The current pandemic has certainly shown the utility of electronic collaboration tools such as videoconferencing platforms. Once an expensive perk reserved for enterprise companies, the video call is now used not only for executives remotely attending board meetings but also for the following:
- Sales calls
- Partnered coding
- Team standups
- Chats with distant family members
- Online classes at all school levels
- Professional appointments with accountants or lawyers
- Telehealth visits with your medical professional
At the moment, it’s important for public health that everyone stays distant from one another. In order to keep people working, however, some work policies and regulations are being relaxed to allow better video communications with the tools we all currently have available.
The Security Risks of Videoconferencing
Unfortunately, that does not mean there are fewer risks. When it comes to video, we need to protect against unauthorized people getting access to the call to either hear the discussion or manipulate the video to “prove” something else happened.
This makes total sense when the video is a discussion of a company’s merger plans or upcoming product announcements. In those scenarios, an unauthorized individual might want to listen in for their own gains or to sabotage. Meanwhile, in other conversations, you may discuss a relative’s health or talk about financial position—data which could be used for nefarious purposes, as video is just another medium through which a malicious actor can mine data. Recordings can also be used to create deep fakes (https://www.creativebloq.com/features/deepfake-examples), manipulated media which can be used to back up claims that something was said when it really wasn’t.
In addition to unauthorized access, there is also incidental data loss, which may include information on the whiteboard in the background of the video or a prototype sitting on your desk. When at home, you need to remember that there could be mail on the table with your address on it or other sensitive data that happens to be in video range. And don’t forget that on the screen, you may switch between spreadsheets but not realize that your bank balance and account number are visible in another window.
How Organizations Can Mitigate These Risks
For enterprise video systems, the first line of defense is access. This is pretty easy when you’re at the office: the conference rooms with video capabilities are physically within the domain, behind all the firewalls that this entails. Starting from a secure network removes a host of possible attack vectors. With 128-bit Advanced Encryption Standard (AES) built into the system as well, the keys generated at the beginning of each session are functionally unbreakable with current supercomputers. It’s also important to note that the formal office setting may be acoustically separate from any location where an attacker might be able to physically overhear a conversation. Finally, the hardware and software themselves have encryption, and the users never have to think about it.
Unfortunately, that means that when employees work from home, they may not be aware that their tools are less secure.
When working remotely, a videoconferencing call should still start with a secure network. A non-public WPA2 network with a non-default admin password is easy to set up on a home system. If feasible, it’s also useful to use a VPN to encrypt all internet traffic.
Encrypting the video traffic is possible with a variety of popular tools, but not all of them are configured with 128-bit AES by default. Doctors are suddenly expanding into the telehealth field, and while health industry-specific tools are more private than social media-based options, they may not be available at a given practice or feasible for its patients. HIPAA is currently allowing some public tools for telehealth: services that default to encrypted, private conversations (like Apple’s FaceTime, Google’s Hangouts, Microsoft’s Skype or Facebook Messenger) can be used, while the medical industry is barred from using apps that default to broadcasting publicly, like Facebook Live, Twitch, and TikTok. While these and other tools may be configurable to use 128-bit AES encryption, the end user might need more computer assistance to set it up – or even to know it’s not already there.
Conference call etiquette, even outside of a conference room, can help keep remote videoconferences more secure. Muting your line when you are not talking helps keep the call focused and also prevents background noise from being broadcast unintentionally. This means side conversations, which may be sensitive or personal, will not be overheard. Turning off your camera when not in use, or even covering it, is another option.
As meetings and video chats get larger, make a habit of confirming that the attendees on the call are supposed to be there. Most apps play an audio tone when someone joins the call, so when the 11th person joins a call that 10 people were invited to, you should be able to confirm the new person is supposed to be there. A bug in Zoom – since patched – previously allowed a researcher to generate potential Zoom meeting room URLs. They found that 1 in 25 generated URLs got them into a password-less room without an invite. Other tools may have undiscovered issues, but paying attention to who joins will help mitigate the problem, as will setting passwords for your video chats.
Being aware of what can be seen on the screen or by the camera can help prevent sensitive information from being transmitted unintentionally, regardless of who is on the call with you. During this period, it is important to stay connected with your co-workers and loved ones, but do make sure it is with the people you intend to be connected to.