The COVID-19 crisis has brought normal operations to a halt for many businesses, as remote work and teleconferencing have become a necessary norm. While reacting to the unprecedented shift in the office dynamic, companies are turning to commonly available or ‘one size fits all’ solutions for their communications and video conferencing needs.
Teleconferencing solutions and cybercriminal tactics
Slack and Zoom have gained popularity in recent months due to the ease of communication between employees, customers, and vendors. Personnel may utilize these solutions without prior approval from their respective IT departments, potentially exposing confidential information and harming their organization’s reputation.
Commonly available video teleconferencing solutions have been accused of hiding security and privacy flaws, while also utilizing insufficient encryption. Many of these telework applications do not allow an organization to manage its own encryption configuration, so the organization must rely exclusively on the application provider’s systems. As a result, there is no guarantee of data confidentiality or data location (data residency), since calls may be routed offshore.
Some recent examples in the news include cybercriminals gaining unauthorized access to the following:
- Discussions related to confidential company financial statements
- Telehealth calls
- Elementary school remote classes
The tactic known as ‘Zoom-Bombing’ has inundated the popular free video teleconference application Zoom, where, by default, the application configuration allows an uninvited user to enter a public meeting and cause havoc by sharing crude imagery or hate speech.
Cybercriminals were exploiting security weaknesses by:
- Gaining control of a user’s account and messages
- Accessing privately shared files
- Accessing a user’s video camera at any time
- Intercepting privately shared video content
- Gathering participants’ social media profile information
How can your organization protect itself?
Organizations should make meetings private, utilize solutions that allow for data residency, and keep up to date on training and processes. The steps outlined below can also help mitigate the risks of personnel utilizing video conferencing software.
- Choosing the right tool
Choose or configure a video conferencing tool that provides end-to-end encryption and only allows authorized individuals to access meetings.
- Policies & procedures for approved teleconferencing software
Update policies and procedures around the use of approved teleconferencing software and ensure employees accept and understand them.
Refresh cybersecurity training for staff, specifically around working remotely and the risks associated with utilizing unapproved teleconferencing software. Provide personnel with best practices for conducting a video conference (e.g. only enable minimal functionality or view-only access for participants; do not share confidential information, etc.).
- Consistent monitoring
Increase monitoring and review of unauthorized video conferencing tools and any related data leakage.
How BDO can help
The current situation is constantly changing, making preparation and risk mitigation challenging. Our team of professionals has helped a number of organizations adapt and pivot in this difficult environment, and we are ready to help protect your organization from security risks posed by your remote workforce.
Vivek Gupta, National Leader – Cybersecurity Consulting