, the information in that restored file may be available as if you never erased it.</p>
<p>Removing old email messages from showing up in responses can be slightly trickier since AI may respond with information stored in your deleted items folder. You must remember to empty your deleted items folder, or your IT team can set up specific retention policies that permanently delete email messages after a set date or message age. Of course, as with files, if the email messages are backed up somewhere and restored, the restored versions may appear in responses to AI prompts. And this also assumes that your workplace AI assistant tool does not save old messages elsewhere for retrieval. As of this writing, one of the largest workplace AI providers respects that boundary and doesn&#8217;t save snippets of data after the source is deleted.</p>
<p class="whitespace-normal">The goal isn&#8217;t to scare people away from using AI tools. It isn&#8217;t easy to turn off AI&#8217;s reading and recording anyway. Your safest bet is to behave as if everything you type or say will be available for easy retrieval by unexpected people.</p>
<p class="whitespace-normal">Let&#8217;s cover some things you can do.</p>
<p class="whitespace-normal">Be sure your IT team uses governance and privacy protections such as:</p>
<p class="whitespace-normal"><strong>DLP:</strong> Major enterprise software providers have highly effective data loss prevention (DLP) tools that help keep private information private and allow access only to people with specific or enough privileges. However, DLP systems are only as effective as their configuration and upkeep. IT professionals, compliance officers, and other privileged users typically have access to the DLP system and can circumvent restrictions and access data anyway. If users save documents in unprotected locations, DLP might be unable to protect the data.</p>
<p class="whitespace-normal"><strong>Data Sensitivity Labeling:</strong> Most enterprise AI assistant providers explain that their tools respect file permissions and features like Data Sensitivity Labeling. You and your users can specify data labels for your content, such as &#8220;private&#8221; or &#8220;confidential,&#8221; to further restrict who can see what data. However, if someone opens an e-discovery, all undeleted data is potentially available. Thus, nothing you say or type is wholly protected if the data still exists.</p>
<p class="whitespace-normal"><strong>Retention Limits:</strong> A representative from a major tech company suggested that executives can avoid e-discovery exposure of what they say in sensitive topic meetings by setting retention limits on meeting notes, files, and email. After the retention period, the system will erase the data after a mandatory holding period. Erased data will no longer appear in results if your AI assistant doesn&#8217;t save snippets of data elsewhere. However, it can be frustrating not to have access to old documents and meeting summaries after a retention policy triggers their deletion. He pointed out that if a meeting attendee puts notes or a summary in the meeting chat, that chat information will not be purged. If someone asks about the meeting in Copilot or during an e-discovery, the process will access the data saved in the chat. Remember to ensure the automatic deletion includes deleting all logs, training data, and monitoring records when setting retention policies. These may contain sensitive data in prompts or summaries, even after the original content is deleted.</p>
<p class="whitespace-normal"><strong>Why Deletion May Not Be Enough:</strong> As mentioned throughout this article, remember that one of your best protections is deleting files, chats, messages, meetings and backups you don&#8217;t want AI to use in responses. However, the effectiveness of this strategy depends on whether the tool&#8217;s RAG features save information elsewhere even after you&#8217;ve deleted it.</p>
<p class="whitespace-normal"><strong>Potentially Dangerous Third-Party AI Assistants:</strong> An IT Professional at one of our best customers called me last week in alarm because he noticed a new app on their system had rights to scour their email messages and file storage. What used to be a third-party meeting assistant tool has &#8220;upgraded&#8221; its feature set to include a system that performs an AI search across documents, notes, and email messages. When a third-party meeting tool accesses your file systems and mailboxes, do they save any snippets of your information on their company&#8217;s servers? If so, do they encrypt the data and automatically erase the data from their systems when you delete a sensitive file or remove an email from your account? Can they provide a log or audit trail of who accessed your data? Do they train their tool based on your data, potentially exposing your data to their other customers? What happens to your data if you stop using their product? How do they define what data is yours vs. their data? The tools may also offer to gather information from other third-party note-taking tools, CRMs, and users using other operating systems. From a functionality perspective, there is great allure to having an AI assistant so familiar with everything in your work life. However, it is also a privacy nightmare if the system ever over-shares sensitive information, if the third party gets compromised by threat actors, or if your organization loses visibility into where your sensitive data is stored and who can access it. Before enabling tools like this, you must thoroughly vet the third party to determine if they have the necessary security controls in place and will maintain the security of your data. 
Remember the saying, &#8220;your organization&#8217;s security is only as good as your third party&#8217;s security.&#8221; To help stop employees from unknowingly giving outside apps access to your company&#8217;s emails, files, and other sensitive data, ask your IT team to change the &#8220;Allow User Consent&#8221; Settings from the default to <strong>require administrator approval before any third-party app can access company data.</strong></p>
<p class="whitespace-normal"><strong>Outside Parties:</strong> Another risk is that if any of your workers sent the data or made it available to an external person, it might be in their system too and be exposed by their AI someday.</p>
<p class="whitespace-normal"><strong>AI Incident Response Plan:</strong> Develop a thorough incident response plan for AI incidents. Plan now how you will manage situations related to AI crises, such as unauthorized data leakage, undetected hallucinations, discrimination (bias), security issues such as prompt injection, and insider misuse. Include your legal and regulatory advisors during planning, as they can address their appropriate obligations.</p>
<p class="whitespace-normal"><strong>Security Considerations for Incident Response, HR Investigations and more:</strong> Many organizations use ticketing or helpdesk systems that weren&#8217;t originally designed to handle sensitive issues, including cybersecurity incidents, HR complaints, and insider threats. Examples include Jira, ServiceNow, or Teams/Outlook. Those systems are integrating AI features. If you allow AI tools to automatically index your primary helpdesk system, they may unexpectedly augment responses and disclose sensitive investigation content to unauthorized users. This creates risks such as exposing privileged communications with legal counsel, compromising the integrity of confidential evidence, and disclosing sensitive employee information. Instead, use a completely separate access-controlled case management system for incident response, HR investigations, and other sensitive matters. Ensure this system is excluded from AI indexing and augmentation. Work with your legal and compliance teams to isolate the systems, enforce strict access policies, and apply appropriate retention and audit log controls.</p>
<p class="whitespace-normal">In case it comes up in a conversation with your IT pros, Microsoft allows administrators to configure &#8220;Azure AI Search&#8221; indexing restrictions to help prevent AI from accessing specific data, such as files, emails, calendar events, and meetings. However, blocking indexing has negative consequences such as breaking searches for text in email message bodies in Outlook on the web, content inside documents such as Word, Excel, and PDFs in the web apps, and Teams online.</p>
<p class="whitespace-normal">Know that your IT team is already very busy, and adding AI governance to their responsibilities may require removing something else or outsourcing.</p>
<p class="whitespace-normal">As time passes, AI will gather more information from your existing documents and data (this gathering is called RAG), including what AI thinks was said at all meetings. People will become more aware of the new normal in privacy. Unless you are positive that you can and will permanently delete all history, be careful about anything you say in online meetings or type into documents or email. Use words and sentences that will reflect well on you and others in case someone with enough permissions asks AI what you said.</p>
<p>For better, worse, or both: AI is listening. Protect your privacy before it is too late.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Which AI Chatbot is Best? The Executive&#8217;s Guide for When to Use ChatGPT, Claude, Gemini, and Perplexity</title>
		<link>https://fosterinstitute.com/which-ai-chatbot-is-best-the-executives-guide-for-when-to-use-chatgpt-claude-gemini-and-perplexity/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Sun, 01 Dec 2024 04:12:38 +0000</pubDate>
				<category><![CDATA[AI]]></category>
		<category><![CDATA[Executive Tips]]></category>
		<category><![CDATA[Executives and IT]]></category>
