Video conferencing: usability versus risk
The popularity of videoconferencing applications has skyrocketed since the global pandemic was declared, but as a consequence, the number of unscrupulous individuals and groups taking advantage of new and untrained web meeting users also increases.
There have been multiple reports of video conferences being disrupted by obscene language and images, but the more stealthy and serious threats are intruders that access web meetings without the organiser’s knowledge during or even after the event, via the recording.
As demand for remote working boomed, many of the leading online chat, collaboration and video conferencing vendors made their professional paid apps free at the beginning of the pandemic, including Microsoft, Google, Slack, Zoom, Cisco and LogMeIn.
The “pro” versions of most of these video conferencing apps tend to have superior security features compared to the free versions, such as password logins, end-to-end encryption, waiting rooms and blocking file sharing or recordings. Unfortunately the free deals are largely coming to an end now, but the risks of reverting to the free versions of video conferencing apps are real for all organisations, whatever their size.
Usability versus risk
One of the reasons video conferencing services have gained in popularity has been because of their ease of use for end-users, which is especially relevant during stressful times such as a global pandemic.
Given the choice between managing risk and managing usability, ease of use won the battle for most organisations to keep communicating during the sudden transition to remote working in March. Most users either did not know about all the security settings of video meeting apps, were unaware of the risks, or they just assumed someone in the tech department was managing this for them.
One of the biggest risks to Australian organisations is caused by poor user behaviour and some of the most significant threats to the security of their corporate data assets in recent months is caused by employees using web conferencing in an insecure manner.
The security of online meetings should now be taken more seriously, as potential data breaches for organisations and their employees, partners and customers can result in reputational damage, financial losses and also big fines. A serious breach of personal customer information, for example, can result in a fine from the Office of the Australian Information Privacy Commissioner of up to $420,000.
Access to recorded meetings
Even if a cyber attacker does not get access to the online meeting whilst it is happening, thousands of recordings of video calls have been discovered on the open web as they have been uploaded by users to their cloud storage services. The reason they were easily found by snoopers through online search was that they used a default naming convention for recordings, which can be found automatically using bots.
The good news is that many video conferencing services include security settings that can prevent such incidents. The bad news is that it’s often left to users with absolutely no security training to configure them as the default settings do not offer good security.
Organisations should educate all their employees who host meetings on the specific steps they should take in the video conferencing software to ensure their online meetings are secure during and afterwards.
Malware and phishing risks
If you thought it was just eavesdropping that these cyberattackers were up to by exploiting vulnerabilities in video conferencing apps, you would be sadly mistaken as there are other reasons for their efforts. When online meeting platforms have messaging or chat capabilities, which most do, these can be used to launch phishing attacks and to deliver malware payloads through links and attachments, just like email.
Avoid free or consumer grade apps
It is definitely advisable not to use consumer-grade software or the free versions of apps for business meetings. Consumer tools most likely won’t have all the administrative tools users will need to keep their meetings completely secure. While no technology platform can guarantee 100% protection from all external threats, businesses will get a more complete set of security tools with products geared for professional use.
Ultimately, how safe are the well known video collaboration apps? The answer comes down to how much effort an organisation has put into securing them. That effort may be daunting for some, given that COVID-19’s effect on work footprints has created an unprecedented challenge for IT and security staff. Many Australian organisations have been forced to quickly roll out collaboration apps for all their employees, while still juggling plenty of other priorities, but it is the perfect time to review the risks they pose to the organisation.