Advice: Web conferencing security

Advice: Web conferencing security

2 April 2020

In light of COVID-19, many businesses and individuals are now turning to web conferencing systems, like Zoom, Skype, Google Hangouts, GoToMeeting and Cisco WebEx to connect online.
Web conferencing systems are great for providing real-time chat, being able to see and hear other participants and in some cases, to share or transfer files.
As we increasingly use web conferencing to keep in touch from home, cybercriminals may look to take advantage – attempting to intercept sensitive conversations, or tricking people into downloading malware on their devices.
To help you select a web conferencing system and understand how to use it securely, the Australian Cyber Security Centre has developed guidance, which we encourage you to follow and share with your colleagues, staff, customers and other contacts.

How to stay safe when using web conferencing technology
Whether you’re a business considering different web conferencing options, or an individual running a conference call, there are simple steps you can take to make sure you’re using the technology securely and reducing your exposure to cybercriminals.
For businesses
  • Check the protections used by the provider. For example, depending on what country they’re based in, the provider may be subject by law to covert data collection requests and access. You should also read the provider’s terms and conditions carefully, paying close attention to conditions like whether the service provider claims ownership of any recorded conversations and content.
  • Check that the provider offers multi-factor authentication for users to access the system.
  • Check what information is collected by the service provider and how it is used. Such information can include names, roles, organisations, email addresses, and usernames and passwords of registered users. This will help inform what the privacy, security and legal risks are with using a provider.
  • Review the provider’s security documentation, such as terms and conditions, against your organisation’s security needs. For instance, would accepting any of their security conditions breach your organisation’s liability rules, particularly around data handling and storage?

For individual users
  • Establish your meeting securely by sending invitations and logon details separately from the invitation through a secure method, like email or encrypted messaging apps. Do not share website links or logon details on publicly-accessible websites or social media.
  • Be mindful of the sensitivity or classification of your conversations.
  • Be aware of your surroundings and use a private room or headphones if possible. If around others, keep the microphone on mute unless speaking. This helps to ensure sensitive conversations aren’t accidently overheard.
  • Where video is required, try to position your camera so it is only capturing your face, so that again, it doesn’t broadcast private or sensitive details in your background.
  • Only allow invited participants to join the meeting – and be aware of any unidentified conference participants (ask people to identify themselves).
  • Only share individual applications when screen sharing, rather than your whole screen so you don’t share more content than is needed.
  • If you’re using a web conferencing solution on your personal device, make sure you have the latest software and security updates installed. This will help prevent cybercriminals using weaknesses in software to access your devices.

More information
Visit cyber.gov.au for advice to help businesses stay secure from cyber threats while managing a remote workforce.

To stay up-to-date on the latest online threats and how to respond, sign up to the Stay Smart Online Alert Service.

If you’ve suffered financial loss from cybercrime, report it to ReportCyber at cyber.gov.au/report.

The information provided here is of a general nature. Everyone’s circumstances are different. If you require specific advice you should contact your local technical support provider.
Feedback
Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.

Disclaimer
This information has been prepared by the ACSC. It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.