These days, there are few offices that go without a video conferencing platform of some kind. But what many workplaces forget is that video conferencing security is just as essential as being secure with conference calls, emails or any other form of remote communication.
As pivotal as it is to secure your video chats, actually enforcing security is rarely easy. Plenty of businesses are tempted to simply layer security measures like firewalls or additional passwords onto web tools after the fact. However, in practice, these are fairly simple obstacles for hackers to jump over, and once they’re breached, organizations are left unprotected against illicit access to private business communications and even user data. Even for small businesses, attacks like this can be devastating, costing both immediate revenue loss and a severe drop in reputation.
The crux of a secure video conferencing service isn’t simply add-ons or layered tools. The fact is, without protection built directly into the service, there won’t be any real security in conference calls you make over the web.
But what does that built-in security look like? Here, we’ll explain exactly that by walking through what technology it takes to truly achieve video conferencing security. For further protection, we’ll also go through several key video conferencing security best practices.
The most direct way a hacker can gain unauthorized access to video calls is simply by logging in. If users’ passwords are overly simplistic or common, it will only be a matter of time before a cyberattacker simply guesses the correct credentials.
This is why any secure video conferencing platform must require users to create sufficiently long and unique passwords — especially ones with different letter cases, numbers and special characters. As any IT manager can tell you, there will always be employees who use overly simple or obvious passwords when setting up an account. To combat this, a secure conference calling service must outright reject such passwords as insufficient and require users to create longer ones.
However, requiring long, complex passwords will not inherently create a secure web conferencing environment. After all, password databases are frequently hacked and leaked over the dark web, granting access to hackers just as easily.
Fortunately, the software provider can keep its password database secure through cryptography. By storing passwords only as salted hashes (in particular, SHA512 with a salt), the provider ensures the database holds values the system can check a login against rather than the passwords themselves. This helps ensure that even in the event of a database breach, the actual passwords will be unreadable and therefore unusable to hackers.
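As an added example (not code from the article or from any product it mentions), the code below rejects weak passwords at sign-up and stores only a salted hash. It uses PBKDF2-HMAC-SHA512 from Python's standard library, a key-stretching construction built on the salted SHA512 named above; the minimum length, iteration count and deny-list are assumptions.

```python
import hashlib
import hmac
import os

# Assumptions for this example (not from the article): the minimum length,
# the iteration count and the tiny deny-list are illustrative values.
MIN_LENGTH = 12
ITERATIONS = 210_000
COMMON_PASSWORDS = {"password1234", "qwerty123456", "letmein12345"}


def check_policy(password: str) -> list[str]:
    """Return the reasons a candidate password is rejected (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("commonly used password")
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        problems.append("needs at least three character classes")
    return problems


def hash_password(password: str) -> str:
    """Derive a salted SHA-512-based hash; only this record is stored."""
    salt = os.urandom(16)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha512${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _scheme, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Because each record carries its own random salt, two users with the same password get different stored values, so a leaked database cannot be attacked with one precomputed table.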
Single Sign-On & Two-Factor Authentication
However, in some cases, complex passwords can stand in the way of secure web conferencing. Long passwords are by design hard to remember, and as such, users may write or type them down in insecure places to remember them. Furthermore, requiring only long passwords to log in still leaves open the possibility — no matter how remote — that a hacker may guess a user’s credentials and brute force their way in.
One effective answer to this is single sign-on (SSO). Instead of requiring a new password to secure your video conferencing software, single sign-on allows users to sign in using an existing account, such as via Google or Microsoft. This allows users to reuse a complex password from an account while still enjoying a secure login for additional software.
Further security can be added to sign-in procedures through two-factor authentication (2FA). Here, a successful login does not immediately grant access to an account. Instead, users are then required to input a code sent to their email or phone number or a code generated by an authenticator app. Because this extra step requires access to an additional device or account, it dramatically reduces the chances of an unauthorized login.
However, hackers are typically aware of the difficulty in directly accessing accounts and will rarely let these measures alone stop them. When login attempts fail, cyberattackers will most often attempt to covertly intercept video conferences — not unlike bugging a telephone to secretly listen in.
The most feasible way to prevent this is to use encrypted video conferencing software. Encryption, as we said, effectively scrambles data so as to make it unreadable to unauthorized users; the more sophisticated the encryption method, the more difficult it is to decipher the data.
Although video chats utilize audio and visual components, not simply text, it is still fully possible to secure conference calls through the same encryption methods. One of the most reliable of these is Secure Real-Time Transport Protocol (SRTP), which uses both a random cipher key for media and a built-in means of authenticating exchanged messages. This combination of approaches prevents video from being intercepted or from being falsified by hackers.
SRTP can be made even more secure by the use of Datagram Transport Layer Security (DTLS). DTLS is a protocol that adds a further layer of encryption to messages, one that can only be deciphered with the original key. This approach is then taken a step further by sharing that key only with the other participant(s) in the video call, not with a central server or authority, which may be open to hacking. All these combined measures provide security on a direct point-to-point basis for even greater protection.
An often unsung component of secure web conferencing is WebRTC, a media exchange technology designed to share communications directly within web browsers. On top of being an important component for real-time media transfers, WebRTC is vital for achieving the most secure video conferencing platform possible as a result of its built-in security protocols.
One of the most important of these safety features is also fundamental to WebRTC: the fact that it runs directly within the browser with no additional plugins. As a result, WebRTC and any associated video conferencing software will update to the latest version as soon as you update your browser. This makes it significantly faster to install the latest security protocols and helps to prevent hacks related to system vulnerabilities or exploits.
Furthermore, because WebRTC runs directly in the browser without any installation on devices, it exists separately from the digital architecture of that device. This is critical for security, as this setup means WebRTC is unaffected by any installed programs or vulnerabilities on the device; any spyware, viruses or similar backdoors hackers may try to create for illegitimate access cannot reach the browser’s technology and thus will not affect a WebRTC-based platform.
This is on top of the security measures WebRTC implements by design. Crucially, it features full end-to-end encryption via DTLS and SRTP, meaning that web chats using WebRTC inherently run through encrypted video conferencing software. WebRTC also establishes direct browser-to-browser connections for data transfers rather than connecting to a central server, further lowering the possibility that media can be intercepted.
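One way to check that a call setup actually negotiates the SRTP and DTLS combination described above, as an added example that is not from the article: an audit of the session description (SDP) the two endpoints exchange. Both SDP excerpts are constructed, and their fingerprint and key values are placeholders.

```python
# Constructed SDP excerpts for this example; fingerprint and key are placeholders.
GOOD_SDP = """v=0
o=- 1 1 IN IP4 192.0.2.1
s=-
t=0 0
a=fingerprint:sha-256 CONSTRUCTED-PLACEHOLDER
m=audio 9 UDP/TLS/RTP/SAVPF 111
m=video 9 UDP/TLS/RTP/SAVPF 96
"""
WEAK_SDP = """v=0
o=- 2 1 IN IP4 192.0.2.2
s=-
t=0 0
m=audio 49170 RTP/AVP 0
m=video 49172 RTP/SAVP 96
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER
"""


def audit_sdp(sdp: str) -> list[str]:
    """Return findings for audio/video sections not keyed via DTLS-SRTP."""
    findings, session_fp, sections, current = [], False, [], None
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            media, _port, proto = line[2:].split()[:3]
            current = {"media": media, "proto": proto,
                       "fingerprint": False, "sdes": False}
            sections.append(current)
        elif line.startswith("a=fingerprint:"):
            if current is None:
                session_fp = True            # session-level fingerprint
            else:
                current["fingerprint"] = True
        elif line.startswith("a=crypto:") and current is not None:
            current["sdes"] = True           # SRTP key sent inside the SDP
    for s in sections:
        if s["media"] not in ("audio", "video"):
            continue
        label = f'{s["media"]} ({s["proto"]})'
        if not s["proto"].startswith("UDP/TLS/RTP/SAVP"):
            findings.append(f"{label}: transport is not DTLS-SRTP")
        if not (s["fingerprint"] or session_fp):
            findings.append(f"{label}: no certificate fingerprint for DTLS")
        if s["sdes"]:
            findings.append(f"{label}: SRTP key carried in signaling (a=crypto)")
    return findings
```

An `a=crypto` line matters because it places the media key in the signaling message itself, where any server relaying that message can read it.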
All these security measures must go hand in hand with a way to view potential or actual threats, however — otherwise, users will have no way to understand possible system vulnerabilities.
This requirement is actually fairly straightforward to confirm in a piece of software: the system simply must have a tool or API for logging instances when it’s been accessed, and this must be easily accessible to local technicians. It’s even better if the system has a way of alerting security advisors if any of these entries appear to be illegitimate, of course — but more importantly, it’s downright vital that this tool issue automatic alerts to system administrators when it detects full-on intrusions.
Obviously, this is in large part because techs must immediately know of any hacks the instant they occur to re-secure the system and patch vulnerabilities. But it’s also important to have constant system monitoring to stay alert against en masse system attacks known as distributed denial of service (DDoS) attacks. Although a secure video conferencing system should be able to prevent these at the outset by simply blocking excess traffic from the IP addresses committing the attack, it’s still crucial for administrators to see they’ve happened right away. A delay in viewing or reporting these threats only leaves room for hackers to reassess their plan of attack and return with more effective methods.
Built-in tools for this monitoring are essential; for maximum effectiveness, these should include data sets and statistical breakdowns of the nature of access attempts. Even better is if the system supports integration with external monitoring tools (for example, Zabbix). The bottom line is that without measures to review access attempts and successful intrusions, it will be impossible to change and improve upon current security measures.
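The access-log review and alerting described above, as an added example that is not from the article or any monitoring product: a sliding-window scan that alerts on repeated failed logins, on a successful login that follows them, and blocks a source that floods the service. The log format, thresholds and sample entries are constructed for this example.

```python
from collections import defaultdict, deque

# Assumed log format (constructed): "<unix_time> <source_ip> <event>",
# where event is login_ok, login_fail or request. Thresholds are illustrative.
WINDOW = 60            # seconds
MAX_FAILS = 5          # failed logins per IP per window before alerting
MAX_REQUESTS = 100     # events per IP per window before blocking


def _count(window: deque, ts: int) -> int:
    """Add ts to a sliding window and return how many events remain in it."""
    window.append(ts)
    while window[0] <= ts - WINDOW:
        window.popleft()
    return len(window)


def scan(lines):
    """Return (alerts, blocked_ips) for an iterable of access-log lines."""
    fails, traffic = defaultdict(deque), defaultdict(deque)
    alerts, blocked = [], set()
    for line in lines:
        ts_text, ip, event = line.split()
        ts = int(ts_text)
        if ip in blocked:
            continue                      # traffic from blocked IPs is dropped
        if _count(traffic[ip], ts) > MAX_REQUESTS:
            blocked.add(ip)
            alerts.append((ts, ip, "flood: source blocked"))
        elif event == "login_fail":
            if _count(fails[ip], ts) == MAX_FAILS:
                alerts.append((ts, ip, "repeated failed logins"))
        elif event == "login_ok":
            recent = [t for t in fails[ip] if t > ts - WINDOW]
            if len(recent) >= MAX_FAILS:
                alerts.append((ts, ip, "login succeeded after repeated failures"))
    return alerts, blocked


# Constructed sample log using documentation IP ranges.
SAMPLE_LOG = (
    [f"{1000 + i} 198.51.100.7 login_fail" for i in range(5)]
    + ["1006 198.51.100.7 login_ok"]
    + [f"{2000 + i // 10} 203.0.113.9 request" for i in range(150)]
    + ["2030 192.0.2.44 login_ok"]
)
```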
Up to now, we’ve covered tools to prevent hacks and data interception. These are all invaluable for businesses, but they’re far from the only tools necessary for secure video meetings. After all, it’s not only possible but exceedingly common for cyberattackers to simply break into web calls and disrupt proceedings (a practice commonly referred to as “Zoombombing”).
To prevent such disruptions, a secure video conferencing platform must also have tools for limiting who can access conference calls, as well as tools for controlling the calls themselves.
One common safeguard is to set a password on conferences, which in theory will lock out unwanted guests. For smaller conferences or internal events, this can be an essential way of ensuring privacy.
For larger conferences, however, passwords are almost always shared along with meeting invites, meaning additional security measures should be available. One such method is securing video calls by allowing in only invited users — that is, users with a specific login on the video calling software. This way, anyone without explicit access permission will instantly be prevented from listening in on your call.
However, even this measure is open to failure: password hacks, system vulnerabilities and unforeseen security gaps can all still let unwanted guests into video calls. That’s why every secure video calling system also needs the last resort of in-call moderation tools to maintain order and privacy within the conference.
The most critical of these moderation capabilities are:
- Muting users’ mics (especially muting all users or all but one user)
- Turning off users’ video (including for all users or all but one user)
- Blocking screen share attempts
- Removing specific users from the call
Maintaining security will require all of these measures to be kept available, even if — like any last resort — it’s preferable they’re never actually used.
Just consider that without capabilities like these, creating a secure web conference call becomes far more difficult in the event one or more external measures fail.
Video Conferencing Security Best Practices
Even with security measures such as these in place, breaches can still arise from simple human error. That’s why, on top of using effective technology to secure your web conferences, it’s critical that staff keep key video conferencing security best practices in mind at all times.
Although technology should be designed with security on by default, employees always have the potential to circumvent this security, whether it’s out of ignorance or actual malice. As implied earlier, passwords and account access are at the forefront of this: if a hacker gains the login credentials for an employee account on your video calling platform, it will open up access to untold amounts of data and communications.
As such, the absolute most important video conferencing security best practice is to keep passwords confidential in all cases. Employees should never share passwords over chat, email or even in calls, as hackers commonly try to trick users into handing this information over by pretending to be someone legitimate in the company (a practice known as “phishing”). So long as login credentials are kept fully private, you’ll have already done a great deal to secure your video conferences.
Within video calls, there are further guidelines to follow, of course. The most important ones are:
- Immediately kick out suspicious callers: Unless you’re holding a wide and open forum, users you don’t recognize simply should not be part of video calls. To keep them from disrupting the call or hearing confidential information, remove them immediately.
- Don’t be afraid to “mute all”: Should a group of trolls enter your call, it’s critical to keep them quiet while working out how to remove them. Liberal use of “mute all” functions will help maintain order while doing so.
- Steer clear of suspicious links in the chat: Many hackers will plant URLs in the chat as a way of wreaking havoc even after you’ve kicked them. Because these links will always direct users to spammy or harmful sites, either advise users to not click them or, better yet, delete those messages outright.
- Remember to disable video and screen shares: Plenty of trolls will disrupt calls with obscene visuals in addition to excess noise. As such, moderators and hosts should always keep in mind that they can disable video or block screen shares from unwanted guests, too.
- Add conference limits as necessary: Passwords or user limits can be a powerful way to prevent trolls from even appearing in your video calls. When wide access isn’t a concern, consider using these as an extra safety measure.
- Utilize “start with mic and video off” settings: For those conferences open to a wider audience, setting the conference to start with users muted and without video can serve as a stopgap against disruption.
- Know when to use webinars instead: Events with numerous attendees but only a few speakers are generally better presented as webinars than video conferences, as under webinar settings audience participation is limited. This will help keep disruptions to a minimum even without much moderation.
Considering any or all of these video conferencing security best practices will add to the safety provided by effective technology.
As remote and smart working continue as the standard, it’s never been more important to stay secure in conference calls and video chats. But that security is by no means limited to the calls themselves; what’s just as important is to keep the system and its associated data, including exchanged files and call recordings, safe from unauthorized access.
Certain best practices will go a long way to helping in this regard, but on their own, they won’t go far enough. Built-in protocols like login protection, encryption and direct browser-to-browser connections can all work in tandem to keep all your business meetings private, even when they take place over the internet.
But it’s crucial that these measures are a built-in and always-on component of that platform, rather than add-ons that can be switched off. To truly be secure in video calls, protective measures have to be an inherent aspect of the system and baked directly into its design.
To see an example of a fully secure conference call app, see how security is built into Wildix, the first in-browser video conferencing tool built for sales.