With COVID-19 concerns canceling face-to-face meetings, be aware of the security risks of videoconferencing and how to easily overcome them.
At the time of writing one-third of the world’s population is enduring restricted movement to stem the spread of COVID-19. The lockdown has driven huge swaths of the working population to become remote workers, many for the first time. The sudden surge in employees, students, teachers, and many other professionals working from home is driving a huge increase in demand for videoconferencing, online collaboration tools and chat systems.
On March 11th, Kentik (a network operator based in San Francisco) reported a 200% increase in video traffic during working hours in North America and Asia, and this was before the official lockdown in California or other locations took effect.
Last week UK Prime Minister Boris Johnson shared a picture of himself chairing a cabinet meeting via the Zoom app, demonstrating social distancing even in the highest levels of Government.
The decision was a wise one as he has since tested positive for the coronavirus. However, a meeting at this level over a public conferencing system raised questions about security and the UK’s National Cyber Security Centre confirmed there was no security reason why conversations below a certain classification could not take place this way.
If a UK Government meeting is authorized to be held online using a freely available videoconferencing tool, then companies forced to quickly adapt to employees working from home can probably do so with some confidence. However, that does not alleviate the need to understand the built-in security and the need to control how videoconferencing is conducted by using the features available.
Below we outline some key considerations.
Check your environment to ensure that the video stream you are sharing does not contain sensitive information. A whiteboard behind you may have the remnants of a previous meeting, make sure all confidential or sensitive material is removed from the camera’s scrutiny. And while we’ve probably all laughed at cute viral videos of pets or toddlers entering a streaming video interview or meeting, consider the effects such interruptions could have on your meetings and ensure suitable mitigations are in place before starting your meeting.
Most videoconferencing platforms allow for the creation of groups of users or the ability to restrict access by internet domain so only users with an email address from your company would be able to join the call. Alternatively, only allow attendees that are invited by adding their email addresses to the invite when scheduling the call.
Set a meeting password, typically an option when creating the meeting, which adds a randomly generated password that invitees will need to input. A numerical password can be used to authenticate users who connect by phone. Do not embed the password in the meeting link.
Holding participants in a “waiting room” and approving the connection of each one gives the host ultimate control over who is in the meeting. To handle this for larger meetings you may be able to promote other trusted attendees to an organizer or moderator role.
Communication and file transfers
Enforce encrypted traffic. Do not take it for granted that systems have this option enabled by default for video communications. Some services encrypt chat by default but not video unless specifically requested.
If third-party endpoint client software is permitted, then ensure it complies with the requirements for end-to-end encryption.
If file transfers are needed, then consider limiting the types of files that can be sent; for example, don’t allow executable files (such as .exe files).
Manage engagement and attendees
It’s easy to get distracted on conference calls, email and other notification pop-ups and migrate your attention to the content rather than the call in-hand. The host, depending on the platform, may have the ability to request notification when the conferencing client is not the primary (active) window. If you’re a teacher, then this feature may be extremely useful if you want to ensure the attention of all your students.
Monitor who joined the call, either by enforcing a registration process to connect or by downloading an attendee list after the call. This is also likely to include the connect and disconnect time, showing whether the user was engaged for the whole call.
Limit the ability for screen sharing to the host, or to a person the host selects. This removes the possibility of someone sharing content by mistake.
When screen sharing, only share the application needed, as opposed to the whole desktop. Even an icon or name of a file on a desktop can give away sensitive company information.
Apple’s iOS takes screen snapshots used when task switching between apps. To protect against this inadvertently including the capture of sensitive information, check to see if the conference system can blur this image.
Forewarned is forearmed
Take the time to step through all the options in the settings of the videoconferencing system you may already have or are thinking of using. As you can see from the snapshot of considerations above, there are many settings and finding the right configuration for your environment is an important task to undertake to ensure company communications remain secure.
If you want to learn more about the increased cybersecurity risks associated with teleworking, as well as about ways to counter them, you may want to read these articles:
Protect yourself from threats to your security online with an extended trial of our award-winning software. Try our extended 90-day trial for free. written by Tony Anscombe, ESET We Live Security