Tips for secure videoconferencing during COVID-19

僅提供英文版本

Videoconferencing has become the virtual watercooler during the COVID-19 pandemic as homebound workers turn to platforms like Zoom, Webex, Slack, LogMeIn, Google Meet and many others to hold face-to-face work meetings with employees, partners and customers.

Use of videoconferencing platforms has spiked since much of the world went on lockdown in March. Zoom reported that usage of its platform soared from 10 million people per day in December to 200 million in March. Many other providers have reported doubling or tripling of video traffic.

The crush of activity has exposed a few security flaws that developers are working to patch, but the most common problems are caused by hosts who don’t understand or don’t pay attention to security controls built into the platform. While most commercial platforms have ample security features built in, providers may turn some off by default to enhance ease-of-use. Service providers also can’t guard against unintended human errors, such as the thousands of Zoom meeting recordings that were found in open view on the web in early April, apparently because hosts uploaded them without applying proper security controls.

Among the intrusions that have bedeviled online meetings during the pandemic are “zoombombing,” in which unwanted intruders horn in on videoconferences to share inappropriate comments and images and lurkers who sit quietly on the sidelines and steal private information shared in video conversations and text chats.

Here are some secure videoconferencing steps you can take to keep your virtual work meetings private and secure. Most apply to nearly all platforms.

Start with the choice of platform. For sensitive meetings, be wary of consumer platforms that were never intended to provide enterprise-grade security. Using encryption protects meetings from being intercepted over unsecured Wi-Fi connections. Several commercial services provide end-to-end encryption, but it isn’t always enabled by default, so check your settings. Most platforms offer a basic free level of service, but advanced security settings may not be available in those basic tiers.

Protect yourself by using randomised meeting IDs that are nearly impossible to guess. When setting up meetings, some platforms use a default ID consisting of a URL followed by a string of random characters. Attackers may be able to invade such sessions simply by guessing the characters at the end of the address.

Enable password security on the meeting so that only invited recipients can enter, and be sure to warn your guests not to share the password. You might also consider sending a separate email or meeting invitation with the login instructions rather than using the invitation capability within the platform. Those branded invitations can be spoofed by purveyors of phishing emails that trick recipients into clicking on malicious links.

If the platform has a “waiting room” feature, use it to isolate attendees in a staging area where you can admit them one by one. Change the default meeting settings to automatically mute and turn off attendees’ video upon entry. Then turn on audio and video controls for each person who enters.

This may be inconvenient in large meetings, so in those cases consider platforms that permit hosts to mute the entire group. You can also look for a “lock meeting” option that enables you to block new participants from entering without permission once the meeting begins.

Turn off file-and screen-sharing and block or regulate chat. Most platforms permit users to exchange files, but malware detection is usually rudimentary or nonexistent, making them an easy target for infected documents. Start your meeting with screen-sharing disabled so intruders can’t hijack the display with inappropriate messages. Enable attendees to share their screens as needed.

Chats should never be used to exchange sensitive information. Some platforms capture chat messages – even private ones – in recorded meetings and share them with the meeting organiser later. If you want to complain to other attendees that the meeting is dull, it’s best to keep your opinion to yourself or use a separate chat client.

Nearly all platforms give moderators the option of recording meetings. This feature can be a source of embarrassment at best and a security risk at worst if recordings are inadvertently made public. If you want to record a meeting you host, be sure to notify all participants and gain their acceptance before clicking the start button. If you’re attending a meeting, look for an icon that indicates that recording is on.

Videoconference service providers frequently update their security settings, and many are locking down platforms tighter than ever during the pandemic. Check the security section of the provider’s website for the latest enhancements and tips on how to ensure that your work meetings are both productive and safe.