With 52% of the workforce still working from home and with working from home becoming the new normal for many, video teleconferencing remains an essential technology relied upon by businesses. However, it’s not without its risks.
Following some high-profile concerns regarding levels of security, Johnty Mongan, Cyber Risk Management Specialist at Gallagher, has been reviewing the hidden risks of using some well-known, cloud-based video teleconferencing platforms.
Video Teleconferencing (VTC) Hijacking
Terms such as “Zoombombing”, popularised by the press during the first lockdown in 2020, emerged to describe hackers who join conversations taking place on video teleconferencing platforms to which they weren’t invited. And it’s not just eavesdropping: some of these incidents are turning very nasty.
A hacker could access your ‘virtual’ meeting with a link or an individual’s personal ID. Surprisingly, some video teleconferencing sessions are being run without password protection. To make matters worse, there are many people sharing video links across public websites and social media.
It may be prudent to stick to the video teleconferencing services available to you on your privately hosted infrastructure, wherever possible. Many organisations use Office 365, where the correct licence plan gives you access to Microsoft Teams. All users within a team have to be on your domain, which makes the video conferencing platform a more secure option.
Where it’s not possible to use your own company’s infrastructure and VTC is your only option, there’s a range of controls you can introduce to make the calls more secure.
- When a VTC asks for a meeting ID, avoid using your Personal Meeting ID. Instead, use a unique ID per meeting, exclusive to each meeting you hold. VTC platforms such as Zoom have support pages which offer guidance via a video tutorial on how to generate a random and unique meeting ID for additional security.
- Your chosen VTC platform may offer a “Waiting Room” feature, which enables you to see who is attempting to join the meeting prior to allowing them access. Like many other privacy functions, a skilful disrupter can sometimes bypass this control, but it helps to put another hurdle in their path.
- Disable other options, including the ability for others to “Join before Host” (it should be disabled by default, but check to be sure - see below). Then disable screen-sharing for non-hosts and also the remote control function. Finally, disable all file transferring, annotations and the autosave features for chats.
  To disable most of these features, click on the gear-shaped Settings icon on the upper-right side of the page after you’ve logged in. From there, you’ll see the option to turn off most of the listed features.
  Disabling screen-sharing is a bit different, but just as easy. Go to the host controls at the bottom of your screen and you’ll see an arrow next to Share Screen. Click the arrow, then click Advanced Sharing Options. Go to “Who can share?”, click “Only Host”, then close the window.
- Once the meeting begins and everyone is in, lock the meeting to outsiders and assign at least two meeting co-hosts. Co-hosts will be able to help control the situation in case anyone bypasses your efforts and gets into the meeting.
Credential stuffing is another increasingly common form of attack that preys on cloud-based service usage. It’s a cyber-attack in which personal details obtained from a data breach on one service or website are used to attempt to log into another, unrelated service or website. For example, an attacker may take a list of usernames and passwords obtained from a breach of a major department store and use the same login credentials to try to log into the site of a national bank. The attacker is hoping that some fraction of those department store customers also have an account at that bank and that they reused the same usernames and passwords for both services.
As hackers are always searching for credentials from publicly available sources, one service we recommend is the widely respected website www.haveibeenpwned.com.
You can subscribe your domain name and receive regular updates if any of your employees’ email addresses have been involved in a data breach. If you receive a notification, you can immediately ask those individuals to change their passwords on your accounts to ensure a hacker cannot use the potentially leaked credentials.
This could be the difference between a significant data breach and a near miss!
Conditions and Limitations
This note is not intended to give legal or financial advice, and, accordingly, it should not be relied upon for such. It should not be regarded as a comprehensive statement of the law and/or market practice in this area. In preparing this note we have relied on information sourced from third parties and we make no claims as to the completeness or accuracy of the information contained herein. It reflects our understanding as at 20/05/2021, but you will recognise that matters concerning Covid-19 are fast changing across the world. You should not act upon information in this bulletin nor determine not to act, without first seeking specific legal and/ or specialist advice. Gallagher accepts no liability for any inaccuracy, omission or mistake in this note, nor will we be responsible for any loss which may be suffered as a result of any person relying on the information contained herein. No third party to whom this is passed can rely on it. Should you require advice about your specific insurance arrangements or specific claim circumstances, please get in touch with your usual contact at Gallagher.