Soma Tah
The Coronavirus crisis has brought significant changes to life and work. Organizations embraced a ‘remote work’ culture to ensure business continuity during stringent countrywide lockdown measures. The demand for team collaboration and video conferencing tools has skyrocketed for both personal and business interactions. But organizations have now become largely cautious about using these tools amidst the looming data collection and privacy concerns.
Keshav Dhakad, Group Head & Assistant General Counsel - Corporate, External & Legal Affairs, Microsoft India, talks about the risks and also shares some tips for organizations to help them stay protected.
What are some of the common security/privacy breach risks associated with the growing usage of video conferencing tools these days?
While video meetings and conferences are a great way to stay connected in these challenging times, they need to be accessed in a secure and private manner. Some of the common security risks associated with video conferencing include:
Intruders and uninvited attendees: Appropriate access controls should be activated to prevent online intrusion. Organizers should be able to decide who from outside the organization can join meetings directly, and who should wait in the lobby unless granted access.
Unauthorized access to data: Organizers should define who can access and control the data and content shared during online meetings based on user context, device health, location, and more.
Inappropriate content sharing: To avoid video hijacking, organizers should define roles in meetings that clearly designate ‘presenters’ and ‘attendees’ and control which meeting participants can present content during a meeting.
Meeting recording and access: Organizers should control which attendee can record the meeting and notify everyone if this feature is being used. Recordings should be stored in a controlled repository that is protected by permissions and encryption.
Stolen identity and account information: It is important to ensure that the video conferencing tool being used has multi-factor authentication (MFA), as it helps in protecting usernames and passwords. Attackers can take advantage of weak passwords, which can eventually lead to data theft.
How can organizations protect their sensitive data, when they access video conference or collaboration tools?
With the rise in use of video conferencing, organizations need to ensure that their virtual conversations are private and secure. Apart from ensuring that internal cybersecurity tools are available to block potential attacks, the following are simple, yet crucial steps organizations can take to protect their sensitive data.
First, choose a trusted application for audio/video calling and file sharing that ensures end-to-end encryption.
Second, enable multi-factor authentication (MFA) to enhance identity protection and refrain from discussing sensitive information during unplanned meetings. Additionally, block legacy authentication protocols that allow users to bypass MFA requirements. If unable to distribute hardware security devices, use tools like Windows Hello biometrics and smartphone authentication apps like Microsoft Authenticator.
Look out for session recordings, any last-minute changes in participant lists and be cautious in allowing participants access to files and media.
Ensure clear employee guidelines are communicated as workers work remotely. Given their access to proprietary data and information and the organization’s network, they need to be educated on how to identify phishing attempts, how to distinguish between official communications and suspicious messages that violate company policy, and where these can be reported. For example, video is harder to spoof than email; use an official channel like Microsoft Stream so employees are able to distinguish legitimate communications from phishing.
How does end-to-end encryption help?
End-to-end encryption is the most secure way to communicate online, as it protects the content that is being exchanged on a platform from interception by the platform owner or any third party. The content can only be decrypted by authorized users with an encryption key. In the case of video conferencing, this automatically means that data cannot be accessed by anyone, nor can it be sold for ads. In so doing, employees will be able to have secure communications on a standardized platform, and this can be better managed by CISOs through a secure platform.
What does Microsoft Teams offer in this regard?
Microsoft Teams information and conversations are backed by enterprise-grade security features. This includes team-wide and organization-wide two-factor authentication, and Advanced Threat Protection (ATP) for content management, allowing users to determine if content in these applications is malicious, and if it should be blocked from user access.
In Teams, we encrypt data in transit and at rest. TLS and SRTP are used to encrypt all data in transit between users’ devices and Microsoft datacenters, and between Microsoft datacenters. Enterprise data is also encrypted at rest in Microsoft datacenters, in a way that allows organizations to decrypt content if needed, to meet their security and compliance obligations, such as eDiscovery. Additionally, files stored in SharePoint and OneNote are further backed by SharePoint and OneNote encryption respectively.
Teams also supports more than 90 regulatory standards and laws, including HIPAA, GDPR, FedRAMP, SOC, and Family Educational Rights and Privacy Act (FERPA) for the security of students and children.