Remote working has become more common since the beginning of the Covid-19 global pandemic. Companies are exposed to security breaches as employees use home networks with reduced security. Other practices are becoming popular—such as BYOD or bring your device to work—but they pose unintended security risks. Using personal endpoints exposes you to malicious threats unless you install watertight security measures.
But one high-profile feature of remote working in particular is gaining the attention of security leaders for the wrong reasons—video conferencing. Even the FBI has recently warned of “meeting-bombers” gaining unauthorized access to video conference meetings through both Zoom and Cisco Webex. With all these threats in circulation, Jeff Penner from Activeco, an IT support Vancouver company asks the questions on everyone’s minds, “Have you conducted end-user training on remote security policies and best practices? Do you have monthly, or weekly, security awareness training in place?”
Threats to video conference security
Remote work is not going away. Virgin Group Chairman Richard Branson says, “We like to give people the freedom to work where they want, safe in the knowledge that they have the drive and expertise to perform excellently”. More and more companies feel this way, but the security has to be right.
Besides meeting-bombing, cyber criminals can also put malicious links into chats. Sometimes they can steal meeting links with the intention of coming back to bomb more meetings. This gives them a lot of room to plant threats like malware and ransomware. What about the Zero Day Attack, where cyber-criminals attack a known vulnerability until it is fixed? This happens too. But you can combat these attacks by doing the following:
1. Verify meeting links
Whenever you are invited to a meeting, make sure that invite link comes from a trusted source. Take care to check for dodgy file extensions such as .exe. Rather be safe than sorry and do not click on a suspicious-looking link.
2. Create a waiting room
Sometimes meeting participants will enter the meeting room before the organizer and start discussing items on the agenda. This can be annoying but it is not the worst thing that can happen in a video conference. This is why the organizer needs to get the chance to do a roll call and make sure that those who are in the meeting room are supposed to be there. This is why a virtual waiting room is a good idea, as the host can only admit approved entrants.
3. Don’t recycle meeting IDs
Sometimes we get lazy and keep the same meeting ID because it’s easy to share and store. But this also makes it easy for meeting-bombers to gate-crash a meeting. Because of this, many video conference platforms now auto-generate new meeting IDs. If your service can’t do this, be sure to generate new meeting IDs all the time.
4. Use a meeting password
To be extra safe, you will need to go beyond a meeting ID and create a unique meeting password. It might feel like going to a lot of trouble, but it is important for video conference security. This is even more crucial for highly confidential meetings.
5. Vet the meeting attendees
It’s important to verify who is in the meeting room. Some platforms allow for enterprise-wide meetings, and clearly you cannot vet everyone on those types of calls. But for smaller meetings, always verify that whoever is in the room is supposed to be there. Remove anyone who is not invited.
6. Lock the meeting room
Just like locking an actual physical room, you should lock the virtual meeting room once you get started. This will reduce the chance of cyber criminals bombing the meeting. Because of network connectivity issues, a participant can sometimes drop out. Just be sure to unlock the meeting room to let them back in.
7. Use a blurred background
You may have a beautiful home with a great view, but there is a good reason why you should blur your background. The most sophisticated meeting-bombers can now socially engineer their victims if they have access to personal identifiers like family photographs, address clues, and home security fittings.
8. Be careful of the chat room
Not all video conferencing platforms are created equal. This makes sharing important information in the chat room a bad idea. If you are certain that your conferencing platform offers end-to-end encrypted security, then you can safely share your information. If not, it is best to exercise caution.
9. Update, update, update
In the age of BYOD, conferencing tools are likely to be installed on multiple devices. Some are company-approved devices but some may be personal devices. To reduce the threat level, be sure to update your conferencing software regularly. Security vulnerabilities can be exploited on older software versions.
10. Social media is not for sharing links
Always share meeting information privately or via approved company channels. By broadcasting your upcoming meeting on social media, you allow threat actors the time to craft a malicious attack on your meeting.
11. Make sure you go for training
In the age of working from home, regular security training is vital. It allows you to create boundaries and codes of best practice for users. Yes, you can farm out your security to a managed IT security firm, but your first line of defence must always be your own vigilant employees.
When you roll out your training, besides the core security protocols, be sure to put in place simple house rules while will help your cause. These could be simple rules around recording a meeting. You might want to restrict the ability of personal devices to be used for company recordings. Other house rules could be practical instructions such as making sure that cameras are faced towards the user directly, or that microphones are muted while others speak.
In the age of remote working, video conferencing services want to sell their services as easy to use, but there is often a trade-off between security and user experience. Always have security front of mind when choosing a video conference platform. Cyber criminals are always looking for ways to exploit your systems. You need to train users to play their part by following simple rules to reduce the risk.
Jeff Penner is a senior manager at ActiveCo Technology Management, an IT consulting Vancouver company. Jeff has been in the managed services industry since 2015, understanding what business owners are looking for from technology, and helping them find it. The most important element for a business owner taking on a new technology partner is peace of mind and thus Jeff directs his efforts on finding practical information that any leader can apply to their business. Jeff lives in Vancouver, BC, sharing his love for learning and “the great indoors” with his 2