		<category><![CDATA[Technology Tips]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=5913</guid>

					<description><![CDATA[<p>Executive Summary: AI chatbots &#8211; ChatGPT, Claude, Gemini, and Perplexity &#8211; bring unique strengths to business tasks, from data analysis to strategic communication. Why have just one star player on your team when you can have several? While many executives have found remarkable success with one platform, utilizing multiple chatbots can unlock even greater value. [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/which-ai-chatbot-is-best-the-executives-guide-for-when-to-use-chatgpt-claude-gemini-and-perplexity/">Which AI Chatbot is Best? The Executive&#8217;s Guide for When to Use ChatGPT, Claude, Gemini, and Perplexity</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><strong>Executive Summary:</strong></p>
<p>AI chatbots &#8211; ChatGPT, Claude, Gemini, and Perplexity &#8211; bring unique strengths to business tasks, from data analysis to strategic communication. Why have just one star player on your team when you can have several? While many executives have found remarkable success with one platform, utilizing multiple chatbots can unlock even greater value. As you become familiar with more chatbots, you will naturally develop your preferences. For example, you might choose:</p>
<ul>
<li>ChatGPT for versatile tasks and data visualization</li>
<li>Claude for emotionally aware communication</li>
<li>Gemini for technical troubleshooting</li>
<li>Perplexity for research</li>
</ul>
<p>The goal here is to inspire you to explore chatbots you might not have used.</p>
<p><strong>Introduction:</strong></p>
<p>When associations and organizations hire me to present about AI, audiences frequently ask me which chatbot is best. After presenting to thousands of executives across diverse industries, I&#8217;ve discovered something fascinating: each person develops their own preferences based on their unique needs and experiences.</p>
<p>There are many chatbots, each trying to earn your favor. If you only use one, you will benefit tremendously from trying others.</p>
<p>A great strategy is to give the same prompt to several chatbots and see which response you like best. Enter a prompt into one chatbot, copy it to your clipboard, and then paste it into other chatbots.</p>
<p>Capabilities change frequently with updates, so what works best might change tomorrow. As of today, here are some specific benefits you might appreciate as you multiply the number of chatbots on your team. Please adapt the example prompts to your specific industry or goals:</p>
<p><strong>Expert Strategy:</strong></p>
<p>For the best results, always give the chatbot context and detail. Describe yourself, the interests relevant to the project, your role, your audience, and what you want to accomplish. For example, instead of asking, &#8220;Review this email draft,&#8221; tell the chatbot your industry, what your organization does, your role, and the challenges you&#8217;re addressing. Then say something like, &#8220;I wrote this follow-up email after yesterday&#8217;s board meeting. Review it and suggest if there are clearer ways to explain our quarterly results. The board members reading this want both the wins and challenges clearly explained, and they prefer brief, to-the-point documents.&#8221; The difference in response quality will amaze you. You can attach examples of previous successful communications you&#8217;ve written and tell the chatbot to use a similar tone and style.</p>
<p><strong>ChatGPT: Amplify Your Productivity:</strong></p>
<p>Chatgpt dot com. Almost everyone has heard of this popular chatbot’s vast range of capabilities. In addition to what it has always done, I use ChatGPT when processing documents and generating or analyzing graphs.</p>
<ul>
<li><strong>Manufacturing:</strong> “Generate a workflow to reduce downtime by analyzing machinery data and prioritizing maintenance schedules.”</li>
<li><strong>Healthcare:</strong> “Create a patient satisfaction survey based on current trends in healthcare delivery.”</li>
<li><strong>Finance:</strong> “Summarize key takeaways from a quarterly earnings report for a stakeholder presentation.”</li>
<li><strong>Distribution: </strong>“Using the attached spreadsheet, generate a graph of Lead Time (Days) vs. Monthly Usage (Units) with data points colored by criticality. Label the material names using a large font.”</li>
</ul>
<p>&nbsp;</p>
<p>For executives on the move, ChatGPT&#8217;s voice mode transforms travel time into productive strategy sessions. While driving, you can brainstorm solutions to business challenges, rehearse important presentations, or analyze competitor strategies – all hands-free. You have a knowledgeable thought partner ready to explore any topic. For safety, if you use ChatGPT while driving, use only voice mode.</p>
<p>&nbsp;</p>
<p><strong>Claude: Transform Your Business Communications:</strong></p>
<p>Claude dot ai. For written conversations and reviewing documents, Claude often causes me to pause and think, “Wow! That response is surprising in a good way!” Experienced business people know success comes through professional relationships. Claude seems the best at considering human attitudes, sentiments, and reactions. If you want to write a persuasive document, Claude might help you best refine the text you’ve already written.</p>
<ul>
<li><strong>Manufacturing: </strong>“Refine a message to factory staff emphasizing the importance of new safety protocols while maintaining morale.”</li>
<li><strong>Healthcare: </strong>“Draft a memo to staff addressing a sensitive policy change with a positive and empathetic tone.”</li>
<li><strong>Finance: </strong>“Rewrite an investment pitch to highlight potential ROI while addressing client concerns about risk.”</li>
<li><strong>Consulting: </strong>“Analyze this email conversation and tell me how this person feels frustrated, and gently suggest benefits to them by sharing examples of how other professionals have benefited from our practices. Do not strive to convince them since they will push back harder.”</li>
</ul>
<p>&nbsp;</p>
<p>Think of Claude as a collaborator. Converse back and forth about how the recipient or audience will react to specific words and phrases, and refine them accordingly. Ask Claude if there are parts that can be left out. This process can yield emotionally intelligent content that produces results.</p>
<p>&nbsp;</p>
<p>I find that Claude often provides unsolicited suggestions that are very helpful. For example, while reviewing a business proposal, Claude will often point out valuable opportunities to strengthen the key benefits. Claude often thinks beyond the immediate request, offering insights and recommendations as a trusted strategic advisor would.</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p><strong>Gemini: Solve Technical Challenges:</strong></p>
<p>Gemini dot google dot com offers another option for technical information and troubleshooting steps. Many users appreciate Google&#8217;s extensive data repository for technical questions.</p>
<ul>
<li><strong>Manufacturing: </strong>“Provide troubleshooting steps for a PLC system showing error codes X, Y, and Z.”</li>
<li><strong>Healthcare: </strong>“Outline the process to integrate a new Electronic Health Record (EHR) system with existing software.”</li>
<li><strong>Finance:</strong> “Explain how to configure advanced security settings in a new financial analytics platform.”</li>
<li><strong>IT Director:</strong> “Identify potential pitfalls in the transition to cloud-based services.”</li>
<li><strong>Executive on the Weekend:</strong> “I am a non-technical executive, and my help desk is busy. Walk me through setting up a mail merge using a list of contacts and a form letter.”</li>
</ul>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p><strong>Perplexity: Power Your Strategic Research:</strong></p>
<p>Perplexity dot ai excels at providing stunningly useful results searching the web. Other chatbots can provide citations for where they obtained their information, but what attracts me the most to Perplexity is how quickly it allows you to access the sources and see summaries of the content if you click the “show all” citations button.</p>
<ul>
<li><strong>Manufacturing: </strong>“Find and summarize case studies on how AI optimizes supply chain management.”</li>
<li><strong>Healthcare:</strong> “Research emerging telemedicine technologies and their potential ROI.”</li>
<li><strong>Finance: </strong>“Identify recent regulatory changes affecting the fintech industry and summarize key implications.”</li>
<li><strong>Expanding your AI Toolkit:</strong> “What are the best AI tools this year that will help me (fill in the rest, such as analyzing trends in my inventory turnover to identify ways I can improve my supply chain)?”</li>
<li><strong>Strategic Planning: </strong>“Research top competitors&#8217; strategies for market expansion.”</li>
</ul>
<p>&nbsp;</p>
<p>Perplexity has almost replaced my use of search engines since I receive the answers I need and can drill down to sources when needed. The sources earned their place in the list based on their content rather than which sites use the best search engine optimization techniques.</p>
<p>&nbsp;</p>
<p>Perplexity is excellent at crafting documents and generating lists of instructions, too.</p>
<p>&nbsp;</p>
<p><strong>Free vs. Paid:</strong></p>
<p>All these chatbots have free and paid versions. Some chatbots have elected to provide advanced features to free accounts, limiting the number of times unpaid users can use those features per day. As you use chatbots, evaluate the time savings or added value to decide when to upgrade to a paid version. Many executives find the ROI on paid versions substantial.</p>
<p>&nbsp;</p>
