The current COVID-19 crisis is accelerating the use of virtual meetings by remote attendees for many conferences around the globe. Unfortunately, increasing the use of virtual meetings also increases an organization’s security risks. Virtual meetings can be prone to unauthorized eavesdropping, corporate espionage, real-time harassment, sabotage and data theft.
There are already many horror stories of what happens when hackers access a virtual meeting. Even in a pandemic, there are bad actors out there. This transition happened so quickly that organizations are scrambling to play catch-up in terms of cybersecurity — dramatically increasing the threat. Virtual meetings have become the norm, so these have become an intense target for cybercriminals. Tricia Lewis, executive VP of HackEDU, says COVID-19 has increased cybersecurity concerns simply because when people are in a state of panic, they will click and open anything that makes them feel safer or they believe will provide them with more information. “We have seen a huge increase in phishing scams related to COVID-19, mostly through emails that claim to have updates concerning the virus,” she says. However, using some basic precautions can help ensure that meetings are safe and secure, and not the genesis of a data breach or other embarrassing and costly security or privacy incident.
In the Beginning
During the first few weeks of the COVID-19 pandemic, many conferences and meetings were cancelled or postponed, while others quickly shifted to holding things virtually. Heather Paunet, vice president of product management at Untangle, a leader in comprehensive network security for small-to-medium businesses, agrees that the problem was that some people did things too quickly. “There were so many organizations forced to organize virtual meetings or events with little time to transition or prepare, and few of them had the opportunity to consider cybersecurity measures that they would need to also be in place during these virtual events,” she says. “In the past, with in-person shows, there were specific portals and website access points segmented for sponsors, exhibitors and attendees. These different access points also included varying levels of authentication for each administrator.”
For example, attendees may have simple login procedures, asking for a username and strong password, while exhibitors or sponsors have a multifaceted login procedure, including username, strong passwords and multifactor authentication. This can account for the difference between a single attendee purchase and the larger financial, and contractual, exchange exhibitors must complete prior to an event. Now, with virtual events, the whole ecosystem is online, creating more entry points or points of vulnerability for attendees and exhibitors. “Companies who previously placed strict remote working policies on employees attending, or who created firewall protections for booths on the show floor, now need to consider if any of their digital components could be compromised during a show,” Paunet says.
Robert Siciliano, security awareness expert at Safr.Me, says administrators of these events need to have a full understanding of all of the various settings on the video teleconferencing platforms to prevent unauthorized sharing of video, screens, and inappropriate questions or comments. “There are a number of toggles to turn various settings on and off that would give the administrator and/or host more control,” he says. “Plus, all hosts and panelists need to be properly vetted.”
Herb Brychta, security risk manager for AE Works, says maintaining control is essential to security in virtual meetings. To start, those in charge should select and use a platform that allows them to know and control who is attending the conference or meeting. “This is especially important if you are sharing intellectual property or if your organization is a publicly traded company to safeguard against the release of insider information,” he says. “Dedicate someone to monitor attendee participation to keep tabs on any uninvited guests trying to gain access.” For those using a platform such as Zoom, which is configurable, Brychta suggests taking advantage of features that allow the host to “admit” attendees before they join so there are no surprise attendees. “Assume that if you send out a link and/or a password that the information is no longer private,” he says.
The key to mitigating after the security measures have been put in place, Lewis says, is to preemptively identify new potential threats. “For instance, when COVID-19 first surfaced and the nation was in disarray, a good security analyst would assume that the pandemic is a prime candidate for new security threats,” she says. “This means companies and their leaders need to keep up with the times, and inform their employees of the new threats before they become pervasive.”
Gabriel Engel, founder and CEO of Rocket.Chat, notes that virtual conferencing puts a relatively high load on the intermediary server and the network bandwidth might quickly become exhausted. “Also, participants need to be ready, having the proper clients technology-enabled to join the conversation,” he says. “Users need to be able to properly use the available features, including more complex functions [e.g. digital whiteboards and polls].”
