If you have been working from home during COVID-19, video calling is probably a familiar part of your day. Video conferencing allows you to continue working closely with your colleagues, and in many cases, share or transfer files remotely.
However, to reduce security, privacy and legal risks, it is important to use secure video conferencing. Cybercriminals are a genuine threat, and may attempt to intercept sensitive conversations or coerce users into downloading malware on their devices. In fact, according to a report by the Office of the Australian Information Commissioner [1], over 62% of data breaches were a result of malicious or criminal attacks in 2019.
The government’s lead agency for cybersecurity, the Australian Cyber Security Centre (ACSC) [2], recommends you ask a number of key questions before considering a video conferencing service provider, including:
Are they based in Australia?
The use of offshore video conferencing software can introduce additional security risks for your business. Foreign-owned service providers are still subject to the laws of their country and those laws can change without notice. They may also allow covert data collection, compromising an organisation’s sensitive information without their knowledge.
Do they have a good track record?
A provider’s response to security incidents and privacy issues says a lot about how seriously they view these issues. This can be illustrated in how quickly they disclose information and take effective action to fix security vulnerabilities. Service providers should consistently engage with their customers, proactively address cyber security issues, and advocate for data privacy rights.
Are they reliable and scalable?
Because of the increased numbers of employees using video conferencing for business, you need to ensure it is reliable and available in times of increased demand. You should check that the number of simultaneous connections meets your business needs, and is able to cover peak periods (which, by the way, has increased 21% [3] since the last week of February!)
Do they meet your security requirements?
Seek legal advice before agreeing to a service provider’s terms and conditions that could potentially breach liability or financial rules. T&Cs from secure video conferencing providers should include specific detail about an organisation’s privacy, security and legal rights. Without these, you may not be able to verify their claims or guarantee your information is not being used without your permission. In particular, check whether the provider claims ownership of any content, files, metadata or recorded conversations that are created or shared.
Do they use strong encryption?
Reputable service providers should be encrypting data while it is being transferred between devices, and when it is being stored. Video conferencing software should also use strong encryption, particularly Transport Layer Security (TLS), to protect data while it is in transit. TLS versions 1.2 and 1.3 inherently offer more protection for data transmitted across untrusted networks like the internet.
Do they collect metadata?
Many service providers collect information including names, organisations, roles, email addresses, information about devices, and the user names and passwords of registered users. Because this information is sensitive, be conscious of the information you disclose during the registration process. Knowing how this information will be used will give you insights into the security, privacy and legal risks involved.
According to the Australian Cyber Security Centre (ACSC), when using video conferencing you should do the following:
Configure settings appropriately
Your service provider should provide recommendations on security features and settings in their documentation. This includes providing multi-factor authentication for users to access the system. However, default security settings may need to be tailored to your organisation’s specific needs. Colleagues using video conferencing on personal devices will also need to apply security patches to ensure the video conferencing software is as secure as possible.
Establish meetings securely
When hosting a meeting, consider how invitations and website links will be distributed to those participating. If possible, access credentials and send meeting details via email or an encrypted messaging app. Never access these on social media or on publicly-accessible sites. Also guard against unidentified participants by locking meetings once they are underway. If participants can’t identify themselves appropriately, the meeting host should disconnect them!
Be aware of your surroundings
One of the more common video conferencing problems is maintaining confidentiality. Use a private location where possible, and if you are working in a shared location, use headphones to ensure only approved participants hear your discussions. Also try to position your camera so it only captures your face, or use background blurring features if they are available.
Be mindful of what you share
Video conferencing can sometimes involve private or sensitive topics. Discussions should be limited to content that has been approved prior to the meeting, and participants should understand what can be recorded and/or made public. If screen content is to be shared, only share what is required, rather than your entire screen. If screen sharing is not required, disable the functionality.
Have a cyber security strategy
Other proactive strategies recommended by the ACSC are to ensure that:
- You regularly review your organisation’s procedures and your business continuity plan. This will contain all of the information you need to get your business operating again after an incident or crisis.
- Your systems, including Virtual Private Networks (VPNs) and firewalls, are up to date with the most recent security patches. The ACSC offers guidance on how to turn on automatic updates for both Windows and Apple users.
- Any mobile phones, laptops and remote desktop clients are secure. This includes reviewing risk tolerance, risk management controls and regulatory legislation and obligations.
- Your staff and key stakeholders are informed and educated in cyber security practices, such as detecting socially-engineered messages. These also include messages delivered by SMS and instant messaging.
- Your business is protected against Denial of Service (DoS) threats which are designed to disrupt or degrade online services such as email, website and hosting services.
1. 2019, Notifiable Data Breaches Statistics Report: 1 April to 30 June 2019, Australian Government, Office of the Australian Information Commissioner.
2. 2020, Web Conferencing Security, Australian Government, Australian Cyber Security Centre (ACSC).
3. 2020, Australian Broadband Demand: new weekly report reveals growth in NBN data demand, NBN Co Limited.