<p><strong>Risks:</strong></p>
<p>Chatbots can produce inaccurate results, known as hallucinations. For example, when generating financial projections or analyzing marketing insights, they might fabricate results. Always verify chatbot-generated information and avoid expensive mistakes.</p>
<p>&nbsp;</p>
<p>Feel free to challenge the chatbot’s biases. Sometimes, a good argument can be constructive.</p>
<p>&nbsp;</p>
<p>Always use privacy settings to help ensure sensitive data isn&#8217;t stored. Understand the chatbot&#8217;s privacy policies.</p>
<p>&nbsp;</p>
<p><strong>Customization:</strong></p>
<p>Some chatbots allow you to preload information about yourself and your company in settings or attached files. Sometimes, you can generate custom profiles or unique chatbots. This can be very productive, saving you time and achieving specific results.</p>
<p>&nbsp;</p>
<p><strong>AI Ethics and Integrity:</strong></p>
<p>Excellence in AI requires the same principles that guide all business practices: honesty, integrity, and ethics. Just as we use presentation software to communicate clearly and CRM systems to build stronger customer relationships, AI tools help enhance our natural capabilities. They can analyze data more quickly, provide valuable insights, and help us communicate more effectively with our teams and customers.</p>
<p>Any powerful business tool, from email to social media, can be misused. However, responsible leaders use AI to enhance human judgment and creativity. Use AI tools to create value, improve efficiency, and drive success for your organization and the people you serve.</p>
<p>&nbsp;</p>
<p><strong>Conclusion: Using Multiple Chatbots is a Force Multiplier:</strong></p>
<p>Issue your prompts to multiple chatbots to see which resonates best for specific tasks. Remember that chatbots are continuously improving. If you keep experimenting with all of them, you might update your preference for specific tasks. Other fabulous chatbots are available, too; don&#8217;t feel limited to the four I discussed here.</p>
<p>I&#8217;d love to hear about your journey with AI tools. Whether at a conference where I&#8217;m speaking or through email, share which chatbots have transformed how you work and how. Your insights help me bring fresh perspectives to organizations worldwide, and I might feature them in a future blog. As chatbots continue to evolve, I&#8217;m committed to helping executives and their teams unlock the full potential of these powerful tools!</p>
<p>&nbsp;</p>
<p>The post <a href="https://fosterinstitute.com/which-ai-chatbot-is-best-the-executives-guide-for-when-to-use-chatgpt-claude-gemini-and-perplexity/">Which AI Chatbot is Best? The Executive&#8217;s Guide for When to Use ChatGPT, Claude, Gemini, and Perplexity</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>What Executives Must Know: VPNs and Public Network Security</title>
		<link>https://fosterinstitute.com/what-executives-must-know-vpns-and-public-network-security/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Sun, 07 Jul 2024 04:19:40 +0000</pubDate>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Executive Tips]]></category>
		<category><![CDATA[hotspot]]></category>
		<category><![CDATA[IT Best Practices]]></category>
		<category><![CDATA[Remote Worker]]></category>
		<category><![CDATA[Remote Worker Security]]></category>
		<category><![CDATA[Technology Safety Tips]]></category>
		<category><![CDATA[wi-fi best practices]]></category>
		<category><![CDATA[wi-fi security]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=5834</guid>

					<description><![CDATA[<p>Many of us believe that a Virtual Private Network (VPN) alone is enough of a security measure to protect users who connect at a coffee shop, hotel, or other public network. Still, it can expose your organization to threat actors who could compromise the user’s laptop and, consequently, your entire organization. &#160; While VPNs have [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/what-executives-must-know-vpns-and-public-network-security/">What Executives Must Know: VPNs and Public Network Security</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Many of us believe that a Virtual Private Network (VPN) alone is enough of a security measure to protect users who connect at a coffee shop, hotel, or other public network. In reality, relying on a VPN alone can still expose your organization to threat actors who could compromise the user’s laptop and, consequently, your entire organization.</p>
<p>&nbsp;</p>
<p>VPNs have long been a staple for securing connections in coffee shops and on other public networks. By integrating advanced security measures alongside them, you can fortify your organization&#8217;s defenses and stay ahead of emerging threats.</p>
<p>&nbsp;</p>
<p>The goal of this article is to empower you with insights and strategies to bolster your IT team&#8217;s efforts. By equipping them with cutting-edge tools and knowledge, you can elevate your organization&#8217;s cybersecurity posture. Remember, cybersecurity is a dynamic, ever-changing domain that demands continuous adaptation and vigilance.</p>
<p>&nbsp;</p>
<p><strong>Introduction:</strong></p>
<p>A VPN, a virtual private network, is designed to provide privacy of traffic across untrusted networks and through the Internet by encrypting data between the user’s device and the company network. It functions as a network connection from one point to the other. In the case of a remote access VPN, those two points are the user’s laptop and your company’s VPN terminus in your data center or elsewhere.</p>
<p>&nbsp;</p>
<p>Some companies commonly allow or encourage remote users to connect via VPNs while out of the office, under the impression that the VPN alone protects remote users from security risks on a public network.</p>
<p>&nbsp;</p>
<p>While a VPN can protect data in transit, it does not protect against all threats on the local network, such as those present on a Wi-Fi network at a public location. The evolving nature of cybersecurity threats means additional measures are necessary.</p>
<p>&nbsp;</p>
<p>The often-overlooked risk is that when connected to a public network and using a VPN, the user&#8217;s laptop remains exposed to network sweeps, vulnerability scans, and other network attacks. VPNs still play an essential role by encrypting traffic.</p>
<p>&nbsp;</p>
<p>Ideally, users should avoid connecting to public networks. If connecting to a public network is necessary, it is crucial to implement additional cybersecurity controls, such as using a properly configured physical hardware firewall, to protect against network attacks.</p>
<p><strong>Real-World Ways Attackers Breach VPN Users on Public Networks:</strong></p>
<p>Here are three notable examples of how threat actors attack workers who connect to a public network using a VPN:</p>
<p>&nbsp;</p>
<p><strong>Attacking a VPN Client via Airport Wi-Fi:</strong></p>
<p>Advanced Persistent Threat (APT) groups are targeting enterprise VPN vulnerabilities. A recent example is the 2024 VPN attacks against Ivanti. In a typical scenario, an employee connects to their corporate network using vulnerable VPN software at an international airport. Attackers exploit the VPN vulnerability, bypass encryption, and install malware on the employee’s laptop. This allows them to infiltrate the company’s network and steal proprietary manufacturing processes and trade secrets, causing significant financial losses and requiring a major incident response.</p>
<p>&nbsp;</p>
<p><strong>Attacking and Breaching VPN Users on Public Library Wi-Fi:</strong></p>
<p>A severe security flaw known as PrintNightmare can be exploited by threat actors against computers, even those of users connected to a VPN over a Wi-Fi network. A typical instance is an employee of a prestigious law firm working remotely from a public library, using the corporate VPN to access internal resources. Attackers on the same network exploit the PrintNightmare vulnerability, executing malicious code on the employee’s laptop. This breach allows the attackers to move within the firm’s network, accessing confidential client information and case details. This leads to legal repercussions and reputational damage for the firm, prompting a thorough overhaul of its security practices.</p>
<p>&nbsp;</p>
<p><strong>Tech Company Infiltrated via Coffee Shop Wi-Fi:</strong></p>
<p>Threat actors can utilize Mirai malware that spreads to devices on networks, including public Wi-Fi networks, affecting users even when they are utilizing VPNs. A case in point is an employee of a tech company connecting to their office VPN from a coffee shop’s public Wi-Fi network. The network contains compromised devices infected with Mirai malware. The employee’s laptop, running outdated Windows, becomes infected. The malware uses the VPN connection to infiltrate the company’s network, leading to data theft and unauthorized access to sensitive projects. The company must enforce strict security protocols and undergo a comprehensive network data discovery and clean-up.</p>
<p>&nbsp;</p>
<p><strong>The Core Issue with VPNs on Public Networks:</strong></p>
<p>VPNs play a vital role in maintaining privacy by encrypting data in transit. However, they do not fully protect you from local threats found on public networks like those in coffee shops, hotels, or airports. Complementing VPNs with additional tools, such as travel routers or cellular hotspots, as explained below, can significantly mitigate these risks.</p>
<p>&nbsp;</p>
<p><strong>Simplifying the VPN Concept:</strong></p>
<p>Some think of a VPN as a tunnel through the Internet that provides a network connection. This tunnel can allow you to work as if you were connected in person at your office. Remember, though, that the VPN provides privacy for your data, not comprehensive security for your laptop.</p>
