Now more than ever, conference calls and web meetings — virtual meetings — are routine occurrences in modern business, and while many of us have become security-conscious while conducting transactions online, virtual meeting security is often overlooked. For example, who hasn’t been finishing one call when attendees of the next call start joining because the access code is the same? It may be annoying, or even humorous, but what if you were discussing sensitive business or personal information?
The National Institute of Standards and Technology offers timely reminders for many of us now teleworking due to the coronavirus health emergency: If virtual meetings are not set up correctly, former coworkers, disgruntled employees, or hackers might be able to eavesdrop. But using some basic precautions can help ensure that your meetings are an opportunity to collaborate and work effectively – and not an opening for a data breach or other embarrassing and costly security or privacy incident.
Most virtual meeting services have built-in security features, and many providers will give you some basic security suggestions. Regardless of your provider, NIST offers a few simple options for holding a secure virtual meeting:
- Limit reuse of access codes; if you’ve used the same code for a while, you’ve probably shared it with more people than you can imagine or recall.
- If the topic is sensitive, use one-time PINs or meeting identifier codes, and consider multi-factor authentication.
- Use a “green room” or “waiting room” and don’t allow the meeting to begin until the host joins.
- Enable notification when attendees join by playing a tone or announcing names. If this is not an option, make sure the meeting host asks new attendees to identify themselves.
- If available, use a dashboard to monitor attendees – and identify all generic attendees.
- Do not record the meeting unless it’s necessary.
- If it’s a web meeting (with video):
  - Disable features you don’t need (like chat or file sharing).
  - Before anyone shares their screen, remind them not to share other sensitive information during the meeting inadvertently.
This list is not all-inclusive, NIST reported, nor must you use every tool for every virtual meeting. It is critical to be aware of your organization’s policies and the sensitivity of the topics under discussion, to factor in the logistics of the meeting, and to select the measures that make sense for each situation. Consult your security and information technology experts if you have questions about ensuring a secure virtual conference or telephone setting.
Where highly sensitive information may be shared, talk to a security professional first and take more precautions. Additional steps you should consider include:
- Using only approved virtual meeting services that issue unique PINs or passwords for each attendee, and instructing attendees not to share them.
- Using a dashboard feature so you can see who all the attendees are at any time.
- Locking the call once you have identified all the attendees and lines in use.
- Encrypting recordings, requiring a passphrase to decrypt them, and deleting recordings stored by the provider.
- Only conducting web meetings on organization-issued devices and platforms.
NIST provides resources to assist employees while teleworking. Those resources are available at https://csrc.nist.gov/.