Ensuring end-to-end encryption, enabling default security settings, making users aware of cyber risks… Here are 7 practical tips for securing your videoconference sessions.
Shall we set up a “video call”? Since March 2020 and the first lockdown, videoconferencing has become part of everyday practice in French companies. With the spread of telework and hybrid work, which combines face-to-face work and remote collaboration, videoconferencing has become largely commonplace. New teleworkers string video calls together, sometimes forgetting the most basic security rules. Yet, as Gérôme Billois, partner at Wavestone and cybersecurity expert, points out, “videoconferencing is a real concentration of information between the video stream, the chat system and file exchanges. It shows everything that is going on in business and is a step above messaging.” This is an opportunity to recall some good practices.
1. Choose the right platform
The choice of solution is, of course, crucial. Even without running a benchmark, it is clear that platforms do not all natively offer the same level of security (in terms of encryption and authentication). In addition, some have very permissive privacy policies regarding the collection of personal data, as the American NGO Consumer Reports noted in April 2020, pointing the finger at Zoom, WebEx, Google Meet and Microsoft Teams. In August 2021, Zoom paid $85 million to avoid legal action on these grounds. The complainants accused the platform of having disclosed their personal data to other companies such as Facebook, LinkedIn or Google. The American publisher nevertheless maintains that it offers an end-to-end encrypted service.
Gérôme Billois recommends analyzing the publisher’s profile, nationality, hosting mode and server location. Speaking for his own side, Renaud Ghia, president of Tixeo, a French videoconferencing solution, raises the question of the trust placed in the supplier. “A company must be able to carry out an audit of the solution via a third-party organization”, he underlines. In this regard, the National Information Systems Security Agency (ANSSI) offers its own certifications. Finally, videoconferencing raises issues of sovereignty, given that 90% of this market is held by American publishers subject to the Cloud Act.
2. Ensure “true” end-to-end encryption
Most videoconferencing specialists claim to offer end-to-end encryption of communications. But what is actually encrypted? Does encryption apply to voice and video communications as well as to shared files? Gérôme Billois advises making sure that encryption covers all of these flows. Renaud Ghia specifies: “It must be activated by default and not offered as an option as some publishers do.” As for decryption, it must take place on the participants’ workstations and not on the publisher’s servers, recommends the president of Tixeo.
3. Protect the session from intruders
Avoid videoconference sessions secured only by a simple PIN code of a few digits. With a so-called “brute force” attack, it is easy for a hacker to break such a code by quickly trying all the possible combinations. This weakness gave rise to zoombombing, that is, the intrusion of a hacker or a troll into a videoconference that is supposed to be private.
It is advisable to protect sessions with a username and password pair combined with a second authentication factor. To ensure this, solutions from Google and Microsoft rely on Gmail and Office 365 accounts. “For particularly sensitive meetings, double authentication can be considered using a USB key or smartphone”, adds Renaud Ghia.
The waiting room function also serves as an airlock. Like a bouncer, the meeting organizer decides whether or not to let participants in. “An administrator can create a group of members for recurring meetings and define specific parameters for people outside the organization,” recalls Gérôme Billois.
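The brute-force risk against short PINs described in this section can also be watched for on the defender's side. The following is an added example, not code from the article or from any videoconferencing product: it scans a join log for bursts of failed PIN checks against the same meeting. The log format, field names, addresses and thresholds are assumptions constructed for illustration, and the log is assumed to be in chronological order.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample join log (hypothetical format, not from a real platform):
# ISO timestamp, source address, meeting id, result of the PIN check.
SAMPLE_LOG = """\
2024-01-10T09:00:00 203.0.113.5 weekly-sync pin_ok
2024-01-10T09:00:02 203.0.113.9 weekly-sync pin_fail
2024-01-10T09:00:30 203.0.113.9 weekly-sync pin_ok
2024-01-10T14:00:00 198.51.100.7 board-review pin_fail
2024-01-10T14:00:01 198.51.100.7 board-review pin_fail
2024-01-10T14:00:02 198.51.100.8 board-review pin_fail
2024-01-10T14:00:03 198.51.100.7 board-review pin_fail
2024-01-10T14:00:04 198.51.100.8 board-review pin_fail
2024-01-10T14:00:05 198.51.100.7 board-review pin_fail
"""


def detect_pin_guessing(log_text, max_failures=5, window=timedelta(seconds=60)):
    """Return {meeting_id: sorted sources} for meetings that saw more than
    max_failures failed PIN checks inside one sliding time window.

    Failures are counted per meeting rather than per source, so guessing
    spread across several addresses is still caught.
    """
    recent = defaultdict(deque)  # meeting -> deque of (time, source) failures
    alerts = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        stamp, source, meeting, result = parts
        if result != "pin_fail":
            continue  # a single mistyped PIN followed by success is normal
        when = datetime.fromisoformat(stamp)
        failures = recent[meeting]
        failures.append((when, source))
        # Drop failures that have aged out of the sliding window.
        while when - failures[0][0] > window:
            failures.popleft()
        if len(failures) > max_failures:
            alerts.setdefault(meeting, set()).update(s for _, s in failures)
    return {meeting: sorted(sources) for meeting, sources in alerts.items()}


if __name__ == "__main__":
    for meeting, sources in detect_pin_guessing(SAMPLE_LOG).items():
        print(f"possible PIN guessing on {meeting} from {', '.join(sources)}")
```

An alert of this kind is a cue to lock the session, rotate its access code, or move the meeting behind account-based authentication and a waiting room.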
4. Set default security levels
It is also possible to set default security levels for the whole company, such as prohibiting invitations to external participants or file sharing. An employee will then have to request authorization, one-off or permanent, to access certain features.
The level of lockdown can also be proportional to the criticality of the meeting. “The risk of dissemination of fresh and sensitive information is, of course, higher during sales meetings, R&D brainstorming sessions or management committees”, illustrates Renaud Ghia. A CIO can also impose a single videoconferencing platform. This approved solution will serve as the preferred communication channel internally, but also for exchanges with customers, partners and other subcontractors.
5. Choose the appropriate hosting mode
Due to its simplicity of use and ease of deployment, SaaS mode is the most common hosting choice. However, for the most demanding use cases, an organization can use a videoconferencing solution hosted on its own infrastructure. “The company is then completely autonomous and can open this platform to authorized people only while adding perimeter protection devices or a VPN”, observes Renaud Ghia.
The pinnacle of autonomy is to combine the choice of self-hosting with that of an open source video conferencing solution like BigBlueButton or Jitsi. “Using an open source platform, however, requires the benefit of ad hoc skills internally”, tempers Gérôme Billois.
6. Raise employee awareness of cyber risks
Cybersecurity is not just about tools. Employees should also be made aware of cyber risks by being reminded of good practices. The camera should not be switched on systematically, the microphone should be muted when you are not speaking, and files should be exchanged only between duly authorized persons.
Nor is an online meeting the setting best suited to confidential exchanges. “In principle, when I am invited to participate in a videoconference, I do not mention confidential information”, says Renaud Ghia. “It is true however that it is not a public exchange like in a webinar where the level of security can be lower.”
7. Redouble vigilance in the public space
With the spread of telecommuting and hybrid work, more and more videoconferences are held on the move: in coworking spaces, on a café terrace, on public transport or at the airport. These are all public spaces where prying eyes and ears can linger.
“With his headset, the employee is in his bubble and no longer realizes that there are people around him”, observes Gérôme Billois. If you cannot isolate yourself and fit your screen with a privacy filter, you should keep sensitive meetings for the office or home. Similarly, public Wi-Fi access should be avoided. Mobile workers should instead use 4G/5G by tethering to their smartphone.