<p>&nbsp;</p>
<p><strong>Understanding the VPN Paradox to Prevent Breaches</strong></p>
<p>The common belief that a VPN alone guarantees security in a coffee shop scenario is not only incomplete &#8211; it&#8217;s potentially dangerous. Addressing this belief is crucial for your company&#8217;s cybersecurity.</p>
<p>&nbsp;</p>
<p><strong>The Danger of a False Sense of Security</strong></p>
<p>When workers believe that a VPN makes them secure, they may unknowingly increase their risk by connecting to insecure networks, thinking they are safe. This false sense of security can lead to substantial cybersecurity incidents within an organization.</p>
<p><strong>Solutions for Executives to Consider:</strong></p>
<p>Two relatively simple solutions can help remote users stay secure. The first is to keep them off the coffee shop, hotel, or other public network by having them connect with a mobile phone or cellular hotspot instead. Alternatively, the user can be provided with and trained to use a properly configured small hardware firewall to help protect their laptop from the risks of the public network.</p>
<p>&nbsp;</p>
<p>Addressing these challenges with your IT Team can strengthen your defenses against sophisticated cyber threats. Implementing portable hardware firewalls or alternative connectivity options can bolster users’ security as they work remotely.</p>
<p>&nbsp;</p>
<p><strong>Introduction to Ways to Help Keep Remote Users and VPNs Secure:</strong></p>
<p>What follows is detailed information, described in plain English, for executives and IT Pros who want more information about the risks and how to protect remote users connecting through a remote access VPN connection. Allowing users to use a VPN on a public network could result in a breach at your organization, hence the reason for this document.</p>
<p>&nbsp;</p>
<p><strong>Actionable Steps:</strong></p>
<p>This article&#8217;s purpose is to highlight the potential security enhancement provided by eliminating the incidence of users connecting to the public network or, if they do connect, using a hardware firewall to isolate them from the public network.</p>
<p>&nbsp;</p>
<p>A threat actor doesn’t need to be in the coffee shop; the attacks can originate from an innocent user’s laptop that the user does not realize has been compromised by a threat actor, or from a malicious program or service running on another computer connected to the guest network.</p>
<p>&nbsp;</p>
<p>To avoid connecting to the public network, users can use their properly configured phone or a cellular hotspot to connect from the coffee shop, hotel, or other public area. Cellular networks can have security concerns, too. Fake cellular towers or insiders working at the cellular company are examples of threats, but cellular connections are arguably more secure than public Wi-Fi networks. The benefit of this method is how quick and convenient the connection is. Drawbacks include the need for a reliable cellular signal and potentially increased recurring data charges by the cellular carrier. Additionally, if the user exceeds the carrier’s data limit for the month, the carrier might throttle (slow down) the user’s data rate for the rest of the month.</p>
<p>&nbsp;</p>
<p>If the user doesn’t have access to a cellular connection, wants to avoid wireless carrier fees, or wants to connect to the public network for any other reason, they could use a portable firewall, commonly known as a travel router, to help isolate them from the risks of the public network. Useful travel routers are available for a one-time purchase for less than $100. Keep in mind that the user’s data rate will be restricted to the data rate of the public network or slower if the user uses a VPN across the public network. Public network speeds can vary greatly, as can cellular data speeds, even during different times of day.</p>
<p>&nbsp;</p>
<p>It is essential to note that while travel routers and firewalls can help mitigate many risks, they must be appropriately configured to be effective. Their configuration screens can be complex, potentially leading to insecure configurations. A user with an improperly configured travel router connection is dangerous since the user might have a false sense of security. It is essential to involve your IT Team in planning, configuring, and deploying travel routers, as well as in providing the training users need to use the devices securely.</p>
<p>&nbsp;</p>
<p>Using a travel router requires additional training so that users can complete three steps. First, after powering on the firewall device, the laptop user must connect their laptop to the travel router as if it were a cellular hotspot or another Wi-Fi connection. This is a relatively simple process and will likely be the same routine for the life of the travel router. Many travel routers accept wireless and wired connections. Second, the user uses a window in their browser to connect the travel router to the public network by its name. This step is potentially precarious due to the complexity of the configuration screen on some travel routers. Your IT Team must be involved in creating precise documentation, user training, and configuring the devices. Third, the user goes through the process of logging into the public network if the public network requires some kind of login process, such as a room number and last name at a hotel. If the user doesn’t see the hotel login screen, they can open a new tab in their browser to neverssl dot com or nossl dot com, and the hotel login screen will usually pop up.</p>
<p>&nbsp;</p>
<p>Typically, the public network recognizes the firewall as if the user is connected directly from their laptop. Now, the user does their work as usual. The travel router acts as a firewall between the laptop and the potentially risky public network. The connection process is usually speedy if the user frequents the same public hotspots. Even on a new network, a trained user can usually complete the three-step process in five minutes.</p>
<p>&nbsp;</p>
<p>VPNs are essential for encrypting data and protecting privacy, including the sites users visit while connected to a network. Users wishing to use a VPN to control privacy can use the VPN client on their laptop as usual. This applies whether the user uses their cellular connection or a travel router. Many travel routers include a VPN feature, too. Secure Access Service Edge (SASE), pronounced sassy, is a technology that provides a more comprehensive approach to secure access that can sometimes replace traditional remote connection strategies. Everything in this article about protecting a user’s laptop from security threats against the public network connection still applies in SASE.</p>
<p>&nbsp;</p>
<p>Technologies that sound like alphabet soup and are explained below, such as IDS (Intrusion Detection System), IPS (Intrusion Prevention System), EDR (Endpoint Detection and Response), and XDR (Extended Detection and Response), can help protect the laptop against threats potentially lurking on public networks. However, attackers also obtain these protection tools. They are constantly probing for weaknesses they can exploit, so you must continue to use additional tools and techniques to protect your organization in a layered approach. The necessity of maintaining and monitoring those technologies can also create a significant burden on your IT Team. More on that below.</p>
<p>&nbsp;</p>
<p><strong>Multi-factor Authentication is Not a Shield:</strong></p>
<p>Multi-factor authentication (MFA), such as a text message or authenticator app, is an essential part of your cybersecurity strategy that you must adopt immediately if it isn’t already in use. While MFA helps secure the authentication process, it does not address network attacks or other ways that could allow an attacker to compromise the laptop. If attackers compromise the laptop, they can bypass MFA by utilizing the user’s active session. The attacker can wait for the authorized user to log in using MFA on their behalf, and then the attacker can have the same level of access as the authenticated user. The point is that MFA is an essential, if not mandatory, cybersecurity control, but it does not protect the user against network attacks on a public network.</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p><em>For those of you familiar with my articles, you know my focus is to present cybersecurity topics in non-technical terms. The following section is more technical than usual. Consider passing this along to your IT team if they want more technical details.</em></p>
<p><strong>The Technical Details to Protect Yourself and Your Organization</strong></p>
<p>In the next portion of this document, we&#8217;ll explore configuring the data center&#8217;s networking environment and the remote hosts to make using a remote access VPN safer.</p>
<p><strong>Quick Definitions Used in this Document</strong></p>
<ul>
<li>Remote Access VPN: This type of VPN allows individuals to connect to their company&#8217;s network, unlike site-to-site VPNs, which connect two office locations or data centers.</li>
</ul>
<p>&nbsp;</p>
<ul>
<li>Unmanaged Computer: A computer that is not maintained by an IT professional using specialized knowledge and tools. These endpoints are more vulnerable.</li>
</ul>
<p>&nbsp;</p>
<ul>
<li>Public Network: Think coffee shops, cruise ships, resorts, hotels, airports, etc.</li>
</ul>
<p>&nbsp;</p>
<ul>
<li>MFA (Multi-factor Authentication): This adds a layer of security for the authentication process beyond just passwords. Examples of MFA include a text message or an authenticator app on your phone. However, MFA doesn&#8217;t shield you from threats of malicious signals on a network scanning your laptop for vulnerabilities and security misconfigurations.</li>
</ul>
