The COVID pandemic has contributed to recent enormous growth in remote-working applications, and especially across video conferencing platforms. Video meetings have become the new normal, and they will likely remain a business staple even after the pandemic has cleared and quarantine and stay-at-home orders are lifted.
Of course, many large conferences, business networking events, and training events throughout the rest of the year have already announced that they intend to shift to a virtual format, showing that the demand for video and remote-working solutions will be higher than ever.
But shifting to video has not been a flawless process for many organizations, and the security risks remain high for those who use public-facing cloud service providers such as Zoom, WebEx, and GotoMeeting et. al. The biggest threat with these service providers is that anyone with an Internet connection can access them, and sometimes, even in instances where the meetings are password protected.
The results have led to many breaches where hackers disrupt business meetings with profane and inappropriate content. But this vulnerability isn’t isolated to one cloud service provider; attacks have been widespread across nearly all publicly accessible video conferencing platforms. To successfully use video conferencing for business purposes, a greater emphasis on the security features of video conferencing platforms is necessary. Advanced on-premise technologies have many distinct advantages over cloud service providers that are proven to safeguard both small and large meetings.
Strategy #1: Ensuring Access Security
Access security is incredibly important, particularly when in a videoconference. While the bring-your-own-device (BYOD) format is convenient, it presents a major security risk when using a cloud-based application. For many companies, they ensure access security by locking down the endpoints, or those devices you use to connect to meetings and other business applications.
Business devices that are locked-down restrict the installation of apps to only those that the IT department has verified and installed. While this is one method of providing access security, it is often cost-prohibitive and takes an incredible amount of time and resources to maintain.
Unsecured end points create vulnerability because they have security holes that can be exploited by “bad actors’. One such attack is called “man-in-the-middle”. These attacks impersonate a message recipient and interrupt the data stream in a way that the data stream becomes accessible to the hacker. They can then create their own messages to impersonate the sender or recipient to gain access to sensitive data and other valuable information. That’s why end-to-end data encryption protocols offer better protection as they contain a method for endpoint authentication that prevents man-in-the middle attacks and can make sure that integrity of your business data streams are upheld, and all instances of communication are protected.
In fact, if organizations want to have one of the highest levels of security they should use an on-premise video solution behind their company’s firewall. When video solutions are placed behind the firewall, they have inherent security, which can be increased further when IP address matching technology is implemented. This strategy secures connections even when passwords and usernames may have been compromised.
Strategy #2: Ensure End-to-End Data Encryption is Present
End-to-end data encryption ensures that messages are encoded at the source and not decoded until they reach their intended recipient. This prevents any potential hacker or other entity from having access to the information. They lack the keys needed to decrypt the information being sent. Standard encryption technologies have a vulnerability in that they often allow for decryption by the server that is facilitating the communication between sender and recipient. Once decrypted, this information is available to both legitimate and illegitimate sources (hackers). Often this is key, proprietary information such as financial data, employee information or technology intel.
Strategy #3: Standardize Equipment
The shift to remote working solutions in recent weeks left many companies scrambling to patch together a multitude of different hardware devices and software applications, which can also present a huge security risk. This risk is most acute when workers use personal computers and download convenient communications solutions rather than company-issued and approved devices and tools. These downloadable tools often leave company data exposed and put critical data at risk.
Every piece of equipment and platform necessary for business purposes should be approved on a company-wide level. Personal devices should not be connected to the network or used for business. While it may take more time, effort, and resources to standardize equipment and platforms, it’s definitely worth the security gains you will reap by having thoroughly-vetted solutions in place.
Strategy #4: Emphasize Password Management and Video Conferencing Policies
Many companies have ineffective password management protocols, which can be an issue with some users. Sometimes, weak passwords and those that are changed rarely can lead to a security breach. Companies can adopt requirements that ensure passwords are strong and updated regularly. For even greater security measures, some companies are deploying new remote access tools that don’t even allow passwords to be emailed or shared for access.
You may also want to consider adopting policies for video conferencing. Some best practices include:
- Ensuring cameras and microphones are turned off when not in use.
- Preventing or requiring permission for the recording of video conferences.
- Banning discussion of the meeting details in the open.
- Limiting or disabling remote camera control features.
Best practices and password management can also greatly enhance the security environment for all of your data, including video conferences.
When Free is not Free (Privacy)
Oftentimes companies are enticed to use tools because they are “free”. In many regards, there is no free tool. If a company is using a corporate tool that requires all attendees to “register”, there is no problem when it’s just used by employees. As soon as an outside attendee is invited to such a meeting, the company is basically inviting that attendee to compromise their privacy. Forcing anyone to register with the vendor to join a meeting means that the vendor now has the email address of the attendees and embeds tracking software in their browser. The email address can be used by the vendor to do direct email marketing to the attendee even though the attendee had no interest in the tool other than join the requested meeting. The vendor can and does constantly send newsletters and other promotions to the ever-going list of attendees. In addition, depending upon the “Privacy Policy” of the vendor, the vendor can sell the email to bulk email providers. This is especially troubling when used by educational institutions as that exposes students to spam email at an early age.
The browser tracking tools provide data to the vendor that the vendor can sell to marketing organizations. These tracking tools continue to become more and more sophisticated and able to defeat the “Remove cookie from browser” function.
All in all, the income earned from the email and tracking of the attendees pays for the “free” tool. The biggest issue is that the privacy of an individual is compromised just to join a meeting invite by a host that thought the session was free.
As we all move forward and forge new working patterns, we will become more adept at working in remote environments and understanding the importance of proper security. In the interim, it’s crucial to remember that in our new remote working environments, the phrase ‘caveat emptor’ or “let the buyer beware” is more relevant than ever, even when discussing video solutions and platforms. Some have very lax security measures, while others – including on-premise solutions – are much more stringent. No one can protect your company’s data better than you can, and understanding the pitfalls of publicly accessible video conferencing solutions can help you to identify ways to achieve a far superior secure environment.
About the Author
Larry Dorie, CEO and Co-Founder of RHUB Communications, creators of one of the most secure on-premise web conferencing and remote support tools for enterprise organizations.