May 19 2020

Videoconference Security Risks: What Remote Workers Need to Know

As businesses come to depend on conferencing technology, there are security measures they need to be taking.

Amid the widespread shift to a remote workforce, many employees’ day-to-day tasks have taken different forms. From adjusting to home offices to learning new collaboration programs, the transition has brought about new priorities for workers and IT departments alike.

Reliance on certain programs has changed: Videoconferencing and audioconferencing tools have jumped to the top of list of critical elements for business continuity, right along with email and document-sharing solutions. These changing priorities have spawned a change in security needs as well. Nearly overnight, companies switched to conducting much of their business over videoconferences, and hackers and disruptors have taken advantage. 

Companies around the globe have had their virtual meetings “bombed,” with people entering uninvited. While this can be merely an unwelcome distraction, it also can be a security breach, and businesses need to be able to keep their employees and data secure in this new landscape. 

MORE FROM BIZTECH: Read our full interview with IBM's Charles Henderson for more about how you can protect your organization's meetings.

The Cybersecurity Landscape: Videoconferencing Security Risks

In-person meetings are different than video meetings for many reasons. One reason is the impact video meetings can have on security. 

“It’s really easy to see when somebody walks into your meeting room physically, sits down next to you and starts listening,” says Charles Henderson, global head of IBM’s X-Force Red. “But when you have a dial-in conference or maybe a web meeting or something like that, it may be less obvious.”

Henderson says that regardless of who was invited, everyone who’s in that virtual meeting room is now privy to the same information, so all someone needs to do is get in the room to breach the system.

“That’s a dynamic shift, where the barrier to entry for the attacker has gone way down,” says Henderson. “You simply need a touch-tone phone.” 

Abhay Kulkarni, vice president and general manager of Cisco Webex Meetings, says that not only is it easier for outsiders to get the information but the information itself is much more sensitive.

“In the past, when you and your colleague wanted to discuss something confidential, you would go into a room and talk about it,” Kulkarni says. “Now, the only way you can collaborate is on video. So, a lot more sensitive ideas are being discussed on a wide variety of topics, from HR issues all the way to high-stakes meetings.” 

Videoconferencing: Security Concerns vs. Privacy Concerns

There are two kinds of information at stake in video meetings: One is organizational information, and the other is the personal information of employees. When it comes to company data, the fact that high-level meetings are now done over videoconferencing raises the need for more security.

“Ninety-five percent of conference calls are not confidential,” says Henderson. “In fact, there’s probably a good portion of those that should be an email. But the remaining 5 percent, those range from mildly sensitive all the way up to board-level meetings. If somebody is there listening, that can be catastrophic for a business.” 

While those business stakes are high, so are the personal stakes. During videoconferencing, particularly during remote work, employees are giving each other glimpses of their homes and families. All that information can be ripe for hackers to grab.

“Privacy is almost a tandem track for security in many ways,” says Kulkarni. “A participant in a meeting should be able to join a meeting without having to worry about whether their private information is disclosed.”  

He says he has seen reports of people using applications integrated with Facebook, for example, leading all participants on the call to share some data with the social media giant. A frequent struggle when it comes to security is the issue of convenience: Businesses rely on employees using this technology in order to conduct business, so while it’s important to keep it secure, it’s also important to make it as easy to use as possible. 

“There’s this certain intersection of privacy and security with convenience,” says Henderson. “If you make the most secure conference system in the world, but it’s cumbersome for your sales force to use and it impacts how easily they’re able to close deals, you’re not going to have very good adoption. In fact, your users are going to pivot to their own solution to get around it, and it’s going to be far less secure.”  

MORE FROM BIZTECH: Learn about cybersecurity's increasing role in the future of work.

How Video Authentication Options Can Help Secure Your Next Meeting

Most videoconferencing platforms have measures built in to control who has access to meetings. These range from basic tools like meeting ID numbers and passwords to more intricate services like virtual waiting rooms. 

“In these waiting rooms, a conference organizer basically gets a notification,” says Henderson. “It says that somebody is in the waiting room, it gives their name and they’re given the option of bringing them in or not.” 

These tools work well for most meetings, but there will be times when an extra layer of protection is needed. For things like board meetings or high-ranking government communication, organizations may want to consider encryption. 

“You can imagine what kind of stress those meetings potentially have to endure, because a lot of interesting conversation can be learned by listening in to what the head of states are talking about,” says Kulkarni. “So, those types of meetings would require that you’re using encryption, and that the encryption is solid.”

He says it’s important to make sure the right algorithm is being used and that the right key lengths are used so it’s more difficult to break in. Those keys also have to be managed in a way that’s compliant with other regulations and policies.  “There are all kinds of things you can enable to really guide your users toward making the right choices,” says Kulkarni. 

Charles Henderson IBM
Your policies are only as good as they are able to be used.”

Charles Henderson Global Head, IBM’s X-Force Red

Cultural Best Practices for Preventing Videoconference Security Risks

The tools may be available, but they’re useless if employees don’t use them. Ingraining these protections into the company culture is the best way to ensure compliance from workers.

“Your policies are only as good as they are able to be used,” says Henderson. “So, don’t lock down every call under the sun and make your conference calls unusable.” 

“Tell them, ‘Would you feel comfortable talking about this in a coffee shop? If you would, would you whisper it? Or would you speak loudly about it and comfortably about it?’ If the answer is either, ‘I wouldn’t talk about it at all,’ or, ‘I’d whisper,’ start thinking about things like using the unique meeting ID for each meeting.” 

Paying close attention when people join meetings is also important. Some workers turn off notifications that alert them when someone joins, as it can be disruptive, but Kulkarni says that’s a mistake.

“You have to make sure you’re meeting and interacting with the right people,” he says. 

One trend that could upend security efforts is employees freely sharing pictures of their meetings on social media.

“They have this tendency of, ‘Oh, I’m meeting with my great colleague, let me take a screenshot of my meeting and post it on social media,’” Kulkarni says. “Well, that screenshot also had a meeting ID. So that person is publicizing that information.”

Making many of these changes the default settings can help ensure compliance, as employees would have to go in and switch their settings themselves to take away the protection. And despite the risks, Henderson says that these systems have been very helpful for businesses.

“Right now, the conference calling systems are the best thing going,” he says. “But I think we can do it in a much more secure, measured way where we start to look at the settings and configuration and situation of conference calls to make sure that you’re taking appropriate steps to keep the information we discuss in them private.”

SolStock/Getty Images