<p>&nbsp;</p>
<p><strong>The Core Issue with Remote Access VPNs</strong></p>
<p>A significant concern with remote access VPNs is that attackers gain the same access as the remote user if a remote host is compromised.</p>
<p>&nbsp;</p>
<p><strong>Protective Strategies</strong></p>
<p>Please keep reading to learn how to safeguard your network and host computers, ensuring they don&#8217;t become conduits for attackers to infiltrate your network.</p>
<p>&nbsp;</p>
<p><strong>Part 1: Fortifying User Devices Against Infection: Such as Protecting the User at the Coffee Shop</strong></p>
<p>&nbsp;</p>
<p>While a VPN doesn&#8217;t inherently secure a device on a public network, the following measures can bolster your device’s security:</p>
<p>&nbsp;</p>
<ul>
<li>Fundamental Cybersecurity Controls on Endpoints: Use core cybersecurity controls for laptops. For example, apply critical security updates regularly and soon after release. To help stop attacker programs, restrict what applications can run using application control. Prevent users from installing applications by controlling their permissions or using third-party tools. Restrict enabled services to only the essential functions the user needs. Close all open ports. Follow other cybersecurity best practices.</li>
</ul>
<p>&nbsp;</p>
<ul>
<li>Endpoint Protection: Some organizations deploy Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) on remote users’ devices. Using Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), or Managed Detection and Response (MDR) agents on the laptops can increase security by monitoring for signs of malicious behavior, known as indicators of compromise (IoCs). EDR/XDR tools provide many benefits, including continuously monitoring network devices and watching for suspicious activities or evidence that an attacker is compromising a system. EDR/XDR is designed to identify, isolate, and mitigate threats. Response options include stopping the threat actor by shutting down processes and services or, as a more comprehensive response, quarantining the remote device until the IT Team can investigate. The most thorough response would be for the IT Team to erase and reload the workstation if there is any indication that the device was compromised. Some organizations use automated means of initializing workstations to facilitate this reloading process. IDS, IPS, EDR, and XDR must be effectively monitored, managed, and updated. One way many organizations ease the burden on their internal IT Teams is to utilize a third-party managed security service provider (MSSP) to perform these tasks. Managed Detection and Response (MDR) means you pay a third-party provider to manage your EDR/XDR. One key point to remember is that attackers can obtain these protection tools, too, and are always looking for ways to bypass the tools. We perform Red Team Exercises at companies to test the capabilities of the EDR and XDR protections. Do not make the common mistake of letting your guard down in other security areas after implementing EDR or XDR.</li>
</ul>
<p>&nbsp;</p>
<ul>
<li>Shielding from Public Networks: Equip remote users with a filtering device, such as a portable firewall or travel router, to act as an intermediary between their laptop and the public network. In some cases, these devices can establish VPN connections directly to the data center, offering an added layer of security since the laptop is shielded from the network. Proper configuration of travel routers is crucial. They should be set up to help ensure secure connections, which includes using the most secure Wi-Fi security protocols, regularly updating to the latest firmware to protect against vulnerabilities, applying secure configuration policies, and taking other steps to enhance security.</li>
</ul>
<p>&nbsp;</p>
<ul>
<li>Alternative Connectivity: When a secure filtering device isn&#8217;t available, it is recommended that remote users connect via a cellular network to avoid the risks of public Wi-Fi. When you are disconnected from public Wi-Fi, you are also disconnected from potentially harmful devices on that network.</li>
</ul>
<p>&nbsp;</p>
<p>By implementing these practices, you can significantly enhance your security posture against the potential risks associated with remote VPN access.</p>
<p>&nbsp;</p>
<p><strong>Part 2: Securing Your Organization’s Network Against Compromised Users’ Laptops on a Remote Access VPN: Protecting the Organization from the User at the Coffee Shop</strong></p>
<p>&nbsp;</p>
<p>To help prevent unauthorized network access through a compromised VPN user&#8217;s device, consider these strategies:</p>
<p>&nbsp;</p>
<ul>
<li>Restricted Access: Restrict VPN use to company-issued computers only. Your IT team must manage robust security measures like patch management, EDR/XDR solutions, stringent configurations, and more.</li>
</ul>
<p>&nbsp;</p>
<ul>
<li>Ban Personal Devices on VPN: Consider prohibiting the use of family or personal devices for VPN access. These unmanaged devices are more susceptible to malware, which can spread to your corporate network.</li>
</ul>
<p>&nbsp;</p>
<ul>
<li>Network and Firewall Strategies at the Data Center:</li>
</ul>
<p>&nbsp;</p>
<ul>
<li>Server Segmentation: Isolate RDS and file servers in separate network segments or VLANs. This approach allows for tailored security policies and mitigates the spread of potential breaches.</li>
</ul>
<p>&nbsp;</p>
<ul>
<li>VPN Traffic Isolation: Create a dedicated network segment for VPN traffic to act as a buffer zone, keeping incoming connections separate from the core network.</li>
</ul>
<p>&nbsp;</p>
<ul>
<li>Firewall Implementation: Place firewalls strategically to monitor and control traffic between the VPN and other network segments. Implement Firewall Access Control Lists (ACLs, a.k.a. Firewall Rules) to define and enforce permissible traffic types, sources, and destinations between these segments.</li>
</ul>
<p>&nbsp;</p>
<ul>
<li>Traffic Protocol Rules: Specifically, allow only necessary protocols like RDP and file-sharing through the VPN to the designated servers, using protocol filtering and port restrictions to enforce this.</li>
</ul>
<p>&nbsp;</p>
<ul>
<li>Session Management: Configure firewalls to limit session numbers and durations, reducing the risk of prolonged unauthorized access.</li>
</ul>
<p>&nbsp;</p>
<ul>
<li>Deep Packet Inspection: Employ firewalls capable of DPI to scrutinize traffic content, ensuring it aligns with expected patterns.</li>
</ul>
<p>&nbsp;</p>
<ul>
<li>Vigilant Monitoring: Set up logging for all traffic passing through the firewalls and regularly review these logs for anomalies.</li>
</ul>
<p>&nbsp;</p>
<ul>
<li>Firewall and Infrastructure Firmware Patches and Updates: Keep firewall firmware and configurations up to date to counter emerging threats.</li>
</ul>
<p>&nbsp;</p>
<ul>
<li>Regular Audits: Conduct periodic audits to validate the effectiveness of your security measures.</li>
</ul>
<p>&nbsp;</p>
<p><strong>Part 3: Don’t Provide an Easy Path for Attackers to Access Your Files</strong></p>
<p>&nbsp;</p>
<ul>
<li>Omitting Drive Mapping to Remote Hosts: Consider alternative solutions for file sharing rather than mapping server drives for remote VPN users. If you share a drive through the VPN and an attacker compromises a host, the attacker can access the drive. The mapping makes it easier for the attacker to encrypt or delete files on your servers.</li>
</ul>
<p>&nbsp;</p>
<ul>
<li>If you won&#8217;t map drives, and the remote users need direct access to the exact instances of the files local users have, strategies include:</li>
</ul>
<p>&nbsp;</p>
<ul>
<li>Cloud Storage: To avoid drive mapping, the files could be stored in a cloud location, from Microsoft or a third-party solution, for all users to access.</li>
</ul>
<p>&nbsp;</p>
<ul>
<li>File Synchronization Considerations: If cloud storage is not an option, and the files must be stored on traditional servers for local users, some form of file synchronization could be utilized to copy the files to a hosted location accessible to remote users. This would be effective if remote users only read, not edit, the files. If multiple users edit files simultaneously, data inconsistencies are likely. The synchronization would need to consider the possibility of a local user editing a file while a remote user is editing the same file in the shared storage environment. In this case, the synchronization process would need to know which saved version to preserve and what to do with the conflicting version. It should also alert the users that they could have lost their edits.</li>
</ul>
<p>&nbsp;</p>
<p><strong>VPNs and MFA: A Misunderstood Safety Net</strong></p>
<p>In my experience, some well-meaning IT professionals proclaim, &#8220;If you are in a coffee shop, you can protect yourself from the security risks if you use a VPN backed up with MFA.&#8221; This well-intentioned advice, however, needs a deeper dive to uncover the whole truth.</p>
<p><strong> </strong></p>
<p><strong>MFA and VPN Security:</strong></p>
<p>Multi-factor authentication (MFA) significantly enhances security by helping ensure that only authorized users can access VPNs. However, it&#8217;s crucial to understand that while MFA helps in securing the authentication of users, MFA does not safeguard against attacks exploiting vulnerabilities on devices connected to the public network. For example, MFA cannot protect against an attacker scanning for open ports on a laptop connected to a compromised Wi-Fi network. These attacks can occur independently of the authentication process that MFA protects, highlighting the need for comprehensive endpoint security measures and robust authentication protocols.</p>
<p>&nbsp;</p>
