Whether it’s Webex, Zoom, Whatsapp, Facetime, Skype, Messenger – or any one of the other too-numerous-to-count ways you can use video to communicate, it’s fair to say it’s been a growing trend socially and professionally for years. Yet it took a virus no-one can see to introduce video conferencing properly to millions of us. It allows flexibility to work without worrying about cost, technology or accessibility. Well almost. Our Director of Customer Data Security, Candice Pressinger, explains why - as with anything - you need to protect yourself.
In these times of self-isolation, social distancing and working from home, it is more important than ever for you to stay connected with your work colleagues and be able to effectively communicate with business partners, suppliers and customers.
Video conferencing is one of the most effective tools for this; you’ll sometimes also hear it called web conferencing or conference calling.
Attendees can use in-browser software or a downloaded app to enter the meeting, joining the audio either by telephone or using the speakers and microphone on their PC or tablet. While it is known as ‘video’ conferencing, attendees can choose to join using only audio (on the phone), it’s not essential to have a web cam.
Video conferencing solutions come with many options and functions, such as the ability to hand over presenter control to attendees, to take remote control of attendees’ PCs, to transmit documents and links, and to take screenshots and record the calls.
Sounds great, right?
Now imagine all that power in the hands of an uninvited guest!
Sounds a little scarier, doesn’t it?
While it’s a great way to stay connected, there are some security considerations you should bear in mind when selecting the solution you will use, when setting up your group meetings and during your video conferences.
Selecting a video conferencing tool
There are many tools and apps available that allow you to have a face-to-face (video) conversation with your customers, business partners and colleagues. Here are a few things to consider when deciding which tool or app you should use:
- Does your business already have a company-approved tool/technology that supports video conferencing for use
o with internal colleagues?
o with external third parties (customers, business partners, etc.)?
If so, use it! Don’t be tempted to download or sign-up to the latest flavour-of-the-month and risk undermining the due diligence, third-party risk assessment or security checks your company has carried out.
- Make sure that each person in the business, able to set-up and schedule conference calls, has their own login for the web conference solution. Ensure each person sets a unique password for their account so that if the password is stolen it can’t be used to access another of their accounts. You can see here how breaches identified by just one data security firm in 2019 had exposed nine billion people’s credentials to cybercriminals!
- If your web conference tool requires the installation of software or an app, make sure it is set to ‘automatically install’ any security or feature updates. This way you can get the latest developments as they adapt to the ever-changing tactics of fraudsters.
- Only select a web conference solution that strongly encrypts all voice and video conversations, as well as any files transfers, chats or messages between attendees (e.g. make sure any URL you’re visiting starts with HTTPS (you’ll see it as https:// or hear it referred to as port 443/TLS v1.2)
- Make sure the tool/software you select allows you to control who can join your video conferences, so that you can limit attendees to only authorised people and prevent any unexpected guests. This is especially the case for solutions that allow attendees to join audio only – what options does the tool have to help you keep track/control dial-in only participants?
- Find out what the solution provider does with the data capture/shared on the video conferences.
o Do they keep your data - if so, where, for how long and how do they protect the stored data? and do they share it?
o Some of the free solutions may sell all the data they capture and not just your/your company’s identity, but also who you meet with, for how long, how frequently, etc. If that isn’t acceptable to you, consider a premium/paid-for solution that explicitly states that they don’t sell your data on to any third parties.
- Make sure the solution offers the video conference host/presenter monitoring capabilities, so that you can see or keep track of how many people and, more importantly, who has joined the conference call.
Setting up meetings
Please note: not all of the recommendations below are available with all web conferencing solutions.
- Avoid using your own personal meeting ID; instead schedule each call in advance so that it has its own unique meeting ID. This helps to ensure that you don’t have any surprise guests on your calls (for example, if you always use the same personal meeting ID, you may find attendees for your next meeting joining early before your current meeting has finished.)
- Avoid publishing joining details of your meetings publicly, e.g. on your website or social media, or you may suffer from video conferencing hijacking. Invite only the specific attendees you wish - or that need - to join your call.
- Set-up your calls to require both the meeting ID and a password to join. This can help you control who is able to join your conference (especially if you are expecting a lot of attendees when it can be difficult to check that only the people you expect are on the call.)
- Alternatively, and especially if attendees can join your conference calls by phone only, make sure a password is required for those joining by phone. Otherwise anyone could dial into the conference call phone number, and you may not be able to spot someone who shouldn’t be there as people joining by phone sometimes show up in the host’s web conference software with just the word ‘Caller’ and a number beside it.
- Set-up your calls so that the host is in control of who can join. This function is sometimes called a ‘waiting room’. Attendees can join the conference call (therefore test their audio and web cam) but are not connected to the call until the host joins/allows them in.
- If the security/encryption of the call is an optional function, make sure all calls are set-up to use end-to-end encryption.
- Disable those conference call features and functions that you don’t need and should avoid using such as file transfer, chat/messaging, screen or application sharing, remote control (taking over an attendee’s computer) or the ability to take snapshots/screenshots.
- Specify settings that increase the security of your calls. So, not just setting a password to join, but also consider muting all participants upon entry to the call, participant arrival and departure notifications, only allowing the host to screen share, making sure only hosts or organisers can record sessions, enable background blur/replacement, etc.
During the video conference meetings
- Ask for permission to record a video conference from everyone on the call. Make sure everyone is aware that they must not record the call using a local device (e.g. using their mobile phone.)
- Consider your surroundings before joining a video conference:
o Is there anything sensitive, confidential or inappropriate in your background that could be seen by others on the call? (Some web conference solutions allow attendees to hide/blur their background.)
o Try to make sure that no-one can overhear the call (e.g. other people in your household or from the side of your attendees.)
o If your call can be overheard, make sure you have told all others in your household that they must not write down or do anything else with any details they may hear.
- Once all your expected attendees have joined, and if the feature is available with your video conferencing tool, ‘lock’ the meeting so that no one else can join. This can help with preventing surprise guests from joining an in-progress call, as mentioned earlier.
- If you need to share screens, make sure you only share the application needed rather than the whole desktop. Be careful if you have multiple displays not to share the wrong screen first! You may inadvertently share sensitive or personal information with attendees.
- If you need to share documents with attendees, avoid using the video conferencing tool for this, as this creates additional uncontrolled copies of your documents. By preference, use your existing company-approved methods of information exchange:
o Between internal colleagues that might be using your company email systems to send them a link to the document’s location on your file share or other document repository (e.g. SharePoint)
o With business partners that could be using your company email or Securemail service to exchange confidential email (just as you would when in the office.)
o With customers, consider the sensitivity/classification of the information to decide if the document should be shared externally.
After the video conference meetings
- If you have recorded your meeting, make sure you limit who is able to listen back to the call to only those who have a need to hear what was discussed:
o Don’t publish the recording on any publicly access forum (e.g. YouTube)
o If the recording is published on an internet-accessible site, make sure there are access controls in place (for each separate recording) so that you specify who is allowed to access the recording and anyone wishing to listen back needs to enter valid login details to do so.
o Only share the link to the recording with those who a need to hear what was discussed on the conference call.