Secure Video Conferencing: Beware, even if no one’s ‘officially’ recording the meetings

by Soma Tah, April 21, 2020

 

The demand for team collaboration and video conferencing tools for both personal and business interactions has skyrocketed during the ongoing Coronavirus crisis. Faced with the unprecedented challenge of maintaining social distancing, organizations embraced a ‘remote work’ culture to ensure business continuity. But after a bout of ‘Zoombombing’, and after it came to light that some call traffic had been routed through China, businesses have become largely cautious about using these tools.

Aaron Zander, Head of IT at HackerOne, talks about some of the looming data collection and privacy concerns and shares some tips to help organizations stay protected while using video conferencing tools.

What are some of the common security/privacy breach risks associated with the growing usage of video conferencing tools these days?

Video conferencing tools have a few big security and privacy concerns:

Access to the meeting by unauthorised guests: This is both the biggest issue and the easiest to fix. Most tools have the ability to restrict access or approve/disapprove uninvited guests. Many also can lock the meeting once attendees are present. Though avoiding posting invitation links publicly, sharing out meeting screenshots on social networking during the meeting.

Recording: Recording is a constant privacy concern, especially with sales teams. There are amazing tools now to help link these video conferencing tools to analysis engines to help improve sales tactics and strategies. But a lot of these tools rely on a “bot” user that records without the normal meeting recording indicators. Most, if not all, of these tools have settings for better adhesion to privacy standards, so it is important to work with your teams to ensure they are configured to the standards of your business.

How does end-to-end encryption help?

Encryption doesn’t necessarily prevent the service from leaking data or being legally mandated to allow someone to have access, but end-to-end encryption can prevent those outcomes, which is why so many people desire it.

For example, the service you’re using usually encrypts the data you send it and the data it sends you. But that still means the service has access to your information. For example, chat services generally own the encryption keys, so if a government entity legally requested access to those messages, or an outside entity gained access to those keys and services, they can decrypt and gain access to those messages.

End-to-end encryption is the process of ensuring that the only people who can read a message, or listen to a call, are the owners of the encryption keys, usually leaving the service out of it. If we take the same case above, a service using full end-to-end encryption would not be able to provide decrypted messages under legal request, or risk bad actors decrypting the messages, because they never possessed the keys to decrypt the messages in the first place.

End-to-end encryption is very hard to achieve in a way that is user-friendly. While it might be important for some when discussing things such as military secrets, it isn’t necessarily important for all the general users. Even for most business cases, the extra work to use end-to-end encryption and the limitation on feature set mean it’s unrealistic, and not desirable to use, for 99% of use cases.

What is important, though, is having an encrypted service that uses tested encryption standards. There are many standards to choose from, and they have different positives and negatives, but it is important to choose an encryption methodology that has been scrutinised by the security community time and time again. All of this is made even more complex by allowing telephony (dial-in) services. Phone calls are not encrypted, and while the receiving service on the meeting provider may be encrypted, all of the data from the service to the caller is not.
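The difference between a service that holds the encryption keys and end-to-end encryption, described in the answer above, can be shown in a few lines. This is an added example, not part of the interview and not any vendor's code; the function names and the sample message are hypothetical, and it uses only Node.js's built-in `crypto` module.

```javascript
// Added illustration; all names here are hypothetical.
const crypto = require('node:crypto');

// AES-256-GCM helpers; a fresh random 12-byte nonce is used per message.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Model 1: the provider generates and keeps the key, so the provider
// (or anyone who obtains its keys) can decrypt what it stores.
function serviceHeldKeyDemo(message) {
  const serviceKey = crypto.randomBytes(32);   // lives on the provider
  const stored = seal(serviceKey, message);    // what the provider stores
  return { providerCanRead: open(serviceKey, stored) === message };
}

// Model 2: each participant keeps an X25519 private key on their own device;
// the provider only relays public keys and ciphertext.
function deriveKey(myPrivate, theirPublic) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'e2ee-demo', 32));
}
function endToEndDemo(message) {
  const alice = crypto.generateKeyPairSync('x25519');
  const bob = crypto.generateKeyPairSync('x25519');
  const relayed = seal(deriveKey(alice.privateKey, bob.publicKey), message);
  const bobReads = open(deriveKey(bob.privateKey, alice.publicKey), relayed);
  // The provider holds no private key, so any key it tries fails authentication.
  let providerCanRead = true;
  try { open(crypto.randomBytes(32), relayed); } catch { providerCanRead = false; }
  return { bobReads, providerCanRead };
}
```

The sketch does not authenticate the exchanged public keys; end-to-end systems pair the key exchange with a verification step so the relay cannot substitute a key of its own.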

How can organisations protect their sensitive data, when they access video conference or collaboration tools?

When screen sharing, opt for sharing a specific window, rather than your whole display. This can prevent accidentally sharing too much information, or having pesky notifications interrupt your meeting. Additionally, when sharing browser content, make a new window with just the tab or tabs you wish to share. This prevents accidentally sharing sensitive information like emails, chat messages, HR data, etc.

Be aware of who is in your meeting. Even if no one is “officially” recording, assume that anyone can be. Have legal protections in place before sharing sensitive information like mutual NDAs with your prospective customers.

It’s quite typical for organisations to record large, recurring company-wide meetings that are conducted via video conferencing tools. Most meeting tools allow you to pause the recording during parts of the meeting that may be extremely sensitive, like sharing financial performance data.