<p>To guard against a wide range of threats, organizations must implement a layered security approach that includes strong authentication measures like MFA and endpoint protection strategies. This should involve regularly patching and updating software and operating systems, closing unnecessary ports, employing host-based firewalls, and continuously monitoring for suspicious activities. By addressing device-level security alongside authentication controls, organizations can provide a more robust defense against attackers&#8217; diverse tactics.</p>
<p>&nbsp;</p>
<p><strong>Consider Alternative Solutions for Remote Access: </strong></p>
<p>A Remote Desktop Services (RDS) gateway can allow remote users to access internal network resources without requiring a traditional VPN connection. This approach can reduce the network&#8217;s attack surface by not providing a tunnel for attackers to exploit. However, RDS gateways come with other security challenges and require robust configuration and protection. User devices using RDS still need robust security measures to help protect against potential compromises, including an attacker compromising a remote user’s laptop.</p>
<p>&nbsp;</p>
<p>Similarly, allowing remote users to operate cloud-based virtual desktops, such as those provided by Windows 365, can eliminate the need for drive mappings to the remote user’s computer.</p>
<p>&nbsp;</p>
<p>However, it is essential to recognize that if the remote host system—whether a cloud-based virtual desktop or a machine accessed via an RDS gateway—is compromised, an attacker may still be able to hijack a user&#8217;s session. This potential risk underscores the necessity for robust security measures, including continuous monitoring and response strategies, to quickly detect and address any such compromise.</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p><strong>In Conclusion:</strong></p>
<p>VPNs provide significant security benefits by encrypting data, which is crucial for privacy and protection against eavesdropping. However, they should be part of a broader security strategy that includes secure endpoints and awareness of public network risks. An attacker, physically present in the coffee shop or remotely controlling another patron&#8217;s device, could exploit open ports, unpatched vulnerabilities, or other security loopholes. This is where malware, often lurking unnoticed, can exploit weaknesses on your laptop.</p>
<p>&nbsp;</p>
<p>Threat actors rely on the misconception that using a VPN is the only cybersecurity control necessary to protect users on public networks. Some of the most significant cybersecurity predictions relate to threat actors attacking VPNs. Additionally, using a VPN with drive mapping is a common practice for remote work but includes significant inherent risks.</p>
<p>&nbsp;</p>
<p>Bolster your organization’s security by empowering your users to avoid connecting to a public network and to consider some form of securely configured cellular connection instead. If they connect to the public network, consider facilitating their security with a properly configured hardware firewall to help isolate their laptop from the public network.</p>
<p>&nbsp;</p>
<p>Combining multiple tools and best practices is essential for a layered security approach. As always, regular user training is an essential component of keeping your organization secure.</p>
<p>&nbsp;</p>
<p>Note: This document provides guidelines for enhancing remote access security through VPNs and alternative methods. It does not address the security specifics of the VPN client application or browser plugins. Readers are encouraged to follow cybersecurity best practices for those components as well.</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>&nbsp;</p>
<p>Disclaimer: The information provided in this blog is for general informational purposes only. Technology changes constantly, and some of this information might become obsolete or incorrect. We do not endorse or receive compensation for mentioning products, services, or brand names. Any outbound links provided are for your convenience and to get you started, but we cannot guarantee the security or safety of those external websites. Conducting your research and making an informed decision about any products or services mentioned here is essential. We shall not be held responsible for any actions taken based on the information provided.</p>
<p>&nbsp;</p>
<p>The post <a href="https://fosterinstitute.com/what-executives-must-know-vpns-and-public-network-security/">What Executives Must Know: VPNs and Public Network Security</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Attackers Can Take Control of Your Network in Three Seconds, and How to Stop Them</title>
		<link>https://fosterinstitute.com/attackers-can-take-control-of-your-network-in-three-seconds-and-how-to-stop-them/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Fri, 23 Oct 2020 19:03:56 +0000</pubDate>
				<category><![CDATA[Alerts]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Executive Tips]]></category>
		<category><![CDATA[IT Best Practices]]></category>
		<category><![CDATA[Patches]]></category>
		<category><![CDATA[Remote Worker Security]]></category>
		<category><![CDATA[Security Breach]]></category>
		<category><![CDATA[Technology Safety Tips]]></category>
		<category><![CDATA[Cyber Security Best Practices]]></category>
		<category><![CDATA[Cyber Security Consultant]]></category>
		<category><![CDATA[cyber security expert]]></category>
		<category><![CDATA[it security audit]]></category>
		<category><![CDATA[it security review]]></category>
		<category><![CDATA[IT security training]]></category>
		<category><![CDATA[Keep Your Network Safe]]></category>
		<category><![CDATA[risk management]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=3333</guid>

					<description><![CDATA[<p>An attacker can plug into any network port in your building and, within 3 seconds, take control of your entire network. The attacker does not need to know any passwords; they do not even need a username. They plug in a cable, and 3 seconds later, they&#8217;ve completely compromised your network. An attacker posing as [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/attackers-can-take-control-of-your-network-in-three-seconds-and-how-to-stop-them/">Attackers Can Take Control of Your Network in Three Seconds, and How to Stop Them</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>An attacker can plug into any network port in your building and, within 3 seconds, take control of your entire network.<span id="more-3333"></span></p>
<p>The attacker does not need to know any passwords; they do not even need a username. They plug in a cable, and 3 seconds later, they&#8217;ve completely compromised your network. An attacker posing as a visitor, a copier repair person, or a member of a cleaning crew can compromise your organization. They can steal sensitive information, install ransomware, and shut down operations entirely. They bypass the majority, if not all, of your other protections because now they&#8217;re a Domain Administrator.</p>
<p>This exploit is so severe that the Department of Homeland Security directed all federal agencies to apply the patch in accordance with the Federal Emergency Directive 20-04.</p>
<p>Take these three steps ASAP:</p>
<p>First, ask your IT team if they&#8217;ve backed up your Domain Controller servers and applied Microsoft&#8217;s patches that address the Zerologon exploit CVE-2020-1472. They must do this immediately. Be compassionate if they&#8217;ve not. IMPORTANT: Realize that if an attacker already took over a network, the patch doesn&#8217;t help.</p>
<p>Second, if you have Domain Controllers using operating systems older than Windows Server 2008 R2, your IT professionals must shut them down for good. Be sure to migrate any mission-critical services to other servers.</p>
<p>Third, does your organization rely on third parties to support you? What if one of your major suppliers, a distributor, or your biggest customer falls prey to an attack? Prepare your organization now for an interruption of their operations. Be sure their executives know about this flaw and these three steps. You do not want a catastrophe at their organization to domino and cause a disaster for you, even though you&#8217;ve protected your systems.</p>
<p>Additional steps:</p>
<p>Inform your work-from-home team members that, in some cases, the attacker can take over your network using a VPN connection. Do you have an armed guard at every work-from-home user&#8217;s home to watch visitors? Of course not. But your entire organization might rely on their security. What if a teenager&#8217;s friend feels like playing around, experimenting, with this new cool exploit on a mom or dad&#8217;s computer?</p>
<p>The patches only protect you from attacks from Windows devices. If an attacker accesses a network port or cable with a non-Windows machine, the attacker can still take control of your network. Microsoft will release a second patch on February 9, 2021. Ask your IT team to configure alerts now to monitor security log events 5827 through 5831 to see when connections are allowed or denied.</p>
<p>The average time for IT Professionals to apply critical security patches is five months, but you need to help yours be above average. Ask them what you can do to help them have time to test and install all critical security patches within 14 days or sooner. They might want to have a patch management tool. They might need more time to devote to applying updates.</p>
<p>Confirm that your IT Team disconnects or disables all unused Ethernet ports, including those in conference rooms. Lock doors to any offices and conference rooms that contain active Ethernet ports. Train everyone to be proactive and remove opportunities for anyone, including guests and repair people, to plug a device into a network port.</p>
