Coronavirus and the social distancing required to help contain its spread have caused the rapid expansion of the use of videoconferencing as a business tool, replacing in-person meetings and travel. Of course, this has been accompanied by a corresponding increase in the exploitation of security gaps in videoconferencing platforms by malicious actors seeking access to sensitive data.
As we conduct a greater volume of business via videoconference, we more frequently may be sharing data that may be subject to various governmental and privacy regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act of 2002, which require medical providers, financial institutions, and other companies to secure all digital data associated with patients and customers, as well as the EU’s General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). This means we need to be much more aware of the purpose of our videoconferences, proposed attendees, types of data we plan to share, and whether meetings are recorded.
Videoconferencing security is a responsibility shared between a company and its employees. It begins with understanding whether equipment and software are supplied and controlled by the company versus by the employee in a Bring Your Own Device (BYOD) environment. Larger companies may have the wherewithal to have a sizeable and sophisticated technology department that configures hardware and software and monitors use to ensure that software updates are installed automatically and unauthorized applications are not loaded onto hardware. Smaller companies may outsource the technology function, or not have one at all, leaving the employee responsible for managing their own risk.
Either way, a company needs to have Work From Home (WFH) and Remote Worker policies that are regularly communicated to its employees. These policies should identify the types of videoconferencing software that are acceptable for use, as well as the settings that should be used to ensure sufficient security for the purposes of the meetings being conducted. Your security measures should be consistent with the type of videoconference or subject matter. For instance, if you are running a remote fitness class, you may not need the layers of security required for a divorce mediation session, where confidential information is being discussed and shared.
Most videoconferencing platforms have a multitude of settings that you can use to customize your meetings and level of security. Configure your videoconferencing software as securely as possible without compromising needed functionality. Some options to consider include the following:
- Require an access code or password to enter the meeting, and do not use the same one for multiple meetings;
- Use a waiting room so you can screen attendees prior to admitting them to the meeting;
- Don’t allow attendees to enter the conference before the organizer arrives;
- Lock the meeting after all of the intended invitees have joined;
- Set audio to mute and video off as the default when attendees enter the meeting; and
- Limit the types of files that can be shared.
In addition to configuring the software’s settings appropriately, consider adopting some of the following videoconference hygiene habits:
- Perform a roll call to confirm that all attendees are authorized to participate;
- As a participant, consider using a virtual background to prevent possible social engineering attempts (malicious actors learning more about you through the items surrounding you in your WFH environment);
- Be aware that an attendee could share a malicious link in the chat box;
- Be cautious about screen-sharing and file-sharing during videoconferences – you don’t want to inadvertently share sensitive information; and
- Don’t record videoconferences unless necessary and have a retention policy. Also notify the attendees that the meeting is being recorded.
Of course, you want to make sure that your remote workers have changed any default passwords to access their routers and home networks and are using strong passwords that are changed regularly and not shared with friends and neighbors, as well as having anti-malware/anti-virus software installed on their systems.
For further information, the Center for Internet Security recently published a Videoconferencing Security Guide, which includes guidance for addressing your risks, as well as a comparison of the security feature settings of four popular videoconferencing platforms – Cisco WebEx Meetings, Microsoft Teams, Zoom, and BlueJeans.
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has also published guidance on secure video conferencing.