For example, some tools share system audio of users with an open microphone, inadvertently exposing videos or music played on other screens. Video overlays that are not properly disabled may leak into a conference and cause problems. “Since most companies with proprietary codebase [such as Skype, WhatsApp or Slack] tend to be vague about how they manage or store customers’ data, many risks are being taken when using their platforms,” Engel says. Those include being “Zoom bombed” in a private call — when strangers join your video call; having your data routed out of the country and, in turn, not following data privacy laws, such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA) and the California Consumer Privacy Act (CCPA); a data breach where someone without authorization listens in to your meeting; and losing control of a meeting where every participant can mute or kick out persons at will.
Everyone Makes Mistakes
Nick Santora, a cybersecurity specialist and CEO of Curricula, stresses that with everyone being rushed into working remotely, new tools were pushed onto employees without much training on how to use them. This introduced security risks, because critical steps to ensure the tools are operating as expected were missed. “The most common mistake for virtual meetings is not protecting access with a password,” he says. “When you’re scheduling a virtual meeting, you can check a box requiring a password. Always make sure that box is checked. If you invite someone to a meeting with that link directly from the platform, it should automatically populate for a URL with the password to be included in the calendar invitation.”
A lot of the problems that are experienced during virtual meetings could have been avoided if those in charge just mitigated some common risk factors. “The big mistake is not using the software as designed or not taking advantage of the security features,” Brychta says. “Most of these platforms have tutorials. Take the time to learn about the software.”
Lewis notes the most common mistake when hosting a web conference is sending the conference link to everyone in the company through one quick email blast. It is important, she adds, to take the time to hand-pick each individual you want to attend the meeting, and only inform those individuals. “When conducting a virtual meeting, you have a direct connection between the computers of multiple employees in a company,” Lewis says. “Many virtual meeting platforms allow the conductor to take control of others’ screens, as well as other functions that put people at risk when the host computer is compromised. Once this occurs, you not only have one computer that is compromised, but potentially every computer that is connected to the meeting.”
Tips for Event Organizers
With virtual meetings, there are a range of risks, from low to much more significant, and these risks increase with the importance of the meeting. For example, disruption by uninvited guests is certainly a risk that wastes time and, consequently, money. Brand risk is always a potential problem, especially if there’s a client participating in the meeting or other key stakeholders. And the compromise of intellectual property or confidential information is a risk if unintended parties gain access to information. “Realize that, in a virtual world, people can be ‘virtually’ anywhere and anyone,” Brychta says. “A back channel for verification purposes is recommended if your meeting is decisional in nature. Information taken out of context can have adverse public relations impacts and risk to your brand.”
Paul Lipman, CEO of global security firm BullGuard, says the easiest way to mitigate risks is by utilizing the security features integrated into the meeting service that one uses. “Many have implemented helpful changes that protect users — from enforcing meeting passwords, the addition of true end-to-end encryption, and providing virtual ‘waiting rooms,’” he says. “Beyond the technical precautions, there are also a few steps you should take to avoid ‘social engineering’ of your meeting.”
For example, never share meeting details with those who aren’t meant to be participating, and don’t post them in social media or on a web page, or web-based service that could be scanned by search engines. That way you can avoid meeting details being shared with those who shouldn’t have access to them. “Try to avoid re-using the same personal meeting ID/password from one meeting to the next, especially if you have a lot of attendees and can’t police participation closely,” Lipman says. “Remember that even if you have recording turned off for a meeting, it is easy for anyone in the meeting to take a personal recording either using a screen recording app or their phone.”
Also, be wary when clicking on links that are shared in a meeting chat, especially in a meeting with a large number of participants. “At the banal end of the risk spectrum is the obvious risk of mischief from uninvited participants disrupting a meeting, as we’ve recently seen … ‘Zoom-bombing,’” Lipman says. “More significant risks include potential privacy and confidentiality compromise through phishing and malware risks — both in terms of links shared in meetings and the proliferation of fake conference app installers.”
