Security Precautions When Using Video Conferencing Services

With COVID-19 creating an increased need for work from home video conferencing to maintain business relationships, video conferencing services have been booming. There are several new business conferencing services, and several that have been around for a while. For example, Microsoft relaunched its Skype for Business service as Teams, which is just an old service wrapped into a new application. In addition to the business conferencing services like Zoom and GoToMeeting, there are several services on mobile devices – such as iMessage, WhatsApp, Google – that were not necessarily built for business needs, but can be used for video conferencing when needed during this current work from home period.

Whichever video service your business chooses to allow during this time, there are a few security considerations to keep in mind:

1. Use Encryption. Only services and devices that operate on and have been tested with current SSL or TSL encryption protocols should be used. Using non-encrypted systems for communication can expose sensitive data to potential sniffing, capture, and tapping.
2. Know Your Participants. Many video conferences allow participation through different means, including, but not limited to, audio via Internet, audio via phone call, audio via computer, and audio via a participant-provided bridge number. It is always a good idea to take a role call at the beginning of each meeting to establish who is on the conference. Any participants joining late should be noted as well. 
3. Limited Your Users Use of Free Conference Services. Similar to the risk in item 2, publically available video conferencing services may not limit the number of users who have access to a private channel or video line. Consider using only those services and devices on which you can limit the users to those participating in the video conference. Using publically available services may expose sensitive information to any number of unwanted participants.
4. Don’t Use Public Locations. The use of video conferencing in public locations should be strictly limited and sensitive information should be strictly protected. In a public setting there is an opportunity for non-related parties to overhear the conversation, shoulder-surf, or photo-bomb the meeting. 
5. Be Aware of Your Surroundings. Closely related to items of concern in a public location is the type of information portrayed in the background of a video conferencing session. The background of the area displayed in the video conference should be cleared of any sensitive information or work product. Checking for any whiteboards, displays, sticky notes, or other potentially sensitive information should be a priority. 
6. Know When the Conversation is Being Recorded. Just like face-to-face conversations or phone calls, video conferencing meeting can be recorded. Users should be aware of the possibility that like any other means of communication there is a possibility that the conversation is being recorded and preserved by the other parties.
7. Change Participant Codes. Consider changing, if possible, default session IDs for the conference call. If the same meeting number or user number is used for each session, anybody with the information can call in and participate in the conversation. This is particularly true of free conference call products – the phone numbers, meeting numbers, and participant IDs are often not changed. Having a sensitive conversation with one client while another is calling in could cause an issue.
8. Know Your Software or Service. It is incumbent on the user of the service to know and understand the use of the services and equipment to understand how to determine the participants (e.g. video versus audio only via phone), how to determine the methods for muting or pausing the conference, and sharing files or screens, (e.g. sharing an app versus sharing an entire desktop). The user should also be knowledgeable in determining when a call is being recorded and when participants are dropped or added.

While there are many applications and services available for use during this Great Quarantine, each service should be carefully evaluated to ensure that the security protections align with your business’s internal requirements and that all of your users understand basic security precautions and your company’s expectations on how to use these conferencing services.