What’s the risk?
Video hijacking occurs when an uninvited party joins a video session to eavesdrop on the conversation or capture data shared on a participant's screen. Hijackers have also disrupted sessions by broadcasting explicit audio or video content, or by disseminating confidential information to attendees who are not authorized to receive it.
Steps users can take to protect against video hijacking include:
- Do not share private meeting links over public channels, blog posts, or social media; anyone holding the link can join the meeting.
- Generate a unique meeting ID for each meeting and share it only with authorized attendees. Do not use your personal meeting ID (a fixed ID reused across all of your meetings) to host a public event; once it is exposed, it can be used to join every later meeting held on it.
- Where possible, set a meeting password and distribute it to participants separately from the link. Some platforms can embed the password in the join link itself; when that option is enabled, the link alone grants access and distributing the password separately provides no additional protection.
- Where available, enable the waiting room feature so that the host must admit each attendee before they can see or hear the meeting.
- Do not hand control of your screen to another participant. Hosts can restrict screen sharing to the host only in most meetings and should do so by default.
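The checklist above can be turned into a repeatable review. The following is an added example, not code from the original advisory or from any conferencing vendor: it evaluates a meeting's settings and invitation against the five points and also scans free text for join links that carry an embedded passcode. The settings keys, the public-channel names, and the join-link shape `https://<host>/j/<id>?pwd=<token>` are assumptions for the example; the sample meetings are constructed.

```python
"""Checklist review of a video meeting's configuration and invitation.

Added example, not code from the advisory or any vendor SDK. A meeting is
described by a plain dict with the hypothetical keys used below; the join
link is assumed to follow https://<host>/j/<id>[?pwd=<token>], where a
'pwd' query parameter means the passcode is embedded in the link.
"""
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical names of channels the organization treats as public.
PUBLIC_CHANNELS = {"twitter", "blog", "company-website", "public-slack"}

# Assumed join-link shape: https://<host>/j/<9-11 digit id>[?query]
MEETING_LINK_RE = re.compile(r"https?://[\w.-]+/j/\d{9,11}(?:\?\S*)?", re.IGNORECASE)


def find_meeting_links(text: str) -> list[dict]:
    """Return each meeting join link found in text, flagging embedded passcodes.

    Useful as a pre-send check on outgoing posts or messages.
    """
    links = []
    for url in MEETING_LINK_RE.findall(text):
        query = parse_qs(urlparse(url).query)
        links.append({"url": url, "embedded_passcode": "pwd" in query})
    return links


def review_meeting(meeting: dict) -> list[str]:
    """Evaluate one meeting against the hijacking checklist.

    Returns a list of findings; an empty list means every check passed.
    """
    findings = []
    if not meeting.get("password"):
        findings.append("no meeting password configured")
    if not meeting.get("waiting_room"):
        findings.append("waiting room disabled; anyone with the link joins immediately")
    if meeting.get("screen_share") != "host_only":
        findings.append("participants may take over screen sharing")
    if meeting.get("uses_personal_meeting_id") and meeting.get("public_event"):
        findings.append("personal meeting ID used for a public event")
    for link in find_meeting_links(meeting.get("join_link", "")):
        if link["embedded_passcode"]:
            findings.append("passcode embedded in join link; the link alone grants access")
    public = PUBLIC_CHANNELS & set(meeting.get("shared_via", []))
    if public:
        findings.append("join link shared on public channel(s): " + ", ".join(sorted(public)))
    return findings


# Constructed samples: one meeting as typically set up, one hardened per the checklist.
WEAK_MEETING = {
    "join_link": "https://video.example.com/j/12345678901?pwd=abc123",
    "password": "abc123",
    "waiting_room": False,
    "screen_share": "all_participants",
    "uses_personal_meeting_id": True,
    "public_event": True,
    "shared_via": ["twitter", "email"],
}

HARDENED_MEETING = {
    "join_link": "https://video.example.com/j/12345678901",
    "password": "sent-separately",
    "waiting_room": True,
    "screen_share": "host_only",
    "uses_personal_meeting_id": False,
    "public_event": True,
    "shared_via": ["email"],
}

if __name__ == "__main__":
    for name, meeting in (("weak", WEAK_MEETING), ("hardened", HARDENED_MEETING)):
        print(name, "->", review_meeting(meeting) or ["no findings"])
```

The weak sample produces five findings even though a password is set, because the passcode is embedded in a link that was posted publicly; that combination is the one a checklist read literally ("configure a password") will miss.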
Data Privacy and Compliance Archiving
What’s the risk?
Recent news articles have raised concerns about video session encryption. While session data is encrypted "at rest and in transit", end-to-end encryption (E2EE) is not currently available by default on major platforms including Microsoft Teams, Slack, and Zoom. In-transit encryption protects the link between each client and the provider's servers, but the provider decrypts the traffic at its servers, so the provider can access audio, video, chat and shared content from the session. This configuration is most commonly used to support services such as archiving and e-discovery, but companies should carefully review privacy statements, underlying data platform configurations, and data locations to ensure alignment with privacy and compliance requirements.
While there is no workaround that enforces full E2E encryption on these platforms, users can apply behavioral best practices to reduce the risk of communicating sensitive information with remote users and counterparties, including:
- Send confidential data only through approved mechanisms, e.g. encrypted email or encrypted file sharing.
- Enforce meeting restrictions (password, waiting room, host-only screen sharing) when conducting conversations about sensitive or confidential information.
- Do not use the video session's chat to share confidential information; chat content is visible to the provider in the same way the session itself is.
- Do not use screen sharing to reveal or present confidential information.
- Ensure your software license tier matches the type of communication the organization needs; with some providers, archiving and e-discovery are available only on enterprise versions.
Recommended Next Steps
Video conferencing can be implemented as a unified communications solution to enhance remote telecommuting capabilities for firms continuing operations throughout the COVID-19 pandemic. Be aware of the associated risks and implement corresponding safeguards to minimize data security threats. In addition to the recommendations noted above, firms should consider:
- User Awareness and Training: users who understand the risks and proper system use can actively participate in securing information systems and data assets.
- Secure Data Transmissions: share data only via approved mechanisms and ensure sensitive data is transmitted only over encrypted channels.
  - Users within Microsoft's hosted ecosystem can share via OneDrive / SharePoint.
  - Users outside the Microsoft ecosystem should use encryption solutions such as Information Rights Management (IRM) or email encryption.
- Monitoring Capabilities: as with other business communication solutions, ensure that capabilities to monitor and archive communications in line with regulatory and compliance requirements are implemented and functioning properly.
Questions? Need Help?
Current RFA Clients are encouraged to contact their account manager to learn more about video conferencing options or email email@example.com.
As always, for any users requiring assistance, please contact the 24×7 RFA Service desk using 212.867.4600 (US) | +44 (0) 207 093 5000 (UK) or via email using firstname.lastname@example.org.