The pandemic highlighted just how important video is to maintain communication workflows and business continuity for many organizations. But the pandemic also highlighted vulnerabilities in cloud-based video conferencing services, even spawning new terms like Zoombombing.
A year on, remote work is continuing, and some organizations are planning hybrid workplaces as offices reopen. Most vendors have addressed many of the video conferencing security issues that plagued deployments in the early days of the pandemic.
"We learned a valuable lesson last year that you can't assume apps are secure," Metrigy analyst Irwin Lazar said. "We're smarter about security than we were a year and a half ago."
Most organizations have established video meeting security policies that require passwords or waiting rooms, enable encryption capabilities and prevent unauthorized users. However, companies still need to take further measures to protect all aspects of a meeting, including content and devices.
This article is part of
Addressing user behavior
In the pre-pandemic days of video conferencing, the focus on meeting security was in the meeting room itself, such as the endpoints and infrastructure.
"Now, security isn't physical; it's about behavior," said David Maldow, founder of market research firm Let's Do Video.
IT shouldn't simply roll out video conferencing licenses to users, but also train users on how to best use video services to prevent security mishaps. Security training tools could range from publicly available YouTube tutorials to in-house training materials, Maldow said. But training only goes so far.
Irwin LazarAnalyst, Metrigy
"Ultimately, you can't trust users," Lazar said.
Organizations can offer all the training they want, but IT needs to configure services and mandate encryption and passwords as a policy. For organizations using multiple meeting services, IT must keep a consistent policy across apps and services, he said.
IT teams may struggle to balance security needs with ease of use. Part of the process for evaluating video conferencing services is to examine how vendors implement security, Lazar said.
Organizations should look for end-user security controls that are easy to use but also unobtrusive so they don't detract from the meeting experience. For example, a pop-up notification that an attendee is in the waiting room is preferable to hiding waiting room controls in a list of attendees, he said.
Securing shared content and data
One area of concern now for remote meetings is how and where content is stored. Video services can generate different types of content, including chats, shared documents, whiteboard images and meeting recordings.
Organizations in regulated industries, in particular, need to consider certain requirements, such as archiving communications for a certain time period or making content available for regulatory audits. Content shared or developed in a meeting needs a compliance strategy, Lazar said.
But regulated organizations must understand that some video services may not have certain security or compliance certifications. For example, Zoom addresses HIPAA regulations with a focus toward audit controls, access control and authentication. But the agencies that certify HIPAA compliance only certify health technology and not off-the-shelf products like Zoom, Maldow said.
In addition to content sharing, organizations must know where data is sent and stored. Certain regulated industries require data to be sent and stored only in the U.S. Most video vendors have improved their disclosure of where they route traffic, Maldow said. If organizations need to, they can implement geofencing in their meeting service to ensure traffic is routed through specific server locations.
Home video devices create new vulnerabilities
A new wrinkle for video conferencing security issues is the devices users have at home to connect to meetings remotely, such as webcams and headsets. Vendors like Poly and Cisco have introduced more sophisticated devices to improve the quality of the home video experience. These devices aim to provide a more high-quality experience than consumer devices, with capabilities like background noise reduction and directional microphones.
Even with the introduction of enterprise-grade home video devices, home users may also turn to consumer devices from Amazon and Google for their ease of use. Those devices lack many of the security features needed for business communications, and IT is unable to control or manage them, Lazar said.
"It becomes another security vulnerability point," he said. A device could potentially have a weakness in the firmware that could enable someone to connect to the device and watch employees in their homes.
The better option for IT would be to provision devices that meet security requirements and can be centrally managed to ensure patches and updates are deployed in a timely manner, he said.