In the weeks since the coronavirus outbreak began in the U.S., meetings of all forms have shifted to take place virtually.

Online meeting services are being used not only to conduct traditional business meetings, but also for schools to host remote learning sessions, nonprofit organizations to meet with members, and even for family and friends to enjoy spending time virtually. This has led to a rapid adoption of video-based meeting solutions such as Zoom, Cisco WebEx and Microsoft Teams, among others.

However, as quickly as the meetings shifted to become virtual, nefarious online actors began to take advantage of the opportunity. Reports circulated around hijackers infiltrating online sessions that they weren’t invited to in, a phenomenon called “Zoom-bombing.” Many people became concerned about software vulnerabilities leaking their personal information or even allowing cybercriminals to take over their device.

The security of virtual meetings depends upon a few factors. It is important to consider the security of the meeting application, as well as the infrastructure on which the meeting is being hosted. However, the security controls of the meeting host and behavior of participants are also key factors determining whether a virtual meeting is susceptible to outside threats.

Here are the steps that business leaders, meeting hosts and end users should take to ensure that their virtual meetings remain secure and private:

Best practices for enterprise decision makers

First, when choosing a meeting solution provider, evaluate the security of the application itself. Look for solutions that offer end-to-end encryption, which prevents data from being viewed or accessed by the service provider. Review compliance with local data privacy regulations such as GDPR and CCPA. Ensure that solutions offer robust security controls, such as options for password-protected meetings and single-sign-on.

Once a meeting solution provider has been selected, evaluate your infrastructure to ensure it is protected against potential threats from videoconferencing software. Cloud infrastructure should comply with stringent security standards, such as ISO 27001 or FedRAMP.

Online meetings should only be taken from company-issued laptops and mobile devices. In particular instances where that might not be possible, employees should make sure to take basic security precautions on their personal device. This includes using a complex passcode for device login, installing an endpoint protection solution and removing other meeting clients from the device.

Finally, mandate that information technology administrators configure application settings for maximum security. Require users to sign in to their online meeting account before joining – in other words, disallow “guest” logins. Some organizations will only enable online meeting applications to be used over a remote access application, such as a VPN, but this can degrade performance. Requiring sign-in via an SSO solution can be a strong alternative for certificate-based device binding.

Require all meetings to be set with a Host/Leader passcode. Set rules within the solution to impose the complexity of the passcode, which should be at least six alphanumeric characters. Additionally, meeting IDs should be randomized, rather than fixed. These practices ensure that users without the meeting ID and associated passcode will not be able to use the online meeting space fraudulently.

Best practices for hosts and end users

Many of the security issues with meeting solutions that have been reported in recent weeks relate to host and user best practices, as opposed to technical faults with the solution itself. Although the IT function can take some control of the situation and require certain baseline security standards, meeting hosts have a responsibility to reduce the security risks associated with online meetings.

When setting up a meeting, hosts should omit sensitive information in the meeting invite. For example, avoid titling the meeting “Meeting on acquisition of Company X.” For highly sensitive meetings, send the passcode in a separate email. Also, prohibit users from sharing documents through the application chat panel. File-sharing should only be done through secure content collaboration platforms.

For use cases such as remote classrooms, where the host wants to maintain an extra level of control, the meeting can be set so that it will not start until the host arrives. The host of the meeting will have a separate PIN from attendees, and then attendees are parked in a waiting room until the host joins. Once started, the meeting can be locked so additional participants cannot join without approval. Only the host will be able to present, unless they specifically delegate control to an attendee.

Users can also take responsibility to maintain best practices for secure online meetings. Do not forward meeting invitations, and only join meetings from a company-issued device that’s signed into the corporate meeting solutions account. Use the link in the invitation to join, rather than dialing in to the conference bridge directly. Join meetings using VoIP or PC audio whenever possible, as this media can be encrypted, whereas telephone calls are not encrypted.

Mike Fasciani is a research director for unified communications and collaboration at Gartner, focused on helping clients make strategic decisions about deployment options, business cases, vendor selection and overall digital workplace trends in the UCC industry. His research interests include cost-effective UC migration strategies, Session Initiation Protocol networking, WebRTC-based solutions, cloud UC deployments and work-stream collaboration applications.

Image: VISHNU_KV/Pixabay