InfoSec Blog - Tips for Secure Staff Web Conferences
March 30, 2020 (Updated May 29th, 2020)
As we all settle into the new reality of working remotely, one of the tools that we will rely on heavily is web conferencing. At the University of Guelph we offer Zoom for academic instructional purposes, and both Cisco Webex and Microsoft Teams for business and administrative functions. Getting started with these solutions is very straightforward; however, there are security settings that should be considered as you begin to use them more frequently.
This blog post is specifically intended to provide best practices for running secure web conferences where sensitive or confidential business information will be shared. We will focus on features of the business-focused platforms Cisco WebEx and Microsoft Teams, as these tips are not intended for online lectures or general-purpose web conference calls, which have different needs and security considerations.
By exercising caution and following these tips, you will remain in control of your web conference, ensure that it doesn't get hijacked, know who is listening in, and protect sensitive information.
Before the Call
- Set up a complex host password for your account and never share it with anyone.
- Create a complex meeting password for all of your meetings. Never reuse meeting passwords and only share the password with those who need to attend. (WebEx Feature Only)
- Do not include the meeting password in the meeting invitation, but instead share it via some other means such as a phone call or in a separate targeted email. This prevents unauthorized access in case the invitation email is forwarded to an unintended recipient. (WebEx Feature Only)
- Require attendee registration, which allows the host to approve ahead of time who can and cannot attend.
- Specifically ask invitees not to forward meeting invitations.
- Configure the use of entry/exit tones so that you know when someone new joins the conference. For meetings with a large list of attendees this may be a distraction if people join late or need to leave early.
- Don’t allow the meeting to begin until the host joins. (WebEx Feature Only)
Once the Call Starts
- Pay attention to the participant list, and ask unknown parties to identify themselves or remove them from the call.
- Never share sensitive information in your meeting until you are certain of the attendees.
- Disable or limit attendee features that are not needed, such as viewing the attendee list, public chat, private chat and file sharing.
- Disable screen sharing for participants and only delegate control when necessary. If it is needed, remind participants not to share sensitive information inadvertently.
- Disable annotations and whiteboards to prevent attendees from drawing on the screen.
- Only record meetings when necessary and ensure all participants know that it is being recorded.
- Never record calls with highly sensitive information, such as health information, unless it has been specifically approved.
- If possible, protect the contents of your recordings by adding a strong password.
- Delete recordings when no longer needed.
- WebEx - https://help.webex.com/en-us/8zi8tq/Cisco-Webex-Best-Practices-for-Secure-Meetings-Hosts
- Teams - https://www.microsoft.com/en-us/microsoft-365/blog/2020/04/06/it-professionals-privacy-security-microsoft-teams/?ocid=2438669&MC=SecSys&MC=SysMagSof&MC=WinServer&MC=EntMobile&MC=MsgCollab
- OpenEd Zoom Support - email@example.com
- OpenEd Tip Sheet for Zoom - https://opened.uoguelph.ca/instructor-resources/resources/Zoom_Security_Privacy_BestPractices.pdf
- OpenEd Zoom Security Checklist - https://opened.uoguelph.ca/instructor-resources/resources/OpenEd_ZoomSecurityChecklist.pdf
- FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic - https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic
Written by: Stephen Willem (Chief Information Security Officer)