<p>Keep in mind that 911 systems, airlines, governments, and every organization that you depend on are at risk for Zerologon exploit CVE-2020-1472 until they take action too.</p>
<p>Please forward this to fellow executives you care about so they can support their IT Professionals in successfully backing up servers and applying the emergency patch.</p>
<p>The post <a href="https://fosterinstitute.com/attackers-can-take-control-of-your-network-in-three-seconds-and-how-to-stop-them/">Attackers Can Take Control of Your Network in Three Seconds, and How to Stop Them</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>One Nine-Year-Old Checking her Email can Breach Your Entire Organization, and How to Protect Yourself</title>
		<link>https://fosterinstitute.com/one-nine-year-old-checking-her-email-can-breach-your-entire-organization-and-how-to-protect-yourself/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Wed, 07 Oct 2020 08:00:34 +0000</pubDate>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Executive Tips]]></category>
		<category><![CDATA[IT Risk Management]]></category>
		<category><![CDATA[Remote Worker Security]]></category>
		<category><![CDATA[Technology Safety Tips]]></category>
		<category><![CDATA[Cyber Security Best Practices]]></category>
		<category><![CDATA[Cyber Security Consultant]]></category>
		<category><![CDATA[cyber security expert]]></category>
		<category><![CDATA[Cyber Security Tips]]></category>
		<category><![CDATA[it risk management]]></category>
		<category><![CDATA[IT security consultant]]></category>
		<category><![CDATA[it security review]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=3324</guid>

					<description><![CDATA[<p>Workers who use their personal home computers for business put you at significant risk. When another family member shares a work-from-home computer, it magnifies your risk exponentially. If users already work from home using personal home computers, there are potentially cost-free steps to help protect your organization. Consider allowing them to take their work computer [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/one-nine-year-old-checking-her-email-can-breach-your-entire-organization-and-how-to-protect-yourself/">One Nine-Year-Old Checking her Email can Breach Your Entire Organization, and How to Protect Yourself</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Workers who use their personal home computers for business put you at significant risk.<span id="more-3324"></span></p>
<p>When another family member shares a work-from-home computer, it magnifies your risk exponentially. If users already work from home using personal home computers, there are potentially cost-free steps to help protect your organization. Consider allowing them to take their work computer home. If their work computer doesn&#8217;t have wireless access, you can provide an inexpensive USB wireless adapter.</p>
<p>Allow your IT professionals, or IT consultants, to monitor and maintain the security of those computers. Many protection tools support remote users, so you might already have what you need.</p>
<p>Dedicated work computers must remain off-limits to other family members. Set a firm boundary that your workers are not authorized to use the computers for any purpose other than working.</p>
<p>Please forward this to your friends, so they know this cost-free way to help protect work-from-home users.</p>
<p>The post <a href="https://fosterinstitute.com/one-nine-year-old-checking-her-email-can-breach-your-entire-organization-and-how-to-protect-yourself/">One Nine-Year-Old Checking her Email can Breach Your Entire Organization, and How to Protect Yourself</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Be Smart and Avoid This Comforting Belief</title>
		<link>https://fosterinstitute.com/be-smart-and-avoid-this-comforting-belief/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Fri, 02 Oct 2020 20:03:41 +0000</pubDate>
				<category><![CDATA[Alerts]]></category>
		<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Executive Tips]]></category>
		<category><![CDATA[IT Risk Management]]></category>
		<category><![CDATA[Cyber Security Best Practices]]></category>
		<category><![CDATA[Cyber Security Consultant]]></category>
		<category><![CDATA[it security expert]]></category>
		<category><![CDATA[it security review]]></category>
		<category><![CDATA[Keep Your Network Safe]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=3322</guid>

					<description><![CDATA[<p>Someone told me today, as is common: Attackers are only interested in hacking large businesses. Believing that small to mid-size businesses are not targets helps business owners and executives sleep better at night. The thought is comforting. However, the reality is that instead of choosing targets based on organization size, the majority of attackers choose [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/be-smart-and-avoid-this-comforting-belief/">Be Smart and Avoid This Comforting Belief</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Someone told me today, as is common: Attackers are only interested in hacking large businesses.<span id="more-3322"></span></p>
<p>Believing that small to mid-size businesses are not targets helps business owners and executives sleep better at night. The thought is comforting.</p>
<p>However, the reality is that instead of choosing targets based on organization size, the majority of attackers choose soft, easy-to-breach targets. In particular, that category includes work-from-home computers.</p>
<p>In our consulting business, we&#8217;re seeing many firms suffer major breaches that originate at an unsuspecting work-from-home user&#8217;s computer.</p>
<p>Please forward this to your friends so they know that, although it may feel comforting to believe attackers only go after the big companies, that belief is putting their organization at tremendous risk.</p>
<p>The post <a href="https://fosterinstitute.com/be-smart-and-avoid-this-comforting-belief/">Be Smart and Avoid This Comforting Belief</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Power Down to Boost Security</title>
		<link>https://fosterinstitute.com/power-down-to-boost-security/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Fri, 05 Jun 2020 20:35:40 +0000</pubDate>
				<category><![CDATA[Alerts]]></category>
		<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Cyber Security Training]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Executive Tips]]></category>
		<category><![CDATA[IT Risk Management]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[Cyber Security Best Practices]]></category>
		<category><![CDATA[Cyber Security Consultant]]></category>
		<category><![CDATA[cyber security expert]]></category>
		<category><![CDATA[Cyber Security Tips]]></category>
		<category><![CDATA[IT security consultant]]></category>
		<category><![CDATA[it security review]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=3220</guid>

					<description><![CDATA[<p>One simple thing you can do to protect yourself is to power off your computer when you are not using it. If you don&#8217;t want to power it down, at least disconnect from your network. You&#8217;ll make your computer less attractive to attackers, and it limits the window during which they can attack. You have [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/power-down-to-boost-security/">Power Down to Boost Security</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div><span>One simple thing you can do to protect yourself is to power off your computer when you are not using it. If you don&#8217;t want to power it down, at least disconnect from your network.</span></div>
<p><span id="more-3220"></span></p>
<p>You&#8217;ll make your computer less attractive to attackers, and it limits the window during which they can attack. You have nothing to lose, and you might even reduce your power bill!</p>
<p>Please forward this to all of your friends, so they know this simple step to protect themselves.</p>
<p>The post <a href="https://fosterinstitute.com/power-down-to-boost-security/">Power Down to Boost Security</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Two Tips to Make Your Online Meetings Better</title>
		<link>https://fosterinstitute.com/two-tips-to-make-your-online-meetings-better/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Fri, 15 May 2020 19:50:31 +0000</pubDate>
				<category><![CDATA[Executive Tips]]></category>
		<category><![CDATA[Online Meetings]]></category>
		<category><![CDATA[Zoom]]></category>
		<category><![CDATA[Cyber Security Best Practices]]></category>
		<category><![CDATA[Cyber Security Consultant]]></category>
		<category><![CDATA[cyber security expert]]></category>
		<category><![CDATA[Cyber Security Tips]]></category>
		<category><![CDATA[it security review]]></category>
		<category><![CDATA[Keep Your Network Safe]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=3165</guid>

					<description><![CDATA[<p>Everyone is concerned about video conferencing security, and they should be. But when the hardware and software are not working right, safety seems like a distraction. Use at least two monitors. You can often separate the presentation so that you see slides on one screen and all the participants&#8217; faces on another. When you buy [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/two-tips-to-make-your-online-meetings-better/">Two Tips to Make Your Online Meetings Better</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Everyone is concerned about video conferencing security, and they should be. But when the hardware and software are not working right, safety seems like a distraction.<span id="more-3165"></span></p>
<p>Use at least two monitors. You can often separate the presentation so that you see slides on one screen and all the participants&#8217; faces on another. When you buy new, seek 4K resolution. Investigate 15-inch portable monitors if you need to move around, or 27-inch screens if portability isn&#8217;t necessary.</p>
