Video teleconferencing (ITSAP.10.216)

Video teleconferencing (VTC) applications can allow your organization to meet and work with employees, clients, and partners in different geographic locations. However, there are security and privacy risks that you should consider before selecting and implementing VTC applications. By identifying the threats and risks related to these tools, you can implement the appropriate security measures and best practices to protect your organization’s virtual work environment.


Benefits of video teleconferencing applications

VTC applications can increase productivity and improve collaboration between your employees, clients, and partners. These applications are more engaging than phone calls and offer face-to-face interaction. Many of them have built-in collaboration tools, such as screen and file sharing, as well as recording capabilities. You can host meetings of various sizes without having the physical space to do so.

There are many applications that are available for free or offer subscription options with a sliding fee scale, depending on the services that your organization needs.

Risks of video teleconferencing applications

There are many VTC applications to choose from. Keep in mind that the security of your organization’s systems and information will be affected by how the vendor prioritizes security and how you use and secure these applications.

Threat actors can take advantage of vulnerabilities and software flaws and use brute force attacks to steal information or gain access to private discussions. If sensitive information is discussed or shared on a VTC application, you may be at a higher risk of a data or privacy breach. This could jeopardize your organization’s reputation and relationships with clients and partners.

Insecure bridging to external services is another risk of VTC applications. Many VTC services allow a telephone dial-in option, a form of bridging, for guest users. Even if the VTC application uses cryptography and good security practices, its security will be downgraded to the level of the external service. Sensitive or personal VTC content may be exposed when shared with an external service such as those providing translation or transcription.

Threats to video teleconferencing applications

Threat actors target VTC applications to disrupt meetings, overload services, eavesdrop on calls and steal information. They use various methods to attack VTC applications, including the following:

  • Brute-force attacks: A threat actor automatically scans a list of possible meeting IDs to try to connect. If successful, the threat actor can conduct:
    • meeting bombing by eavesdropping or disrupting the meeting by sharing inappropriate or explicit content
    • screen scraping by collecting screen display data from a compromised system
  • Malware: A threat actor infects devices by sharing malicious attachments, links or applications
  • Phishing: A threat actor initiates a VTC by imitating a trusted contact
  • Insider threat: Personnel can accidentally or purposely compromise your organization’s VTC meetings, such as when an untrained employee mistakenly shares information like meeting credentials

Never share highly sensitive information over VTC applications. Use other methods if you need to share such information, such as secure encrypted messaging.
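The brute-force scanning of meeting IDs described above leaves a recognizable trace in join logs: one source trying many different meeting IDs in a short time, with most attempts failing. The following detection sketch is an added example, not part of the original guidance; the log format, the result values (`not_found`, `wrong_passcode`, `joined`) and the thresholds are assumptions to adapt to your VTC platform's log export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample join log (hypothetical format):
# timestamp, source IP, meeting ID, result
SAMPLE_LOG = """\
2024-05-01T10:00:01 198.51.100.7 100000001 not_found
2024-05-01T10:00:03 198.51.100.7 100000002 not_found
2024-05-01T10:00:05 198.51.100.7 100000003 wrong_passcode
2024-05-01T10:00:07 198.51.100.7 100000004 not_found
2024-05-01T10:00:09 198.51.100.7 100000005 not_found
2024-05-01T10:00:11 198.51.100.7 100000006 joined
2024-05-01T10:00:02 203.0.113.20 555000111 wrong_passcode
2024-05-01T10:00:20 203.0.113.20 555000111 joined
2024-05-01T10:05:00 203.0.113.21 555000111 joined
2024-05-01T10:30:00 203.0.113.21 555000222 joined
"""

def parse(log):
    """Yield (timestamp, source, meeting_id, result) for each log line."""
    for line in log.strip().splitlines():
        ts, src, meeting_id, result = line.split()
        yield datetime.fromisoformat(ts), src, meeting_id, result

def find_id_scanners(log, window=timedelta(minutes=1),
                     min_ids=5, min_fail_ratio=0.8):
    """Return {source: max distinct meeting IDs tried in one window} for
    sources whose attempts in that window were mostly failures."""
    by_src = defaultdict(list)
    for ts, src, meeting_id, result in parse(log):
        by_src[src].append((ts, meeting_id, result != "joined"))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            ids = {meeting_id for _, meeting_id, _ in chunk}
            fails = sum(failed for _, _, failed in chunk)
            if len(ids) >= min_ids and fails / len(chunk) >= min_fail_ratio:
                flagged[src] = max(flagged.get(src, 0), len(ids))
    return flagged
```

A user who mistypes a passcode for one meeting is not flagged, because the check counts distinct meeting IDs rather than failed attempts alone. A flagged source that also has a `joined` entry points to a meeting that should be treated as exposed.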

Security tips for organizations

To mitigate the risks associated with using VTC applications, your organization should take precautions when selecting, implementing and using the application.

Choosing the application

  • Opt for vendors that can demonstrate that they abide by Canadian privacy laws to ensure your information is protected from unauthorized users and sharing
  • Use existing and tested corporate solutions whenever possible
  • Download applications from trustworthy vendors
  • Select a VTC application with customizable security controls to meet your requirements and be aware that security controls may differ between free and paid versions
  • Test the application before organizational use

Securing the application

  • Consider using a VTC solution that does not require participants to install software, such as VTC web versions, which do not require user updates
  • Update default settings, as they are often less secure
  • Activate security capabilities such as encryption and access control features
  • Deactivate features you are not using, including file sharing, screen sharing, and transcript generators
  • Ensure administrative privileges are restricted to those who require them
  • Ensure end-user and conferencing devices are current with software updates and patches
  • Deactivate unnecessary or unrequired services
  • Where possible, activate device logging capabilities to help with incident response activities
  • Use restricted end-user devices for collaboration and meetings when travelling or attending meetings outside trusted zones

Securing your meetings

  • Use a meeting passphrase or password
  • Keep the meeting link and password private
  • Ensure participants can only join the meeting if the host is present
  • Use a waiting room for participants, if available
  • Keep the number of meeting administrators or hosts to a minimum

Security tips for employees

Security training is an effective way to protect your organization from cyber threats and create a strong security culture. You should remind employees of the following security tips before they use VTC applications:

  • Use only corporate-approved VTC applications for work purposes
  • Activate strong encryption protections on your Wi-Fi network to protect your communications
  • Keep the meeting ID and password private
  • Use strong passphrases for accounts
  • Use multi-factor authentication if available
  • Verify the domain and URL before clicking on links

How to respond to an incident

If you suspect any malicious activity on your VTC meetings:

  1. stop the meeting
  2. identify the information at risk to determine if sensitive business or personal information was shared during the meeting
  3. change meeting IDs and passwords for any recurring or scheduled meetings
  4. report activity to the Cyber Centre by email at contact@cyber.gc.ca
