This document serves as a recommendation to state entities and establishes guidelines, grounded in cybersecurity principles and practices, that individuals and organizations can follow to video conference more securely. Although these guidelines provide general risk advisory guidance, individuals and organizations are responsible for their own risk assessments of specific systems and software. For optimum risk mitigation, organizations should implement measures at both the organizational and user levels.
The State of Kansas, local and federal government partners, the private sector, and the general public have pivoted to widescale remote work and online collaboration. Video conferencing has emerged as a pervasive tool for business continuity and sustained social connection. Although increased telework and online collaboration tools provide necessary capabilities, video conferencing has increased the attack surface exploited by malicious actors.
Once niche products, many of these tools were meant for a subset of the business community and were not scaled for crisis-driven ubiquity. Entire industries, sectors, and stakeholder sets are now profoundly dependent on online tools—simultaneously. Amid the unanticipated exponential growth and unprecedented popularity of these platforms, many video conferencing users have not implemented necessary security precautions—or might be unaware of the latent risks and vulnerabilities.
Risk: The initial settings for home and public Wi-Fi networks and many video conferencing tools are not secure by default, which—if not changed—can allow malicious actors to compromise sensitive data while you work from home.
Mitigation: Change default passwords for your router and Wi-Fi network. Check that you are using Wi-Fi encrypted with WPA2 or WPA3. Verify your video conferencing security settings and use encrypted video conferencing tools whenever possible.
Tips: Here are some simple actionable tips for connecting securely at home.
Risk: Uncontrolled access to conversations may result in disruption or compromise of your conversations, and exposure of sensitive information.
Mitigation: Check your tool’s security and privacy settings. Enable features that allow you to control who can access your video chats and conference calls. When sharing invitations to calls, ensure that you are only inviting the intended attendees.
Tips: Here are some simple actionable tips to help control access to your conversations.
Risk: Mismanaged file sharing, screen sharing, and meeting recording can result in unauthorized access to sensitive information. Uncontrolled file sharing can lead to users inadvertently opening malicious files and clicking malicious links, which could, in turn, lead to system compromise.
Mitigation: Disable or limit screen and file sharing to ensure only trusted sources have the capability to share. Users should be aware of sharing individual applications versus full screens.
Tips: Here are some simple tips for controlling file and screen sharing.
Risk: Outdated or unpatched video conference applications can expose security flaws for hackers to exploit, resulting in a disruption of meeting privacy and potential loss of information.
Mitigation: Ensure all video conferencing tools, on desktops and mobile devices, are updated to the latest versions. Enable or opt in to automatic update features, or else establish a routine (e.g., once weekly) to check for new versions and patch security vulnerabilities.
Tips: Here are some helpful tips to keep applications updated and secure.
In addition to the guidance above, KISO recommends that organization administrators and individual users become familiar with the security settings and capabilities of their preferred video conferencing platform(s). Listed below are links from several popular video conferencing user guides (and their administrative policy settings) that can help individuals and organizations reduce the risk of unwanted interruptions, compromise, or exposure of sensitive data.
KISO recommends that administrators and users examine video conferencing tool user guides in their entirety; the links below are informational only and are not exhaustive. KISO is providing this general risk guidance and has not independently confirmed the veracity of each company’s sites or claims. KISO does not certify, endorse, or recommend usage of one product over another product. Although administrators and users may improve video conference security by implementing capabilities noted below, cybersecurity events may still occur even if vendors and users take every possible precaution. KISO does not guarantee the security of these products; users are encouraged to verify, to every extent feasible, the security of vendor-provided products and to implement desired security controls.
File and Screen Sharing and Recording