In recent weeks, video conferencing platforms like Zoom, Skype and Google Hangouts have all seen massive spikes in usage as businesses switch to having their employees work from home (WFH). This increase in usage has led to more eyes on the platforms, both from interested parties and malicious actors. Because the shift to WFH has been so rapid, many users are learning on the go and, unfortunately, that often means favouring quick and easy methods over best practices. This post shares best practices for maintaining your organization’s cybersecurity while using video conferencing tools. We’ll also share a few specific tips for particular systems such as Zoom and Google Hangouts.
Spotlight on Zoom
Before diving into our recommendations, we wanted to highlight a vulnerability identified within Zoom’s platform that is putting your data as a consumer at risk. At the time of publication (April 3, 2020), this vulnerability is active and estimated to take weeks to months to be resolved by Zoom engineers. While it remains unresolved, Zoom’s meetings are protected not by end-to-end encryption but by Zoom’s own definition of it (similar to transit encryption), which would allow Zoom to access unencrypted video and audio from meetings. Zoom has released a statement that they do not mine or sell any of this user data, but this vulnerability adds a risk that malicious actors would be able to get their hands on this data in the event of a security breach. It is our recommendation at this time to avoid using this platform if possible. As a Google Partner, Business Cloud always recommends that our clients use Hangouts Meet, and with these Zoom vulnerabilities in mind, there has never been a more important time to do so. Note that I’ve linked some additional training material at the bottom of this post.
General Recommendations
Dialing-in: Many services offer a dial-in option for users to join a meeting, usually by calling a number and entering a PIN code. While convenient, this unfortunately opens your meeting up to all of the vulnerabilities that come with using a Public Switched Telephone Network (PSTN) service. Our recommendation is that users always connect via the computer apps or video link, rather than calling in. When choosing to Join by Video, you can always opt to disable your camera feed and participate by audio only.
Host-Codes and Personal Meeting IDs: Wherever possible, we recommend using a randomly generated meeting ID over a static number or code. This will prevent anyone you may have shared a code with in the past from accidentally (or intentionally) joining your meeting. Google Hangouts does this automatically, and Zoom will allow you to choose whether to have one generated or to use your Personal Meeting ID (skip to 0:27). Keep in mind that this pertains to conference dial-in numbers as well, as these are often static. We always recommend using one of the online tools (Hangouts, etc.) over a traditional dial-in conference system.
Be Cognisant of Recorded Meetings: Most video calling platforms will allow you to record the meeting to be saved as a video file for reference later. This is a very helpful tool, but meeting hosts should always make guests aware that a call is being recorded. Note that this feature is available in Google Hangouts Meet for all G Suite customers until July 1, 2020.
Using Zoom More Securely
We recognize that it’s not always possible to avoid using a platform altogether, especially if it’s the tool of choice for an external audience who may be planning a meeting. In these instances, we wanted to provide a series of tips to mitigate as much risk as possible. Some of these suggestions have been taken from Zoom’s Blog post How to Keep Uninvited Guests Out of Your Zoom Meetings and the full article can be found in the Additional Resources section below.
Only Allow Signed-in Users to Join (Meeting Hosts only): This will prevent anyone without an account from joining the meeting and additionally ensure participants are joining a meeting with the correct account.
Avoid In-Meeting File Transfers: This should go without saying, but generally you should avoid file transfers from parties you don’t know. Even if you do know them, suggest that they email you the file instead so that G Suite can scan it for viruses and malware.
Screen Sharing and Giving Control: Screen sharing is a vital part of video conferencing solutions but you should avoid giving others control over your screen wherever possible.
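For administrators who want to check scheduled meetings against the recommendations in this post, the sketch below is an added example and not code from Zoom, Google or the original post. The field names and the sample meetings are hypothetical and constructed for illustration; they do not correspond to any vendor's API or export format.

```python
# Added example: checks meeting settings against this post's recommendations.
# All field names are hypothetical; they are not any vendor's API or export schema.
from dataclasses import dataclass

@dataclass
class Meeting:
    topic: str
    meeting_id: str
    host_personal_id: str          # the host's static Personal Meeting ID
    dial_in_enabled: bool = False
    signed_in_only: bool = True
    file_transfer: bool = False
    remote_control: bool = False
    recorded: bool = False
    guests_told_of_recording: bool = False

def _digits(meeting_id: str) -> str:
    # IDs are often displayed with spaces or dashes; compare digits only.
    return "".join(ch for ch in meeting_id if ch.isdigit())

def audit(m: Meeting) -> list[str]:
    """Return one finding code per recommendation the meeting does not follow."""
    checks = [
        ("static-meeting-id", _digits(m.meeting_id) == _digits(m.host_personal_id)),
        ("pstn-dial-in", m.dial_in_enabled),
        ("anonymous-join", not m.signed_in_only),
        ("in-meeting-file-transfer", m.file_transfer),
        ("remote-control", m.remote_control),
        ("recording-without-notice", m.recorded and not m.guests_told_of_recording),
    ]
    return [code for code, failed in checks if failed]

# Constructed sample data, not real meetings.
MEETINGS = [
    Meeting("Weekly sync", "555 010 0199", "555-010-0199", dial_in_enabled=True,
            signed_in_only=False, recorded=True),
    Meeting("Client review", "812 4471 9036", "555-010-0199", recorded=True,
            guests_told_of_recording=True),
]

def report(meetings: list[Meeting]) -> dict[str, list[str]]:
    return {m.topic: audit(m) for m in meetings}

if __name__ == "__main__":
    for topic, findings in report(MEETINGS).items():
        print(f"{topic}: {', '.join(findings) or 'ok'}")
```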