Video conferencing has suddenly become an essential tool for business continuity amid the disruption caused by COVID-19. An increase in the number of requests for video software assessments received by IBM's X-Force Red prompted the team to look at the most widely used video platforms.
In the rush to keep businesses afloat and teams functioning, albeit remotely, IBM's X-Force Red has observed an issue that was looming long before the pandemic: corporations are not applying security policies to virtual meetings.
The team was not surprised to find that clients' video conference platforms "support non-member meetings." In other words, no authentication is needed to join or access a meeting "using a simple link or code that is typically embedded in email threads and calendar invites." One does not even need to be a hacker to obtain sensitive information.
IBM said companies need to learn how to apply the security controls these platforms already offer. The absence of on-site IT staff to advise those working remotely is no excuse for neglecting encryption, passwords, and other controls.
Potential areas of abuse
In a blog post, IBM dissected potential areas ripe for abuse and ways to address them.
Identify the most sensitive meetings. Only a small fraction of meetings involve discussion of sensitive corporate data, and the same is likely true of video conferences.
Organizations should look at this problem with a risk-based approach. From the outset, identify the risk level of each meeting and decide whether the video conference needs to be encrypted or not. "Video conferencing security policies should be built and communicated at every job level — from executive assistants to the wider legal team, all groups need to be aware of potential risks."
The other major factor is authentication. Gatecrashing cybercriminals can easily find their way into a video conference if they see that the "door" is wide open. Online meetings can be "by invitation" only, and invitees should be properly identified.
Encrypt, encrypt, encrypt
To help businesses start building a security strategy for confidential meetings, here are some tips for creating greater privacy and control:
Confidential Call Policies: Have employees evaluate a meeting's sensitivity when it is first scheduled. This determines which security protocols are needed. A good rule of thumb: would you normally take this meeting at a coffee shop? If not, treat it as confidential.
Consider Unique Meeting IDs: Many platforms give users a standard meeting room name, which is often a predictable combination of the company and individual’s name. Reusing room names allows previously invited participants to join all future meetings with the same name — sensitive or otherwise.
Implement Meeting Passwords/PINs: For an extra layer of security, beyond a unique meeting ID, apply unique passwords or PINs so only invited participants can join calls.
Roll Call: Meeting hosts should make sure they know everyone on their sensitive calls; do this with a simple roll call before the meeting starts. This will help to identify participants dialing in using nameless phone numbers instead of a profile, similar to what non-member meetings allow.
Revise Settings: Take advantage of features like waiting rooms that require the host to add attendees to the meeting. Other controls, such as disabling the ability to join a meeting before the host arrives, can keep participants from accidentally discussing sensitive information before knowing who is on the call.
Notifications: Turn on notifications to keep track of who enters the meeting room at any given time, and make use of both visual and audible notifications so nothing goes unnoticed.
Alternate Hosts/Password Sharing: Apply policies that prohibit employees from sharing meeting room passwords and from granting alternate host permissions, so credentials do not fall into the wrong hands.
Once Accessed: If the meeting has already been compromised, the best thing to do is end it immediately — powering through the call only puts sensitive information at risk. And if for some reason you can’t do this immediately, notify and mute all participants so they are aware of the intruder and know not to divulge any further information while you work to end the call. Once the call has ended, report the issue to the platform provider as soon as possible and report the incident to your company’s legal and security teams.
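The "Unique Meeting IDs" and "Meeting Passwords/PINs" tips above can be made concrete with a little arithmetic. The following is an added example, not code from the IBM blog post or from any conferencing vendor: it generates a per-meeting ID and PIN from a cryptographically secure source and estimates how many guesses an outsider would need, compared with a predictable room name built from the company and host names. The ID format (three groups of four hex characters) and the six-digit PIN length are assumptions chosen for illustration; real platforms use their own formats.

```python
import math
import secrets
import string

# Constructed example of the predictable room name the article warns about:
# company name plus host name. Anyone who knows both can "guess" it outright.
PREDICTABLE_ROOM = "acme-jane-doe"

HEX_ALPHABET = string.digits + "abcdef"


def new_meeting_id(groups: int = 3, group_len: int = 4) -> str:
    """Return a fresh, random meeting ID such as '7f3a-91bc-0e2d'.

    Format is hypothetical. secrets.choice draws from the OS CSPRNG, so the
    ID is not derivable from the company, the host, or earlier meetings.
    """
    return "-".join(
        "".join(secrets.choice(HEX_ALPHABET) for _ in range(group_len))
        for _ in range(groups)
    )


def new_pin(length: int = 6) -> str:
    """Return a numeric PIN of uniformly random digits (length is an assumption)."""
    return "".join(secrets.choice(string.digits) for _ in range(length))


def id_entropy_bits(meeting_id: str, alphabet_size: int = len(HEX_ALPHABET)) -> float:
    """Entropy in bits of an ID drawn uniformly from alphabet_size^n strings.

    Separators carry no entropy and are ignored.
    """
    n = sum(1 for c in meeting_id if c != "-")
    return n * math.log2(alphabet_size)


def pin_entropy_bits(length: int) -> float:
    """Entropy in bits of a uniformly random numeric PIN of the given length."""
    return length * math.log2(10)


def predictable_room_entropy_bits(room: str, company: str, host: str) -> float:
    """Entropy an outsider faces once the company and host names are known.

    If every token of the room name is just the company or host name, there is
    nothing left to guess, so the answer is 0 bits.
    """
    known = {t.lower() for t in (company.split() + host.split())}
    tokens = [t for t in room.lower().replace("_", "-").split("-") if t]
    unknown = [t for t in tokens if t not in known]
    # Each unknown token is treated as an unguessed lowercase word; this is a
    # rough upper bound, not a measurement.
    return sum(len(t) * math.log2(26) for t in unknown)


def expected_guesses(entropy_bits: float) -> float:
    """Average number of guesses to hit a uniformly random secret of this entropy."""
    return 2 ** entropy_bits / 2


def schedule_confidential_meeting() -> dict:
    """Issue a unique ID and PIN for one meeting and report the combined keyspace."""
    meeting_id = new_meeting_id()
    pin = new_pin()
    total_bits = id_entropy_bits(meeting_id) + pin_entropy_bits(len(pin))
    return {
        "meeting_id": meeting_id,
        "pin": pin,
        "entropy_bits": total_bits,
        "expected_guesses": expected_guesses(total_bits),
    }


if __name__ == "__main__":
    weak = predictable_room_entropy_bits(PREDICTABLE_ROOM, "Acme", "Jane Doe")
    print(f"predictable room {PREDICTABLE_ROOM!r}: {weak:.1f} bits to guess")
    meeting = schedule_confidential_meeting()
    print(f"random meeting {meeting['meeting_id']} with PIN {meeting['pin']}: "
          f"{meeting['entropy_bits']:.1f} bits, "
          f"~{meeting['expected_guesses']:.3g} guesses on average")
```

The point of the comparison is that a reused "company-host" room name costs an insider or former invitee zero guesses, while a random ID plus a PIN forces an outsider through a keyspace that most platforms' rate limiting and lockout will never let them exhaust. The PIN is the second factor the article recommends: even if the ID leaks from a forwarded calendar invite, the PIN still has to be obtained separately.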