6 ways to keep spies out of conference calls
As the world gingerly steps into hybrid working following 18 months of the pandemic, securing video conferencing calls remains a major concern. Here SC Media UK asks the experts for the inside take on cyber-proofing company calls.
Virtual conferencing – love or hate it – is here to stay. Since the pandemic, 98 percent of global companies have adopted team building and collaboration software like Microsoft Teams, Google Meet and Zoom, according to Mimecast’s State of Email Security (SOES) 2021 report.
But as useful as collaboration tools are, CISOs are wondering whether their cybersecurity procedures are a match for the risks posed by online meetings. More than two-thirds of SOES participants expressed concern about safeguarding business conversations that take place through virtual conferences.
As we enter the era of hybrid working 1.0, here are six steps for curbing virtual meeting espionage…
1. The obvious – but not always used – password
The most essential – and often most neglected – consideration when setting up a meeting is making sure it has a password in place. This helps ensure your meeting contains only the people you are expecting – unlike a shareable URL that can invite lax or unwanted access.
2. Balance security and open policy
“For things like media encryption, most conference call software does a pretty good job out-of-the-box,” says Ben Lee, Microsoft technology lead at LoopUp, provider of SaaS conferencing solutions. “But it’s the softer side of security that’s usually the greater menace.”
Lee says firms should carefully configure their policies by weighing user needs against security. In MS Teams, for example, policies are generally split – there are generic global controls, then granular settings that can be tailored for different people in the organisation.
“Your company needs to think carefully about which security settings can be applied globally and can’t be changed. For example, if you have dial-in calls, there is a global setting that controls whether you have voice announcements when people join or leave. Or you can control who can start and open a meeting globally,” Lee says.
Lee says it’s important to create and agree different levels of access based on whether users are authenticated from within your organisation, partner organisations, or anonymous users.
3. Mind your meetings
If you schedule one meeting immediately after another on the same conference facility, at some point you likely will have participants on the call who shouldn't be there. This could occur because the first meeting runs over, or participants invited to the second meeting join early.
If you host recurring meetings, anyone with those dial-in details and knowledge of the time of the meeting can join – even if they are no longer supposed to be involved.
4. Surveillance and scheduling
It is wise to designate someone as “surveillance” to ensure that an eye is kept on who is entering the calls, so they can remove any unwanted visitors instantly, says Malcolm Murphy, cybersecurity expert at Mimecast.
He recommends you implement safe scheduling practices: “Cybercriminals often try their luck with fake invite emails, so people need to ensure the links that they are clicking are legitimate.”
5. User education
When deploying video meeting software, user adoption plays a critical role in security success.
“There are a lot of powerful simple things that users can do that make a big difference to security levels. It’s important to disseminate best practice information around the process of creating meetings, or understanding how to change the meeting settings,” says Lee.
6. Watch your sharing
Be ultra vigilant about sharing meeting information, says Jonathan Knudsen, senior security strategist at the Synopsys Software Integrity Group.
“Monitor the attendee list during the meeting to be sure you don’t see anyone unexpected. It is also important to be careful with meeting recordings,” he says.
“Make sure your video conferencing platform encrypts recordings and requires a password or other authentication to view them. Again, be careful about distributing the recording information so it does not fall into the wrong hands.”