There are several things event organizers should do to ensure their attendees and sponsors are protected online. Paunet notes organizers should continue to segment sign-in portals between attendees and exhibitors/sponsors. Providing directory access segmentation can ensure that any malicious attendee cannot access business information or data collected by an exhibitor or sponsor during the show. “Additionally, ensure that all attendees and exhibitors are aware of spam or phishing messages and how to spot them,” she says. “With so many emails coming in these days, making sure all attendees can identify authorized emails in comparison to phishing emails is crucial.”
Again, at the beginning of each meeting, the host should verify who is in attendance and know who is on the guest list. “It’s easy for an invite to get forwarded from the wrong person, so a quick check will keep things in order,” Santora says. “Always put a waiting room and/or passcode on your meeting. This will act as a wall so no one who randomly received the invite can just hop right in.”
Another tip is to review platform settings to confirm that only assigned parties can record information. Engel suggests nominating one or more moderators, not only for the conversation itself, but for the technical administration and user management, e.g. being able to mute users who have a noisy microphone. “Encrypt your conferencing sessions for extra confidentiality,” he says. “Transport-layer encryption is a necessary control that comes with most tools on the market. End-to-end encryption is already available for messaging solutions and expected to become widely available for video streaming in the next few years as well.”
The key to mitigating risk is staff awareness and training. Even before COVID-19, human beings were the vulnerability. “So many viruses happen because people click on a link in their email, which deploys a virus,” Brychta says. “As we’ve transitioned to an environment where people are working from home where they are most comfortable, their awareness is not as heightened, and everyone is more susceptible when comfortable.”
Lewis notes the best way to safely hold virtual meetings is to educate employees on best practices for internet surfing/communication. This includes not having any other tabs up that might include personal information, using secure video conferencing software and, again, only sharing the video conference link with employees who are necessary to the meeting. “Before you hold your virtual meetings, collaborate with your IT/cybersecurity specialist if you have one, or educate yourself on best security practices so you can discuss the information with your employees,” she says.
Santora agrees that the No. 1 most effective cybersecurity strategy is to train all of a company’s employees to become the first line of defense against potential hackers. “Every single person can play a role in defending against cyberattacks,” he says. “It’s so important to get ahead of the curve before the event happens. This is about protecting your company in one of the most vulnerable times we live in. Hackers don’t care about anything but themselves.”
Dangers of Personal Devices
Businesses are also in the midst of addressing the increased use of virtual meetings to keep employees engaged and connected to their teams and customers. One major consideration that many businesses tend to overlook is the increased usage of personal devices when working remotely or at home. “To manage the risk brought on by users engaging in virtual meetings, firms should look to offset the security gaps brought on by this widespread reliance on personal devices,” Paunet says. “To do so, firms can engage in many of the same activities they would to improve cyber posture in the office.” That includes investing in scalable and reliable VPN solutions so that employees can trust that they are accessing a network as securely as though they were in the office, educating their employees on their “cyber hygiene”, training employees to spot phishing emails and similar scams, avoiding public Wi-Fi and using non-personal devices whenever possible.
A lack of face-to-face meetings opens a lot of vulnerabilities, especially if the first time you are meeting someone is virtual. Use of security features and a back channel for verification purposes is critical. “As cyber crooks go with technology, so should we,” Engel says. “Use a service that receives regular updates and security fixes. Make sure these are applied for all your users. Familiarize yourself with the available features of the service of your choice.”
Lipman says that with so many people conducting business remotely and relying on conferencing solutions to collaborate, communicate and remain connected, endpoint devices are under a heightened level of risk. “Everyone should be running commercial-grade endpoint security to protect against malware, phishing and other attacks,” he says. “Furthermore, a VPN or ‘Virtual Private Network’ is a critical component of users’ protection.”
Siciliano notes COVID-19 is a singular event for which scammers worldwide have been waiting. That’s why it’s vital that an organization’s IT people stay on top of what is new and ahead of what is next regarding hardware updates, software updates, IT vendors and the various security tools meant to prevent intrusions. “This is the perfect storm” to overwhelm and misinform workers, cause financial distress, fear and confusion, and take advantage of millions of workers “using their own personal devices to access company networks,” he says. “Cybercrime has been organized for quite some time, and this event has allowed them to focus solely on all of the various scams that revolve around one theme.”