<p>Second, straining to hear someone&#8217;s voice over a poor connection is very distracting. Rather than using your computer&#8217;s built-in mic, consider using a suitable USB Microphone. Position the mic close to your mouth. Some people prefer headset mics – especially if they are in a noisy environment. I wear a wireless lapel mic when presenting online keynote speeches and webinars. All of those provide better sound than a laptop&#8217;s built-in mic.</p>
<p>Please forward this to everyone you know because, when their video conferences run smoothly, they can pay more attention to security and being mindful of what they say. Stay safe!</p>
<p>The post <a href="https://fosterinstitute.com/two-tips-to-make-your-online-meetings-better/">Two Tips to Make Your Online Meetings Better</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Video Conferencing &#8211; Avoid Installing Meeting Programs When Possible</title>
		<link>https://fosterinstitute.com/video-conferencing-avoid-installing-meeting-programs-when-possible/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Fri, 01 May 2020 20:38:53 +0000</pubDate>
				<category><![CDATA[Executive Tips]]></category>
		<category><![CDATA[Executives and IT]]></category>
		<category><![CDATA[IT Best Practices]]></category>
		<category><![CDATA[Remote Worker Security]]></category>
		<category><![CDATA[Zoom]]></category>
		<category><![CDATA[Cyber Security Best Practices]]></category>
		<category><![CDATA[Cyber Security Consultant]]></category>
		<category><![CDATA[cyber security expert]]></category>
		<category><![CDATA[it security review]]></category>
		<category><![CDATA[Keep Your Network Safe]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=3158</guid>

					<description><![CDATA[<p>CEOs and Executives: Avoid installing video conferencing software on your computer just because some other company tells you to. When you launch video conferencing programs, many of them ask you to install a program or app on your computer or device. What if the program is a virus? Here is another essential tactic to help [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/video-conferencing-avoid-installing-meeting-programs-when-possible/">Video Conferencing &#8211; Avoid Installing Meeting Programs When Possible</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>CEOs and Executives: Avoid installing video conferencing software on your computer just because some other company tells you to. When you launch video conferencing programs, many of them ask you to install a program or app on your computer or device. What if the program is a virus?<span id="more-3158"></span></p>
<p><iframe src="https://player.vimeo.com/video/413795842" width="640" height="360" frameborder="0" allow="autoplay; fullscreen" allowfullscreen></iframe></p>
<p>Here is another essential tactic to help protect your remote workers.</p>
<p>There&#8217;s a company in Saint Louis that ran into a problem your organization might face too.</p>
<p>Their remote workers must attend many video conference calls, online meetings, webinars, and online training sessions. Their IT Pro doesn&#8217;t want to install different programs on his users&#8217; computers if he can avoid it.</p>
<p>As you know, a significant way to improve cybersecurity is to uninstall nonessential software, not to add more programs.</p>
<p>The company&#8217;s savvy IT Pro discovered an excellent solution. He found that all of the video conferencing and training tools his team needs can run inside their already-installed browsers. They don&#8217;t need to download and install extra software. They have Zoom already, but workers use their browsers for other kinds of meetings. They may not get all the advanced functionality, but they can still participate in the sessions just fine.</p>
<p>Please forward this to your friends so that they know, to improve cybersecurity, avoid installing software or apps whenever possible. Their IT Pro may find that workers can participate in many meetings using their browser only, without needing to increase the attack surface by installing more software. </p>
<p>The post <a href="https://fosterinstitute.com/video-conferencing-avoid-installing-meeting-programs-when-possible/">Video Conferencing &#8211; Avoid Installing Meeting Programs When Possible</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Zoom Security Issues &#8211; Protect Yourself</title>
		<link>https://fosterinstitute.com/zoom-security-issues-protect-yourself/</link>
		
		<dc:creator><![CDATA[Mike Foster]]></dc:creator>
		<pubDate>Tue, 07 Apr 2020 23:03:01 +0000</pubDate>
				<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Cyber Security Training]]></category>
		<category><![CDATA[Executive Tips]]></category>
		<category><![CDATA[IT Best Practices]]></category>
		<category><![CDATA[Video Meeting Security]]></category>
		<category><![CDATA[Zoom]]></category>
		<category><![CDATA[Cyber Security Best Practices]]></category>
		<category><![CDATA[Cyber Security Consultant]]></category>
		<category><![CDATA[it security expert]]></category>
		<category><![CDATA[it security review]]></category>
		<guid isPermaLink="false">https://fosterinstitute.com/?p=3081</guid>

					<description><![CDATA[<p>Every business is concerned and should be, about cybersecurity during online meetings. Due to its popularity, Zoom is an attractive target for the bad actors. There are hundreds, maybe more, people working all the time to break Zoom&#8217;s security. To help address the security problems, Zoom now offers a reward for anyone who finds a [&#8230;]</p>
<p>The post <a href="https://fosterinstitute.com/zoom-security-issues-protect-yourself/">Zoom Security Issues &#8211; Protect Yourself</a> appeared first on <a href="https://fosterinstitute.com">Foster Institute</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Every business is concerned, and should be, about cybersecurity during online meetings. Due to its popularity, Zoom is an attractive target for the bad actors. There are hundreds, maybe more, people working all the time to break Zoom&#8217;s security. <span id="more-3081"></span></p>
<p><iframe loading="lazy" title="Zoom Security Issues - Protect Yourself" src="https://player.vimeo.com/video/405210252?dnt=1&amp;app_id=122963" width="384" height="240" frameborder="0" allow="autoplay; fullscreen" allowfullscreen></iframe></p>
<p>To help address the security problems, Zoom now offers a reward for anyone who finds a way to break in. The payoff, for bad actors and researchers alike, is enormous. A sobering thought is that attackers may already have full control over Zoom. Then again, they might have complete control over GoToMeeting, Microsoft Teams, Skype, TeamViewer, WebEx, and any other virtual meeting platform. I certainly hope not.</p>
<h2>Zoom is Making Improvements</h2>
<p>Zoom says they&#8217;ve configured the system to avoid sending meetings through China&#8217;s servers. Otherwise, the Chinese government might require disclosure of your communications.</p>
<p>If you use Zoom on a Mac and a bad actor has your computer, they could take over your camera and microphone. Additionally, Zoom exposed information that could reveal Windows passwords. Zoom says they fixed those problems.</p>
<p>After Consumer Reports raised red flags, Zoom improved its privacy policy and practices. Zoom still has problems. A notable issue is that there is no end-to-end encryption during meetings. Security best practices dictate protection all the way from each participant to every other participant.</p>
<h2>You and Other Companies Can Help Protect Meetings</h2>
<p>For example, if you permit your users to record the meeting, encourage them to password-protect the recordings, especially if they upload them to a cloud storage service. Otherwise, anyone with access to the recording can play it back.</p>
<p>Require passwords and waiting rooms, per the new default settings. The goal is to stop intruders from interrupting a Zoom meeting with disruptive or disgusting content.</p>
<p>Configure the meeting so that only the host can share their screen. Then intruders cannot share theirs.</p>
<p>Never use a personal meeting room ID for scheduling meetings. Use the default setting to generate a meeting ID randomly.</p>
<p>Alert users to expect fraudulent email meeting invitations that try to trick them into typing their Zoom username and password.</p>
<p>Enable two-step login requirements to protect accounts even if a bad actor does discover usernames and passwords.</p>
<p>Or, you could ditch Zoom altogether. Options include FaceTime, Signal, Teams, and many others. But who knows which one could get hacked? No matter how secure it is, all it takes to destroy security is for one person on the call, or an attacker with remote access to their computer, to record the conversation using third-party screen recording software.</p>
<p>To help protect your Zoom meetings, watch these other videos, which concisely cover the security settings available in a paid Zoom account, show how to configure the two-step login feature, and run through the paid account settings so you can follow along:</p>
<p><a href="https://fosterinstitute.com/?p=3094&amp;preview=true" target="_blank" rel="noopener noreferrer">Zoom Security &#8211; Set Up Two-Step Login</a></p>
<p><a href="https://fosterinstitute.com/?p=3099&amp;preview=true" target="_blank" rel="noopener noreferrer">Zoom Security Settings &#8211; The Concise Details</a></p>
<p><a href="https://fosterinstitute.com/blog/follow-along-to-set-zoom-security-settings/" target="_blank" rel="noopener noreferrer">Zoom Security &#8211; Follow Along to Set Settings</a></p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
