How to use videoconferencing securely with ensuring privacy?
During the pandemic outbreak, not every organisation could prove to possess procedures which allowed it to implement remote work efficiently. In these cases, the new reality proved to be a particular shock, and – additionally – the hasty implementation of necessary tools among the employees could threaten the cybersecurity of the company infrastructure. On the other hand, even in theory, the companies that were prepared, quickly realised that the tools they used are of little effectiveness or of no effectiveness at all.
Fortunately, recently, numerous organisations and institutions have shared their knowledge regarding the issue. We have shared our experiences and proposals of tool confirmed in practice in practice on our blog. A separate, however, no less important issue is the security of software used in remote work, as well as, best practices in their use. The most acclaimed organisations, that specialise in security have already shared their recommendations. Surely, their implementation will directly translate to the security of the infrastructure of each organisation.
How to protect videoconferencing?
First contact of companies with software used to conduct videoconferencing has turned out to be problematic. A major role have been played by the lack of experience of Zoom users. Numerous users would use default settings without knowing, where each new conference was public, generally accessible for all users. As companies gained experience, the number of incidents decreased. Furthermore, Zoom offers quite a lot in terms of cryptography – in includes, i.a. encryption in compliance with the AES 256-bit GCM standard. However, cyber-criminals still adapt to the new reality and conduct massive attacks not only on videoconferencing sessions, but i.a. on remote access services. The target were, obviously, persons that worked remotely on devices that were not prepared appropriately.
In order to limit the number of potential incidents, we have prepared a practical assortment of hints and prescriptions, that allow to secure office videoconferencing sessions. It should not come as a surprise, that what is key in videoconferencing is, primarily, to be compliant with the company policy – one may assume, that they have already had the time to develop own standards, and should be a priority to the employees. Furthermore, it is advised to limit the scenarios of using the same authentication data (e.g. PIN numbers and other codes giving access to conversations) numerous times. Moreover, it is recommended to use one-time PIN numbers. In terms of privacy security, we turn attention to the fact, that the video-conversations should not be recorded, unless it were absolutely necessary.
Organisers’ responsibilities
Particular prescriptions are also addressed towards videoconferencing organisers and not only participants. Individuals responsible for preparing a virtual meeting should primarily turn their attention to the use of the waiting room option – a software option allowing to halt the videoconference until the moment when the organiser himself joins the conversation. It will reduce the space of attack that is a conversation hijacking. Furthermore, organisers should turn their attention to launching a system of notifications regarding particular events, e.g. a new user joining the conversation. A request to introduce oneself may be helpful in identifying intruders – particularly when the conference is audio format only.
As demonstrated, the basics of the best practices are not particularly complicated, while the tools allowing to secure the privacy of company videoconferencing sessions are usually available on the same platforms set up for collaboration. However, as demonstrated by the example of Zoom, the default setting is not only the best. Therefore, it is advisable for the employees – both the organisers and the participants – to be encouraged to learn the software used in the company, particularly regarding the functions related to privacy and security.
