Perform a detailed video conferencing security assessment to ensure your virtual meetings are safe and secure.
It’s been some time now since we all had to begin holding every one of our meetings online, and I’m afraid many organizations are not paying sufficient attention to video conferencing security.
You may have heard of the term “Zoom bombing,” where malicious people are crashing online meetings to shout obscenities or share inappropriate images. As distracting as “zoom bombing” can be, it’s a relatively minor problem. We’re actually seeing instances where cybercriminals enter web conference meetings to steal data, plant malware, and cause serious damage. This can be a mortal threat, unless you take steps to create a web conferencing security policy. It’s a pretty straightforward process.
- Do not share meeting credentials.
Sharing meeting IDs publicly—such as posting an invitation on social media or sending emails that can be forwarded—is a much more common practice than you might think, and it’s more dangerous than it might appear. You understand that your organization’s communications contain information that must be kept secure. Creating a secure protocol for sharing meeting IDs can be an essential step toward keeping bad actors out of your environment.
- Strictly control access to video conference meetings.
Again, this is not a technical security control or feature but is more like the “human firewall” component. At the top of every call, designate someone to authenticate every user. That person will ask “Who is Anonymous User 1? Who is Call-in User 2?” and then change those names. Do this in every online meeting. Make sure the folks on the call are the people who should be on the call. Most web conference platforms, whether it’s Zoom or Webex or GoToMeeting or Microsoft Teams, have a capability to put people in some kind of waiting room or “lobby,” so you can validate that the right people have joined before the meeting starts.
- Don’t allow meeting attendees to do anything they don’t need to do.
Most web conference platforms have features that allow attendees to share documents. Many allow attendees to record the meeting. There is often chat functionality in which all kinds of information can be shared. And, of course, there is the risk that someone will inadvertently say something that should be held confidential. Most platforms also allow the meeting organizer to disable all of these functions. I recommend that this be your default.
- Institute a “least privileges” policy.
In addition to allowing meeting organizers to blanket-disable specific functionalities, most web conferencing tools enable organizers to deploy specific privileges to selected attendees. You do not want everyone on the call to be able to perform functions such as file transfers. You want to put strict controls on who can do all of this from a data-security perspective.
- Don’t leave sensitive data out within view of your webcams.
When we perform on-site visits to organizations, we work with IT teams that of course have a dozen different conference rooms—each of which has a whiteboard. And often, every aspect of their network is drawn up on these whiteboards and has been there in plain view for weeks if not months. That’s dangerous. It’s the same situation with web conferencing. You have to be careful what you have displayed.
- Perform a detailed video conferencing security assessment.
It’s important to know if your video conferencing solution is integrated with programs like Outlook or third-party apps, and it’s essential that you know how all of those applications are secured. I recommend that any organization that has confidential data and data-privacy concerns do a thorough assessment of how their video conferencing security is managed. Lock down how you are deploying meetings, how users are joining, what kind of information can be transferred by whom, and how you’re managing the security for those individuals. Quite simply: how are you managing this crucial new business practice to be certain your web conferencing security position is solid?
Thank you for trusting us to help with your cybersecurity needs.
Contact us any time—we’re always happy to help.