Alternate format: Video teleconferencing (ITSAP.10.216) (PDF, 807 KB)
By using video-teleconferencing (VTC) applications, your organization can meet and work with employees, clients, and partners who are in different geographic locations. However, there are security and privacy risks that you should consider before selecting and implementing VTC applications in your organization. Identifying the threats and risks related to these tools ensures that you implement the appropriate security measures and best practices to protect your organization’s virtual work environment.
Benefits
VTC applications can increase productivity and improve collaboration between your employees, clients, and partners. These applications are more engaging than phone calls and offer face-to-face interaction between participants. Many of them have built-in collaboration tools (e.g. screen and file sharing, recording capabilities).
You can host meetings of various sizes without needing the physical space to do so.
There are many applications that are available for free or offer subscription options with a sliding fee scale, depending on the services that your organization needs.
Risks
There are a lot of VTC applications to choose from. The security of your organization’s systems and information is affected by how the vendor prioritizes security and how you use and secure these applications.
Threat actors can take advantage of vulnerabilities and software flaws and use brute force attacks to steal information or gain access to private discussions.
If sensitive information is discussed or shared on a VTC application, you may be at a higher risk of a data breach or a privacy breach, which can jeopardize your organization’s reputation and relationships with clients and partners.
Threats
Threat actors are targeting VTC applications to disrupt meetings, overload services, eavesdrop on calls, and steal information. Threat actors use different methods to attack VTC applications:
- Brute-force attacks: A threat actor automatically scans a list of possible meeting IDs to try to connect successfully.
- Meeting bombing: A threat actor joins a meeting to listen in on the conversation or disrupt the meeting by sharing inappropriate or explicit content.
- Screen scraping: Check a link’s URL by hovering your cursor over it and don’t open unexpected attachments.
- Malware: A threat actor can infect devices by sharing malicious attachments, links, or applications to malicious hosts (e.g. websites, software).
- Phishing: A threat actor may attempt to initiate a VTC by imitating a trusted contact (e.g. with a non-functioning camera).
- Insider threat: Vendor personnel may accidentally or purposely compromise your organization’s VTC meetings. An employee may mistakenly share information (e.g. meeting credentials) without having the proper training.
Never share sensitive information over VTC applications. Use other methods if you need to share sensitive information (e.g. secure encrypted messaging).
Security Best Practices
To mitigate the risks associated with using VTC applications, your organization needs to take precautions when selecting, implementing, and using the application. Consider the following tips:
Choose the application
- Download applications from trustworthy vendors.
- Use existing corporate solutions whenever possible.
- Use a VTC application with security controls that can be customized to meet your requirements (e.g. security controls may differ between free and paid versions of the application).
- Use vendors that abide by Canadian privacy laws to ensure your information is protected from unauthorized users and sharing.
- Test the application before organizational use.
Secure the application
- Keep applications up to date or consider using a solution that does not require participants to install software unless necessary (e.g. VTC web versions do not require user updates).
- Change default settings, as they are often less secure.
- Disable features you are not using (e.g. file sharing, screen sharing, transcript generator).
- Ensure administrative privileges are restricted to those who require them.
Secure your meetings
- Secure a meeting with a passphrase or password.
- Keep the meeting link and password private.
- Ensure participants can only join the meeting if the host is present.
- Use a waiting room for participants, if available.
- Keep the number of meeting administrators or hosts to a minimum.
- Never share or discuss sensitive information on teleconferencing applications.
Incident response
If you suspect any malicious activity on your VTC meetings:
- Stop the meeting.
- Identify the information at risk (i.e. sensitive business or personal information shared in the meeting).
- Change meeting IDs and passwords for any recurring or scheduled meetings.
- Report activity to Cyber Centre: contact@cyber.gc.ca
Tips for your employees
Security training is an effective way to protect your organization from cyber threats and create a strong security culture. You should remind employees of the following best practices before they use VTC applications:
- Use only approved VTC applications for work purposes.
- Never share sensitive information over VTC.
- Keep the meeting ID and password private.
- Use strong passphrases for accounts.
- Use multi-factor authentication if available.
- Type the VTC web address manually into a web browser to avoid clicking on potentially malicious links.
- Use a secure Wi-Fi network.
See our related alert, AL20-001 Considerations when using video-teleconferencing products and services.