April 28, 2020 // Tony Howlett
Last Updated: November 19, 2020
Since the world-wide spread of the COVID-19 virus over the last two to three months, many challenges have been thrown at organizations of all kinds and sizes. With much of the country and world under “shelter-in-place” or similar orders from governments, many workforces, especially white-collar ones, have gone to near 100% work from home. This has necessitated the rapid deployment or increase of video-conferencing and other collaboration tools practically overnight with little thought given to security.
In a pre-coronavirus world, these types of mass deployments would be studied over many months and deployed in a much more rational fashion. But the exponential spread of the virus did not allow for typical corporate IT risk assessment and technology vetting processes.
The much-publicized security flaws in the popular Zoom platform and the subsequent incidents have shown how these “flash” deployments, while born of necessity, aren’t always the most sound, security-wise, right off the bat. The fact of the matter is that these platforms, while conveniently available, were typically used for one-to-many webinars and other types of presentations and were not necessarily purpose-built for highly confidential internal business meetings or other sensitive environments.
Since the media buzz around Zoom, the company has both responded and created patches for the flaws. To ensure that your organization is staying on top of cybersecurity with the increased use of video conferencing tools, here is a list of best practices for operating these platforms for the full breadth of your business operations.
First of all, you must make sure that your teleconferencing applications are fully supported. That means paid, corporate versions; now is not the time to be a cheapskate. You must also make sure they are patched up to the currently available stable versions, on both the server and client side (depending on whether you are using SaaS or in-house infrastructure). As stated above, Zoom has patched most of its issues, but you only benefit from that if you are up to date. Make sure your user base has the latest version, ideally with enforced updates.
Beyond patching, make sure that you take full advantage of built-in security features. Previously, in Zoom, many of these features were disabled by default to make it easier for large numbers of people to log into online seminars. However, for regular use in internal corporate meetings, you should definitely require passwords. Also, by using the waiting room feature in Zoom and similar features in other platforms, you can vet any entrants to your meeting to make sure you don’t have any uninvited guests or eavesdroppers.
As far as policies around your use of video conferencing technology go, don’t make a habit of sharing your meeting ID liberally. It can be used to enter your meetings and do other reconnaissance. And when sending out passwords for the meeting, now that they are required, send them separately from the initial meeting and RSVP and only to registered attendees. Not allowing sharing and reuse of meeting passwords is a big step towards securing your online meetings.
Finally, make sure everyone in your organization is aware of video conference phishing scams. One new technique that hackers are using is sending a meeting invite from a spoofed co-worker. Once the recipient clicks on the meeting link, the malware is launched. Beware of meeting invites that don’t make sense or aren’t expected. You can also mouse over (don’t click!) the actual links to see where they lead or what they are launching. The bottom line is to be more vigilant about these kinds of links in emails. Also, when it comes to user education, it is not a bad idea to create a short email or Wiki article to inform your employees how to use these tools properly, especially since many employees who would never have set up these kinds of meetings before are now using them for their one-on-ones and other daily interactions.
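The "mouse over" check can also be automated for HTML invites. The sketch below is an added example, not part of the original article: it lists every link in an invite body and flags those whose visible text names one host while the link leads to another, or whose destination is not on your approved list. The approved domain list, function names and sample invite are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains your organization really uses for meetings.
APPROVED_MEETING_DOMAINS = ("zoom.us",)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased hostname of a URL-like string, or '' if there is none."""
    value = value.strip()
    if not value or " " in value:
        return ""
    try:
        parts = urlsplit(value if "://" in value else "//" + value)
    except ValueError:
        return ""
    host = (parts.hostname or "").lower().rstrip(".")
    return host if "." in host else ""

def approved(host):
    # Exact domain or a true subdomain; "zoom.us.example.test" does not match.
    return any(host == d or host.endswith("." + d) for d in APPROVED_MEETING_DOMAINS)

def review_invite_links(html):
    """Return (href, reason) for each link that deserves a second look."""
    collector = AnchorCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for href, text in collector.links:
        dest, shown = host_of(href), host_of(text)
        if not href.lower().startswith(("http://", "https://")):
            findings.append((href, "not a web link"))
        elif shown and shown != dest:
            findings.append((href, f"text shows {shown} but link goes to {dest}"))
        elif not approved(dest):
            findings.append((href, f"{dest} is not an approved meeting domain"))
    return findings

# Constructed sample invite body (not a real message).
SAMPLE_INVITE = """<p>Hi, please join our 1:1:</p>
<a href="https://zoom.us/j/0000000000">Join Zoom Meeting</a>
<a href="https://zoom.us.example.test/j/0000000000">https://zoom.us/j/0000000000</a>
<a href="https://meetings.example.test/join">Join backup room</a>"""
```

Calling `review_invite_links(SAMPLE_INVITE)` returns the second and third links and leaves the first alone.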
This is not an exhaustive list of video conferencing security tips; each platform has its own features and settings that can be adjusted. When using video conferencing for all internal business, you need to be more careful about how these tools are configured and used. Even though they were never intended for the kinds of use cases we are seeing during this pandemic, with a little extra diligence and user education, you can use them for your work from home initiative and other applications and be assured of reasonable security.