With COVID-19 concerns cancelling face-to-face meetings, be aware of the
security risks of videoconferencing and how to easily overcome them
By Tony Anscombe
At the time of writing, one-third of the world’s population is enduring
restricted movement to stem the spread of COVID-19. The lockdown has driven
huge swaths of the working population to become remote workers, many for
the first time. The sudden surge in employees, students, teachers, and many
other professionals working from home is driving a huge increase in demand for
videoconferencing, online collaboration tools and chat systems.
On March 11th,
Kentik (a network operator based in San Francisco) reported a 200% increase in
video traffic during working hours in North America and Asia, and this was
before the official lockdown in California or other locations took effect.
Last week UK Prime Minister
Boris Johnson shared a picture of himself chairing a cabinet meeting via the
Zoom app, demonstrating social distancing even in the highest levels of
Government.
The decision was a wise one, as he has since tested positive for the
coronavirus. However, a meeting at this level over a public conferencing
system raised questions about security, and the UK’s National Cyber Security
Centre confirmed there was no security reason why conversations below a
certain classification could not take place this way.
If a UK Government meeting
is authorized to be held online using a freely available videoconferencing
tool, then companies forced to quickly adapt to employees working from home can
probably do so with some confidence. However, that does not alleviate the need
to understand the built-in security and the need to control how
videoconferencing is conducted by using the features available.
Below we outline some key
considerations.
Work environment
Check your environment to
ensure that the video stream you are sharing does not contain sensitive
information. A whiteboard behind you may have the remnants of a previous
meeting; make sure all confidential or sensitive material is removed from the
camera’s scrutiny. And while we’ve probably all laughed at cute viral videos of
pets or toddlers entering a streaming video interview or meeting, consider the
effects such interruptions could have on your meetings and ensure suitable mitigations
are in place before starting your meeting.
Control access
Most videoconferencing
platforms allow for the creation of groups of users or the ability to restrict
access by internet domain so only users with an email address from your company
would be able to join the call. Alternatively, only allow attendees that are
invited by adding their email addresses to the invite when scheduling the call.
Set a meeting password,
typically an option when creating the meeting, which adds a randomly generated
password that invitees will need to input. A numerical password can be used to
authenticate users who connect by phone. Do not embed the password in the
meeting link.
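The access controls described above can be checked before an invite goes out. The following is an added example, not code from the original article or from any conferencing vendor: it generates a random meeting password and a numeric one for phone users, then flags invites whose link carries the password or whose attendees fall outside the allowed email domains. The function names, the query parameter names treated as password carriers and the sample addresses are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlsplit, parse_qsl

# Assumed names of query parameters that could carry a meeting password.
PASSWORD_PARAMS = {"pwd", "password", "passcode", "pin"}

def new_meeting_password(length=10):
    """Random password for attendees joining from a client (no look-alike chars)."""
    alphabet = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def new_phone_pin(digits=8):
    """Random numeric password for attendees who connect by phone."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))

def check_invite(link, password, attendees, allowed_domains):
    """Return a list of findings; an empty list means the invite passes."""
    findings = []
    parts = urlsplit(link)
    # The password must travel separately from the link, never inside it.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in PASSWORD_PARAMS or (password and value == password):
            findings.append(f"password embedded in link parameter '{key}'")
    if password and password in parts.path + parts.fragment:
        findings.append("password embedded in link path or fragment")
    if not password:
        findings.append("no meeting password set")
    # Only invitees with an address in an allowed domain may be on the invite.
    allowed = {d.lower() for d in allowed_domains}
    for address in attendees:
        domain = address.rpartition("@")[2].lower()
        if domain not in allowed:
            findings.append(f"attendee outside allowed domains: {address}")
    return findings

if __name__ == "__main__":
    # Constructed sample invite: password in the link and one outside guest.
    pw = new_meeting_password()
    link = "https://meet.example.com/j/123456789?pwd=" + pw
    people = ["alice@example.com", "guest@other.example"]
    for finding in check_invite(link, pw, people, ["example.com"]):
        print("FAIL:", finding)
    print("phone PIN:", new_phone_pin())
```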
Holding participants in a
“waiting room” and approving the connection of each one gives the host ultimate
control over who is in the meeting. To handle this for larger meetings you may
be able to promote other trusted attendees to an organizer or moderator role.
Communication and file transfers
Enforce encrypted traffic.
Do not take it for granted that systems have this option enabled by default for
video communications. Some services encrypt chat by default but not video
unless specifically requested.
If third-party endpoint
client software is permitted, then ensure it complies with the requirements for
end-to-end encryption.
If file transfers are
needed, then consider limiting the types of files that can be sent; for
example, don’t allow executable files (such as .exe files).
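A file-type restriction that looks only at the name is easy to sidestep by renaming the file. The following added example (not from the original article or any conferencing product) goes one step beyond the extension rule described above and also inspects the first bytes of the file. The block list, the function name and the sample files are assumptions.

```python
import os

# Assumed block list of executable and script extensions; adjust to policy.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                      ".msi", ".ps1", ".vbs", ".js", ".jar"}

# Leading bytes that identify executable content whatever the file is called.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"\xcf\xfa\xed\xfe": "Mach-O executable",
    b"#!": "shebang script",
}

def transfer_decision(filename, head):
    """Return (allowed, reason) for a file offered in a meeting.

    filename is the name shown to the recipient; head is the first few
    bytes of the file content.
    """
    # Windows ignores trailing dots and spaces, so "notes.exe. " runs as .exe.
    name = filename.strip().rstrip(". ").lower()
    ext = os.path.splitext(name)[1]
    if ext in BLOCKED_EXTENSIONS:
        return False, f"blocked extension {ext}"
    # A harmless-looking extension does not change what the content is.
    for magic, kind in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return False, f"{kind} behind extension {ext or '(none)'}"
    return True, "allowed"

if __name__ == "__main__":
    # Constructed samples: (file name, first bytes of the content).
    samples = [
        ("agenda.pdf", b"%PDF-1.7\n"),
        ("Setup.EXE", b"MZ\x90\x00"),
        ("minutes.docx", b"MZ\x90\x00"),   # renamed executable
        ("notes.exe. ", b"hello"),         # trailing dot and space
    ]
    for name, head in samples:
        print(repr(name), transfer_decision(name, head))
```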
Manage engagement and attendees
It’s easy to get distracted on conference calls: email and other notification
pop-ups can draw your attention to their content rather than the call in hand.
The host, depending on
the platform, may have the ability to request notification when the
conferencing client is not the primary (active) window. If you’re a teacher,
then this feature may be extremely useful if you want to ensure the attention
of all your students.
Monitor who joined the
call, either by enforcing a registration process to connect or by downloading
an attendee list after the call. This is also likely to include the connect and
disconnect time, showing whether the user was engaged for the whole call.
Screen sharing
Limit the ability for
screen sharing to the host, or to a person the host selects. This removes the
possibility of someone sharing content by mistake.
When screen sharing, only
share the application needed, as opposed to the whole desktop. Even an icon or
name of a file on a desktop can give away sensitive company information.
Apple’s iOS takes screen
snapshots used when task switching between apps. To protect against this
inadvertently including the capture of sensitive information, check to see if
the conference system can blur this image.
Forewarned is forearmed
Take the time to step
through all the options in the settings of the videoconferencing system you may
already have or are thinking of using. As you can see from the snapshot of
considerations above, there are many settings and finding the right
configuration for your environment is an important task to undertake to ensure
company communications remain secure.
Lastly, check the privacy
policy of the service you are using. The adage that ‘if it’s free, you’re
probably the product’ should be enough motivation for you to check whether the
company is collecting, selling or sharing your data to fund the provision of
its ‘free’ service.
If you want to learn more
about the increased cybersecurity risks associated with teleworking, as well as
about ways to counter them, you may want to read these articles:
COVID-19 and the shift to remote work
Work from home: How to set up a VPN
Work from home: Improve your security with MFA
ESET has been here for you
for over 30 years. We want to assure you that we will be here in order to
protect your online activities during these uncertain times, too.
Protect yourself from threats to your security online with an extended trial of our award-winning software.
Try our extended 90-day trial for free.