How to Avoid A Video Conferencing Security Mishap

So, you’re safely self-isolating, but still in need of some social input. You’ll doubtless be joining the army of people using video conferencing services to stay in touch. We’re hearing from people who use it for everything from daily executive huddle meetings through to virtual pub meets at the end of the day.

When it comes to security, though, video conferencing has its dark side, as the FBI highlighted at the end of March. Its concerns focus on Zoom, which along with other such services has enjoyed a rise in usage volumes during the health crisis.

Zoom now has the questionable honor of having a new cyber-attack named after it. The FBI's Boston arm has warned of ‘Zoombombing,’ in which uninvited people hijack meetings. It reported two local incidents, both involving schools, where attackers invaded Zoom meetings, used profanities and displayed white supremacist imagery. There have been other incidents, too. In Norway, a naked man Zoombombed a school session. In the US, trolls predictably bombed public video conferencing meetings proudly organized by Los Angeles and Davis City councils.

The problem here is that organizations rushing to remote working during the health crisis don't know what they're doing, and they're making serious mistakes. Even Boris Johnson slipped up by publishing the ID number of his first digital cabinet meeting, while also using Zoom against the MOD's advice.

Zoombombing isn’t the only danger. Others include divulging sensitive information to other authorized participants, or not properly managing meeting recordings after the event.

How can you protect yourself? Walk, don't run, into a videoconferencing choice. Choose your platform wisely. Rather than jumping for the first available solution, check news articles for past security incidents and see if the vendor has fixed them. Have a list of security requirements. What does the platform offer in terms of permissions and controls to ensure that only the right content gets through?

The National Institute of Standards and Technology (NIST) has published a set of tips to help organizations prevent eavesdropping and protect privacy during virtual meetings. These include making sure that everyone uses the company-approved online meeting platform, limiting meeting recordings to those that are absolutely necessary, and imposing strict identity checks for meeting participants. NIST even suggests using pre-conference ‘green rooms’ for participants so that people don't compromise themselves or others by disclosing sensitive information on a hot mic.

Perhaps the best advice is to condense these practices into a guidance document and ensure that employees follow it. Having a competent facilitator that understands how to set up a secure meeting is an important part of the process. Don’t just throw an untrained office administrator in at the deep end.

It’s nice to think that those companies getting video meetings right will use them more after this crisis has subsided. It will save valuable commuting time and give people more work-life balance. However, a lot depends on laying the right foundations now to avoid security problems and support a productive future of remote working.
