12th April 2020
With millions of office workers currently based at home, video conferencing collaboration tools have fast become the new norm as a way of conducting calls and business meetings.
Many organisations have opted for popular free conferencing services. Zoom, in particular has seen a huge increase in usage. Since lockdown began, 60% of US Fortune 500 businesses have reported using this platform alone. Even the UK Government used it to conduct it’s first lockdown cabinet meeting.
Whilst video conferencing is extremely effective at helping us stay connected, it is important to understand that the associated risks and how they can be mitigated.
Video Conferencing Risks
Snooping
Some popular free video-chatting services aren’t end-to-end encrypted. This opens your organisation up to the possibility of snooping – when criminals spy on your conference and glean sensitive information for the purpose fraud or industrial espionage.
‘Zoom-bombing’
There have also been cases of ‘Zoom bombing’ reported. This is where hackers have successfully infiltrated business conferences and disrupted them with slurs, inappropriate material or threats.
Phishing attacks
Criminals have been buying domains related to popular video conferencing services on mass. There are now over 70 sites impersonating Zoom alone, with the sole intention of capturing and stealing personal information.
This means that the risk of phishing attacks when trying to download a video conferencing service, for example, are on the rise.
There are key steps your organisation can take to mitigate these risks when you select, configure, implement and use video conferencing.
You’ll want to ensure that both your video calls and other data, such as messages, shared files, voice transcriptions and recordings, are protected.
Firstly, consider if a video conferencing service is included in your existing business software implementation and re-examine any previous due-diligence or security risk assessments you may have performed. The potential benefits of this approach:
- staff could already be familiar with the software, so training requirements will be reduced
- they should automatically be included in your authentication configurations
- straightforward integration into your existing management systems and data compliance
Considering new services?
You should perform a security risk assessment across a shortlist of providers, which will enable to evaluate how secure the service is; where your data will be stored and how it will be used.
The National Cyber Security Centre (NCSC) provides excellent Software as a Service (SaaS) guidance. When handling data in regulated industries or personal data, you should also follow the NCSC’s 14 Cloud Security Principles. These offer a greater level of detail to help you understand how the service is built and managed by the provider. Some cloud providers publish a response to the principles so you can understand exactly how their service meets the security goals.
Whilst assessing new suppliers, consider paid options that provide additional features such as enhanced security, configuration and privacy features. Also consider that some services provide full end-to-end encryption whilst other’s specifically encrypt data between user devices and the service to allow them to provide richer, server-side functionality.
Whichever model your chosen provider implements, you must have confidence that this has been designed and implemented as described and to a high standard and that they store your data robustly.
When dealing with personal or classified data, you may also have to consider where services store their data in order to comply with Government regulations.
Configuring video conferencing services
Company-wide defaults and controls should be set where possible. Settings should be configured in such a way so as to balance user needs with security, so think carefully about which to enforce and which to set as a default that can then be overridden on a per-meeting basis. For example, the ability to share screens may be appropriate for some audiences, but not others.
User accounts
Staff will need to log into the video conferencing service to be able to schedule meetings. Some also allow or require users to authenticate to join meetings. We recommend an integrated single sign-on with existing systems where possible so that the video conferencing inherits the same identity protections as your other corporate services. This will reduce the number of times that authentication is required and significantly improves user experience.
If this is not possible, then ensure you implement good password practice and include 2-factor authentication (2FA) where feasible. Additionally, apply the concept of least privilege access as standard, offering enhanced access only to those requiring it.
Access
Controlling who can join or initiate meetings will help protect your meeting confidentiality and prevent unwanted interruptions. Participants usually join meetings arranged in advance by clicking on a link, or by entering a unique code.
Guests specifically invited to the meeting should be allowed straight into a meeting, whilst unauthenticated users should be prompted to enter a password and be held in a waiting area until their identity has been verified by a trusted participant.
Some video conferencing services allow users to make calls to users both inside and outside of your organisation without arranging it in advance. Where possible, consider blocking calls that originate from outside of your organisation if they are not in a user’s contacts list. If you do not block such calls, we recommend that the service is configured to block calls from unidentified and/or unauthenticated users as a minimum.
Enhanced features
Services can often include extra features such as file sharing, screen sharing, instant chat, automatic call transcripts and remote control of another participant’s device.
We recommend disabling these features unless required. Even then, they should only be used with suitably trusted providers and opted-in to on a meeting by meeting basis.
Apps and software
We recommend following the NCSC’s third-party apps guidance to help you decide whether you should deploy specific apps on your devices in the first instance.
Video conferencing apps should only be installed on approved devices, either from it’s app store or via an enterprise management tool to avoid any risks associated with phishing. Some can be configured at an organisational level to constrain the app’s access to sensitive data. Failing that, configuration should be uniform across the organisation, taking into consideration the requirements for different types of equipment.
Other organisations you work with may use a different video conferencing services. Whilst you should ensure that those services can be accessed via your user’s web browsers, we recommend avoiding installing extra apps to minimise resource, configuration and maintenance overheads.
Security Training for Staff
Provide clear user guidance to staff, particularly those who are not accustomed to home working and video conferencing services.
For staff attending meetings
To ensure your staff aren’t risking your or their privacy:
- ask them to test that the video conferencing service is working before using it for real meetings.
- ensure they are familiar with how to mute their microphone, turn off their camera and deactivate these when not in use.
- suggest they use background images for extra home privacy where available.
- consider supplying staff with a physical shutter for their camera lens.
- only allow meeting organisers or senior members of staff to distribute meeting joining details.
For staff organising meetings
Ensure only meeting organisers or hosts have administration controls. Keep a record of these users and review their privileges on a regular basis.
Ensure meeting hosts:
- provide training to participants from outside your organisation. A test meeting will enable external delegates to familiarise themselves with controls such as approving participants in the lobby, removing participants from the call and muting individuals.
- consider carefully which features (such as screen sharing and file sharing) are appropriate for each delegate/meeting.
- when passwords are in use, they should only be shared via direct communications such as email and not within calendar appointments.
- ake responsibility for verifying the identity of all participants on the call, approving participants being held in the lobby and removing participants that have not been successfully identified.
For more advise on secure home working, visit our Business Support Hub.
