In a recent blog, we discussed key cybersecurity risks that businesses are facing during the COVID-19 pandemic. Now, we want to zoom in on a particular risk: videoconferencing.
As people continue to keep their physical distance, companies are quickly implementing off-the-shelf videoconferencing tools to maintain visual interaction among employees.
But when using these videoconferencing tools, companies should keep their eyes open to certain unique risks, and mitigate them where they can.
The core challenge is not videoconferencing itself. It’s that companies are quickly turning to tools that were meant for a smaller scale or a more casual context, and they’re doing so before they’ve necessarily had time understand the particular challenges that a videoconferencing tool may present.
Zoom is just one example but it’s an instructive one. Last month, the Office of the New York Attorney General sent a letter to Zoom citing its concern with Zoom’s “existing security practices” that may not be “sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network.”
The letter also called out specific risks, such as those “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams,” which was announced by a cybersecurity analyst on the same day and is a repeat issue from 2019.
The same day, the FBI released a statement to Zoom users on safety precautions and noted several recent incidents of session hijacking (“zoom-bombing”).
The point is not that there’s an inherent problem with Zoom or any other particular product—the problem is simply that these products are being used on a scale that’s unprecedented, in new contexts, and potentially before companies are ready for them.
Employees using newly introduced software with little to no training may compound the inherent security or privacy risks. Put simply, people just haven’t had time to learn to use these products in a safe way.
For example, these videoconferencing tools often use data centers located outside the countries in which users are located. It might not even be apparent where the data centers are located. That means that companies and users might be exposing their data to regimes that don’t necessarily honor privacy the way that they may expect.
In normal circumstances, companies have time to conduct diligence and get a handle on this risk before rolling out new tools to employees. But at the moment, diligence can be a luxury that many companies feel they can’t afford.
Similarly, some of these products were developed in jurisdictions known for industrial espionage. Even state-sponsored industrial espionage.
That may present a trivial risk when the resulting videoconference platforms are used for friends to chat, but it presents an entirely different level of risk when used for a sensitive business negotiation, or getting a credit card number from a customer, or giving professional advice.
Some of these products have made it extremely easy for users to record conversations. That’s a great technological achievement, but is it a sound legal choice?
To record a private conversation in the United States, all states and the federal government require the consent of at least one party to that conversation. A few states require the consent of all parties. (California, Delaware, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, and Washington.)
If you fail to get consent, recording the conversation may be deemed criminal wiretapping. Ordinarily, this isn’t a huge risk. For the most part, recording a telephone conversation or an at-the-office videoconference isn’t particularly easy.
To be sure, it’s not rocket science. But there’s enough friction that most users wouldn’t normally think to record a conversation or know how.
Traditionally that meant that the risk was remote enough that many companies didn’t feel the need to train their employees on the various laws governing recording.
The problem in the current environment is that employees are suddenly using tools that make recording easy—all it takes is the click of a button. Your employees might quite innocently not realize that it’s illegal to record conversations.
Plus, because many employees will be using personal accounts to set up meetings, you won’t necessarily be able to set system-wide controls on what users can do.
There’s a flipside risk, too. If you’re on a videoconference with a counterparty, are its employees recording you?
Watergate and some other exceptions aside, most people don’t go around recording conversations, and so most of your employees don’t naturally assume that their conversations might be recorded.
But in the past few years, there has been an uptick in commercial disputes where one party had recorded its conversations with its adversary. And this current moment is just accelerating that risk.
What can you do about these risks?
- Companies should consider actions that it can take to minimize exposure to the risks of using new videoconferencing platforms.
- Consider investing in subscription or enterprise software that includes videoconferencing capabilities and that gives you the ability to set company-wide restrictions on how the software is used.
- If you don’t have time to set up an enterprise videoconferencing system and need to use informal solutions, consider using videoconferencing with just a video feed—audio muted—in conjunction with your existing teleconference bridges for audio.
- Do your diligence quickly on the known security and privacy risks presented by the particular videoconferencing solutions that you find your employees using, and adapt quickly.
- Provide employees with thorough and mandatory training and “best practices” before they can participate in future videoconferences.
- Make sure your employees know never to record a conversation with the consent of all parties, unless they are absolutely sure that all parties to the conversation are in a “one-party consent” state.
- Make sure your employees know that they can never assume that what they say will stay private.
