Tips for Secure Video Conferencing
October 20, 2020
Due to the COVID-19 pandemic and social distancing requirements, organizations pivoted to widescale remote work and online collaboration. Video conferencing emerged as a tool for business continuity and sustained social connection. However, these tools opened the door to increased cyberattacks.
Amid the unanticipated exponential growth and unprecedented popularity of these platforms, many video conferencing users have not implemented necessary security precautions—or might be unaware of the latent risks and vulnerabilities.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has established principles and practices that individuals and organizations can follow to enhance video conference security.
Connect Securely
The initial settings for home Wi-Fi networks and many video conferencing tools are not secure by default, which—if not changed—can allow malicious actors to compromise sensitive data while you work from home, according to CISA. Here are some quick tips to ensure a secure connection:
- Change the default passwords for your router and Wi-Fi network to strong, complex passwords.
- Choose a generic name for your home Wi-Fi network to help mask who the network belongs to, or its equipment manufacturer.
- Ensure your home router is configured to use the WPA2 or WPA3 wireless encryption standard at a minimum, and that legacy protocols such as WEP and WPA are disabled.
- Avoid using public hotspots and networks.
- Only use video conferencing tools approved by your organization for business use.
- Enable security and encryption settings on video conferencing tools; these features are not always enabled by default.
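One way to check the Wi-Fi tips above on a Linux machine, as an added example that is not part of the original article or CISA's guidance: the script audits output in the terse format produced by `nmcli -t -f SSID,SECURITY device wifi list`. The sample scan lines and the vendor prefix list are constructed for illustration.

```python
# Illustrative vendor-default SSID prefixes (assumed list, not from the article).
VENDOR_PREFIXES = ("netgear", "linksys", "tp-link", "dlink", "xfinity", "asus")

def split_terse(line):
    """Split one `nmcli -t` line on unescaped colons, honouring backslash escapes."""
    fields, cur, chars = [], [], iter(line)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))   # keep the escaped character literally
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields

def audit_network(ssid, security):
    """Return findings for one network against the WPA2/WPA3 and naming tips."""
    findings = []
    modes = set(security.upper().split())
    if not modes or modes == {"--"}:
        findings.append("open network: no encryption")
    if "WEP" in modes:
        findings.append("legacy WEP enabled")
    if modes & {"WPA", "WPA1"}:
        findings.append("legacy WPA enabled")
    if ssid.lower().startswith(VENDOR_PREFIXES):
        findings.append("SSID reveals equipment manufacturer")
    return findings

def audit_scan(nmcli_output):
    """Map each SSID in the scan output to its list of findings."""
    report = {}
    for line in nmcli_output.splitlines():
        fields = split_terse(line)
        if len(fields) != 2 or not fields[0]:
            continue  # skip malformed lines and hidden (empty) SSIDs
        report[fields[0]] = audit_network(*fields)
    return report

# Constructed sample scan output (SSID:SECURITY per line).
SAMPLE = "NETGEAR42:WPA1 WPA2\nHomeNet:WPA2 WPA3\nCafe\\:Guest:\nOldPrinter:WEP\n"

if __name__ == "__main__":
    for ssid, findings in audit_scan(SAMPLE).items():
        print(ssid, "->", findings or ["ok"])
```

A router in mixed WPA/WPA2 mode is flagged because the legacy protocol is still enabled alongside the newer one.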
Control Access
CISA says uncontrolled access to conversations may result in disruption or compromise of your conversations, and exposure of sensitive information. To mitigate this risk, companies should check their tool’s security and privacy settings and enable features that allow control of who can access video chats and conference calls. When sharing invitations to calls, ensure that you are only inviting the intended attendees. Here are additional tips from CISA to help control access to conversations:
- Require an access code or password to enter the event. Try not to repeat codes or passwords.
- Manage policies to ensure only members from your organization or desired group can attend. Be cautious of widely disseminating invitations.
- Enable “waiting room” features to see and vet attendees attempting to access your event before granting access.
- Lock the event once all intended attendees have joined.
- Ensure that you can manually admit and remove attendees (and know how to expeditiously remove unwanted attendees) if opening the event to the public. Be mindful of how (and to whom) you disseminate invitation links.
Manage File and Screen Sharing, and Recordings
CISA says mismanaged file sharing, screen sharing, and meeting recording can result in unauthorized access to sensitive information. Uncontrolled file sharing can inadvertently lead to users executing and clicking malicious files and links, which could, in turn, lead to system compromise. To alleviate this potential problem, CISA recommends disabling or limiting screen and file sharing to ensure only trusted sources have the capability to share. Users should be aware of sharing individual applications versus full screens. Here are some simple tips for controlling file and screen sharing:
- Toggle settings to limit the types of files that can be shared (e.g., not allowing .exe files).
- When recording meetings, make sure participants are aware and that the meeting owner knows how to access and secure the recording. Consider saving locally rather than in the cloud. Change default file names when saving recordings. Consult with organizational or in-house counsel regarding laws applicable to recording video conferences.
- Consider sensitivity of data before exposing it via screen share or uploading it during video conferences. Do not discuss information that you would not discuss over regular telephone lines.
Update to Latest Versions of Applications
Outdated or unpatched video conference applications can expose security flaws for hackers to exploit, which could result in a disruption of meeting privacy and potential loss of information, according to CISA. The agency recommends these tips to keep applications updated and secure:
- Enable automatic updates to keep software up to date.
- Develop and follow a patch management policy across the organization that requires frequent and continual application patching.
- Use patch management software to handle and track patching for your organization.
In addition, CISA recommends organizations become familiar with security settings and capabilities of their preferred video conferencing platform(s). Here’s a list of several popular products:
Contact ALTA at 202-296-3671 or [email protected].