by Sabrina Stein

Who would have expected at the end of 2019, that at the same time extremely much people could no longer go to work, students would study at home without their classmates and that friends would no longer be allowed to see each other (at least in a group)?

And at the same time: Who would have expected that, despite all this, it would be possible for a great many people to work productively together in a team, yet still communicate with teachers, classmates or fellow students and regularly "meet" friends or get in contact with family members? All of this has worked surprisingly well over the past few weeks - thanks to video conference software! However, there were also “complications” when using these services. The current blog article describes how you can avoid this.

Secure videoconference

Video conference very quick and easy !?

For many, organizing video conferencing software and then just starting it is no big deal. With the many benefits of the services, the risks are often forgotten.

Many people like to be guided by friends, acquaintances or search engines when making a selection and trust relevant recommendations or prominent Google positions - but is that sufficient as a selection criterion? Most likely not! - because cyber criminals are also aware of the situation and the "negligence" of users and often cleverly exploit weak points!

We would therefore like to urge the readers of our blog to use services not only because everything has always gone well so far or because countless people do this too. Or maybe simply because the programs are free (which doesn't have to mean anything negative).

We would like to name a few points that you should definitely consider when choosing a solution and show you how you can manage to protect your data and that of all participants well and responsibly, regardless of the software you choose! - We want your security!


Why is video conferencing security so important?

In video conferences - whether private or business - a lot of confidential or personal information is often exchanged. The latter in particular are particularly worth protecting in accordance with the EU GDPR. But just for reasons of trust, we should treat information from and about other people with a lot of respect and ensure that it is only accessible to authorized persons.

Information worth protecting includes, for example:

  • Statements about customers, employees and other people
  • Information from schedules
  • Contents of exchanged files
  • Background documents with details of who is attending the conference
  • but also: information about who is still in the conference room and for how long
  • Etc.

In addition, conference participants should only receive information that they are allowed to receive - and especially information that will not harm them!

The discussions about a well-known and widely used video conferencing service in the last few weeks show how important the security aspect is, but they are often ignored. For example, cyber criminals sneaked into video conferences that were attended by children and presented illegal content. In addition to the inadequate access control, the inadequate encryption method was also criticized.

Since this and other incidents, the service provider has taken some security precautions. Corresponding incidents show, however, that on the one hand it should not always be assumed that the security that is actually to be expected is given, on the other hand, countless users have not thought about data security.

The public reports have shown us exactly the points to look out for!

There are a few easy-to-remember pillars that should always be considered:

  • Appropriate encryption (of the data transmission and the transmitted data)
  • Access control for everyone who receives the data
  • conscious selection of the information transmitted


What should you pay attention to specifically?

When it comes to security, a distinction must be made between different levels at which risks can arise. On the one hand, the technical level (software and transmission) and, on the other hand, the behavioral level, which includes, for example, the decision about transferred data and its storage. In the following we explain the first level in more detail.


Encryption

It must be ensured that encryption is carried out in various ways - on the one hand with regard to the data and on the other hand with regard to its transmission. If this does not take place, it is particularly easy for hackers to intercept the information on its way from the sender to the recipient.

Therefore, the transmission should not just take place via TLS protocol (SSL certificate), but using end-to-end encryption. Here the information is encrypted at the sender and decrypted at the recipient. You should pay attention to this type of data encryption not only with video telephony, but also with other digital communication services.


Data protection and server-side security

If you want to keep confidential data of your employees, customers, friends and family members GDPR compliant (and you should definitely do this in a business context!), A video conferencing service from the EU is definitely preferable to a non-EU country. Because it is more likely that this also corresponds to the relevant data protection regulations. In this case, personal data will be treated appropriately and lawfully.

If you choose a service that runs over a server, not a peer-to-peer connection (directly from user to user), there are a few security considerations to consider! This also applies if data is stored on a central server as part of communication.

In this case it is important that it is located in an EU country - even better in the country where you are based. Otherwise, there may be conflicts with the applicable data protection law. Please note that many messenger, e-mail, cloud and conference services also save their data on servers in America.

Insecure servers in particular are a popular point of attack for hackers. The data centers in which the server is located should therefore also have high security standards and ideally guarantee good performance and high availability.

A current TÜV certification can, for example, provide an indication of the corresponding safety and quality criteria.

Find out in advance where information about your conference can be stored and which routes they will take!

However, there is another important point about data protection. Many services like to transfer various data about your use of the service to third parties, such as B. Social media providers. When you take a closer look at the privacy policies of some video conferencing services, you sometimes wonder what they are doing with their users' data. Even if it is time-consuming - check the data protection declaration - in detail!


Network connection

If you have connected the device to an untrustworthy network, make sure that you are using an in-house VPN (virtual private network) connection that has been set up by your IT administrator. This may require additional software on your device. With this connection you can, for example, securely access your corporate network from another location.


Conference tool configuration options

You have a lot of data protection and security aspects in your own hands! The following explains some setting options that are available in the tool and that you should also use!

Always check which functions are available in the service of your choice and which are required in the conference! Many tools offer a variety of functions - in addition to the chat, this can of course also be the video and the microphone, but also file transfer or a whiteboard.

Not all functions are always necessary. For example, if you want to record an online seminar, it is sufficient if only the speaker can be seen and heard - the participants do not need to be seen or heard while speaking. Automatic activation of the relevant functions should also be ruled out - and it should also be ruled out that these functions can be activated by persons other than the participant himself.

In addition, the question arises as to whether people who come into the room later should still be able to read the chat that has already taken place - this may be necessary or even questionable depending on the purpose of the meeting.

In no event should the conference be recorded without the consent of all parties involved. It is ideal if this is communicated again by the tool itself at the beginning of the recording - for example via the automatic announcement: "The conference is now being recorded".

Also check whether and where the information transmitted in the conference can be saved and for how long it should be available to whom. This affects the participants on the one hand and the server already mentioned on the other.

Another very important point that has repeatedly emerged from the recent media reports on the given tool: create a meeting ID e.g. a name or link for the meeting that is not easy to guess! And: Use password protection so that only participants who log on with a password can take part in the conference!

If you use a service, please always check whether the aspects mentioned are given and feasible. If not, please consider taking the underlying risk or investing a little more time or money in finding a safe solution for everyone involved.


Behavioral Aspects in Video Conferences

You can use the most trusted software and the most secure server environment. If the person in front of the computer, laptop or smartphone does not handle confidential and personal data responsibly, the entire effort is not worth it.

Therefore please note the following points:

  • Check yourself and everyone involved so that only the necessary information is exchanged in the conference!
  • Pay attention to the perspective! The displayed image area must not contain any confidential information!
  • If this is not done via an automatic announcement: Inform everyone involved about recordings and obtain their consent at the same time!
  • It is also important to check the identity of everyone involved in the beginning so that unauthorized participants can be identified quickly.
  • End the video conference - ideally by logging off each participant independently and closing the application or browser window.

Finally, it is of little use if only some of the employees - or the family - implement the advice given above. Make sure your co-workers, co-workers, and relatives are also aware of the points above.

The current article contains some tips with which you can protect trustworthy data in your company - but also with friends and family during a video conference.

The most important note that you should always pay attention to: Always inform yourself comprehensively beforehand in order to save yourself unnecessary worries afterwards!

You are also welcome to share your tips on the topic with us via our social media channels! Visit us on Facebook or LinkedIn and comment on the article in the blog post.

And above all: stay healthy and confident!

Your Keyweb AG