The spike in the number of people working from home has lead to a leap in videoconferencing so organizations can keep in touch with staff. However, some dark web sites are trading information on videoconferences that hackers or pranksters can listen in on.
That’s led the Canadian Centre for Cyber Security, the federal government’s cyber experts, to warn infosec pros to ensure these meetings are buttoned up to reduce the risk of data theft and reputational damage.
Here’s a summary of the recommendations:
- First, don’t publish links to meetings in open forums. That’s how hackers learn about them
- Make sure all meetings have a user password. If the system offers, use a “waiting room” where participants can be positively identified. (Separately, one non-government expert advises hosts to watch who joins a meeting in mid-session to verify the person is an authorized participant)
- Use existing corporate solutions whenever possible. If you are picking a new solution choose a platform with appropriate security features. Factors to consider include the level of encryption, the ability to require passwords or other methods of authentication in order to join a videoconference
- Someone in the organization has to set rules and expectations concerning the types of discussions that may take place on a given platform. (As an example, for Government of Canada users, classified material should never be shared on an unclassified network)
- Use the right tool for the job. Don’t be afraid to send sensitive documents via courier or secure email rather than sending them over a VTC shared files channel
- Ensure that conference organizers are aware of the security features available on the platform and are used appropriately
- Ensure all parties using the VTC software are aware of and comfortable with any data sharing done by the software owner in order to realize a profit (i.e. Selling data analytics for marketing purposes)
- Choose a solution that allows you to control how your data is handled. Some platforms may route data outside Canada or store shared data on servers they control
- Consider using a solution that does not require participants to install a client unless necessary. Not only does that aid simplicity, but there’s also no need for clients to be updated