How to video conference safely

Read our cybersecurity guidance on how to stay secure whilst using video conferencing applications.

As businesses moved to remote working, there was a rush to dust off existing video conferencing applications and download freeware from the internet. This was quickly followed by waves of scary stories that spread panic about the risks of virtual meetings. So here is a brief summary of the guidance we give our clients to stay secure. If you have any doubts, consult an expert.

Service choice

Overall, we like to start with the application you are already paying for (for example Teams is widely distributed with Office 365). But ultimately it does differ by business, as you need to choose the service that meets your requirements, which must include a high level of security.

  1. Start with a risk assessment. The choice (and often the cost) should be aligned to the risk and damage which could result if your virtual meetings were accessed or compromised by cyber criminals. There are bank-grade solutions that may be required in some cases, but they are generally disproportionate.
  2. Avoid free tiers. The cost of upgrading to business versions that have great security features can be modest, so use them.
  3. Upgrade the application. If you are using a ‘legacy’ application, make sure you upgrade to the latest version of the software. Many solutions require you to download an application to your local machine. This needs to be brought up to date, as older versions will have known security vulnerabilities which are easily exploited.

Meeting disciplines

Like any software which is accessed remotely, it is the way it is used and configured that makes the biggest difference to security. We find that the security features are almost always left at the default setting or even disabled altogether, leaving you wide open to attacks.

  1. Secure access credentials. These need to be strong and not re-used elsewhere. Cyber criminals use information gathered from previous data breaches to access conference services where the same passwords/codes are being used. If you believe your credentials have been compromised, change them immediately. Highly sensitive meetings should have unique passwords and not rely on one-click links.
  2. Greet your guests. Before you launch into your conference call make sure you have the correct attendees. You can control attendees and can enforce a ‘Lobby’ entry on most services, where you get to allow users in as they present themselves. Where possible get each attendee to say Hi and check out attendees whose cams are not switched on. Consider locking entry once your meeting has started.
  3. Service configuration. This can vary from having to ‘accept’ attendees into the meeting, through to whitelisting the computers that have ‘permission’ to join any meeting. This is the key control to keep the security risks of video conferencing within your risk appetite, so please take specialist advice.

Data and Privacy

Consider the impact of a compromise to you and others, and mitigate the risks by managing data and information as part of the process.

  1. Consider your audience. The content you present on a video can be easily recorded by the attendees. Consider the control you have on attendees, especially when presenting highly confidential or personal data.
  2. Privacy settings. Some service providers may actually be using the platform to gather information about you and your customers/contacts. If you can’t manage this through privacy settings, then you should change providers.
  3. Data Loss prevention. Some services are designed to facilitate data sharing and collaboration across internal teams. Make sure you understand how to configure guest users’ access and permissions to these types of platform. Again, this is a crucial aspect, so get expert advice.

Spying and spoofing

Cyber criminals adapt their approach to match the opportunity. They know that suddenly, confidential conversations are happening virtually, giving them the motivation to phish for access credentials and deliver malware, via videos or attachments, to ‘spy’ on you via your laptop.

  1. Scrutinise inbound requests. Fraudsters are actively phishing for video conferencing login credentials. You should maintain a mindset of ‘zero trust’ for inbound requests to join meetings or enter credentials. Always question the validity and verify if you have doubts.
  2. Anti-Virus software. Cyber criminals’ use of ‘spyware’ will increase during this time. Keep your AV software up to date and well configured to protect against this malicious software.
  3. Connection security. Paid-for services will have a level of encryption. But you should consider making internet connections more secure, for example with the use of VPNs.

We hope this has proved useful. Please contact us if you need any help.

Mitigo is a cyber security company – providing professional services firms with cyber risk management services.
