_This is the seventh episode of our COVID-19 webcast series. In this episode, Partner Mark Shaw wants to look at the legal and regulatory risks around the use of virtual conferences during the COVID-19 pandemic._
Transcription of the video:
In each of its communications on remote working during the COVID-19 pandemic, the CSSF has stressed the need for firms to ensure satisfactory IT security conditions for their employees.
A key development in remote working has been the exponential growth of third-party video conferencing services like Google Hangouts, Zoom, Webex, Skype, BlueJeans to name a few.
Like all aspects of cybersecurity, the most common weak point in the system is the users, and poor security discipline creates legal and regulatory risk.
Let’s take a look at some of the ways to mitigate these risks.
1. Consider how you appear
Or perhaps, more importantly, the area behind you.
Does it include any material or items that might compromise your privacy or security? Or any commercially sensitive information, like a whiteboard?
Hackers are very good at using data that you may think is benign for social engineering purposes – anything like a personal photo, artefact or even a pet wandering into view could provide valuable data to a hacker.
Lurking on large video conferences gives hackers access to live images of a large number of households, so consider using an electronic background or avoid using the webcam altogether (although I’ll come on to why this could pose an issue for hosts of calls).
As a wider security point you should deactivate your webcam when not in use. Ideally also use a physical cover: either a piece of tape or a slidable cover, like this – if you get in touch we’d be happy to send you one.
Does the service you are using indicate when you are being recorded? And if so, how?
The safest approach is similar to that for email – assume you are being recorded and consider how this would appear in a courtroom.
Meetings shouldn’t be recorded unless necessary, and hosts should be clear to participants where recording is used.
3. Who’s on the line?
If you are the host of a call then of course you should always use a password and only share this with known participants. Clearly don’t share the password or other details on social media!
Verify the identity of all participants on the call. Of course, seeing attendees helps you to verify them, but they may be practicing their own good security and not using video!
Some facilities provide waiting room facilities, and these are a good way of verifying the identity of participants before letting them into the conference.
4. Beware when screen sharing
Screen sharing has huge potential for legal and reputational risk.
Limit the ability for screen sharing to the host, or to a person the host selects. This removes the possibility of someone sharing content by mistake or maliciously.
When screen sharing, only share the application needed, as opposed to the whole desktop, because even an icon or stray file name could give away sensitive company information.
5. Choose your product carefully
Always check the terms and conditions of the service you are using.
Beware of free products – consider the internet adage “if the product is free, then you’re the product”.
So check whether the provider is collecting, selling or sharing your data to fund the provision of any free service.
And when you’ve chosen your product, always ensure you use the latest version of its software.