According to research from analyst Frost & Sullivan, the overall video and web conferencing market is on a high growth trajectory and is forecast to grow from $8.5 billion in 2017 to $11.0 billion by 2023. This expansion is, in turn, fuelling growth in virtual meetings, which offer participants a wide range of advantages, from cost savings to reduced environmental footprint to increased productivity and efficiency to real-time information sharing. Virtual meetings, in short, offer a myriad of benefits to participating organisations, but they also bring with them challenges and risks.
Company meetings often discuss sensitive and confidential information, so if this information is misplaced or leaked it could have massive impacts on the company. While companies cannot fully stop what is leaked by employees, they can ensure that the technology they are using in virtual meetings to connect with one another is secure and that no data leaks happen. Here, Pete Eyre, Managing Director at Vevox, evaluates the potential risks companies face in conducting virtual meeting communications and how they can best mitigate them.
Scoping the Challenge
While we are seeing the level of understanding about the security challenges of virtual meetings increasing and also a growing interest among businesses in raising their awareness levels further, there are still a lot of businesses where virtual meeting security is not fully focused on or seen as a priority. Certainly, issues like GDPR have heightened the awareness of many organisations of the importance of security and the fact that there are security risks out there. Typically, though, the focus is often on areas like email security and password protection. Those are critically important, of course, but there can be some complacency around meetings security. That is often because people believe that meetings are an inherently safe space. They forget that while they might need to use passwords to log into their email programs, they also need to carry that security on into their meetings. Whether they are using software internally or externally, they still need to put that health check in place.
Many don’t have complete clarity on the networks they’re using, whether their Wi-Fi is on a closed network, for example, or whether they are using free software. They don’t think beyond having a meeting ID and consider whether they actually need a password for a particular meeting, for instance, or what might happen if leaked content could be attributed to an individual.
For many businesses, the biggest hurdle is understanding the platform that they’re using and understanding what levels of security it can offer. Often, therefore, there is a desire to take security seriously but a lack of understanding about how best to do that. At Vevox, we believe that software providers have a duty to their customers to be upfront and transparent about security considerations and concerns. Vendors need to be focused on giving the right advice. They should not just be focused on selling software but rather on looking after customers all the way through their journeys.
It is crucial that security issues are considered from the outset of any virtual meeting, understanding what the customer’s requirements are and making them feel confident that those requirements are met.
Businesses will do best if they adopt a prudent and measured approach. There is never any need to break GDPR rules or cut corners in any way. It is about understanding your qualities and making sure your vendor is aligned to them.
With regard to GDPR, the risks that businesses run will very much depend on how they plan to use the data they collect as part of the virtual meeting process. If the data that is being collected is anonymous response data, for example, then the business concerned does not need to worry itself about the GDPR ruling. Ultimately, the ethical consideration has come down to the meeting organiser, and then how they store data as a company or process data as a company. In our view, the GDPR ruling has done a really good job of making organisations focus on what they need. In fact, it encourages them to collect only what they need and to collect permission to use it.
What to Look For
So, given all this, what are the key elements that organisations need to look for from their meeting app and meeting app provider? First, it is key that they look for providers who are well-informed, who have all the relevant security-related information on hand. Providers should be there to assist with policies, the architecture of the platform, recommendations for its use and terms and conditions and so on.
They also need to look at whether the provider has been independently verified, that it complies with the ISO27001 standard, for example, and that its architecture is regularly pen tested. But it is also important to be aware that security threats are evolving all the time, so any chosen provider needs to be cognisant of that, continuously monitoring for new threats and adjusting its approach accordingly.
Businesses should also look for providers that supply robust meeting IDs unique to each meeting, features in place within their architecture that prevent people from running software over the top of it to access the meeting, sharing an ID or simply guessing their way into a meeting, and that are also transparent about the partners they work with and the architectures they use.
Ultimately, though, it’s critically important to realise that no provider can mitigate risk altogether for the organisations they work with. The ultimate responsibility for the way data is used comes down to the owner or the facilitator of the meeting, and how they store or process data as a company. There is a lot they can do here about making participants aware of what data they are collecting and how they are going to process and use it. When meetings involve discussions concerning confidential or commercially sensitive information, meeting organisers need to be making the right choices about who they invite to any given meeting. It is good practice to only invite the essential attendees, to ensure this information stays at an appropriate level. Equally, businesses should be careful about leaving meeting details lying around: whether it is the agenda, who is being invited, or even the access details themselves.
The truth is, of course, businesses can never eliminate human error altogether but by putting in place intelligently-designed processes and intelligent systems, they can at least mitigate the impact of any errors and go a long way towards creating a virtual meeting environment that is safe and secure for all.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.