NFL commissioner Roger Goodell notified every team that the 2020 NFL Draft will be held virtually due to continued concerns over the COVID-19 pandemic. This means that coaches and general managers will be switching to what mirrors a fantasy football draft and will be drafting players remotely via teleconferencing. This may inconvenience NFL personnel and dampen what has grown into one of the largest sports spectacles of the modern day, but it has also raised legitimate security concerns related to video conference technology. A number of NFL personnel have expressed unease with the virtual arrangement, including Baltimore Ravens Head Coach John Harbaugh, who called the security of teleconferencing and so-called “Zoombombing” a “big concern.”
Harbaugh’s concerns were not without merit: on March 30, 2020, the FBI issued a warning to all Zoom Video Communications users about the security of the company's very popular teleconferencing application. The warning focused on Zoombombing incidents in college classes, in which hackers gained access to Zoom meetings and broadcast offensive or explicit material to the class. Zoom has reached 200 million users and is being used by a wide range of users, from families to the US Department of Defense. With the spike in users on Zoom’s platform, multiple security issues were exposed, and the CEO, Eric Yuan, was forced to address them in a recent blog post. These concerns relate to misleading encryption practices, the sale of user information to Facebook, password cracking problems, and more.
Although Zoom has become one of the most popular teleconferencing platforms, alternatives exist with different security features that merit consideration. Other platforms that support end-to-end encryption include Google Duo (only supports 12 users), FaceTime (Apple devices only), WebEx from Cisco, GoToMeeting, and Microsoft Teams. Not all of these platforms are free or offer the same convenience as Zoom, but the heightened security is certainly worth the investment, especially when the contents of a meeting are sensitive.
No matter what video conferencing platform is used, basic steps should be taken to keep the meeting private and secure. Here are some of the most basic protection steps that should always be taken:
- Protect the meeting ID number and create a strong password: Be very mindful of the people with whom you share a meeting number and password, and never make them public. Limit meeting credentials to only the people required to attend a meeting. Do not use personal meeting numbers or re-use meeting numbers. Randomly generated meeting numbers that are only used once are the most secure.
- Designate a meeting Host: Even with a secure meeting number and password, hackers have a way of getting in. A meeting host should always be designated to control users that join. Most videoconferencing platforms offer a “waiting room” feature which forces the host to allow a guest access before joining and allows the host to remove users at any time. This should always be enabled.
- Restrict Screen sharing: Most platforms offer the ability to restrict which users are able to share screens during a meeting. Enabling this feature protects a meeting from unauthorized content being broadcast.
- Designate a secure location for sensitive meetings: In addition to a secure, encrypted platform, participants should be required to designate a secure location for video conferencing. Participants should have their access disabled if they are seen to be in a public place or an open setting with other people present.
- Adopt a Video Conferencing Policy: An organization-wide policy for video conferencing can ensure that certain conditions are met before users join or participate in a conference. Good policy practices include restricting personal devices from recording, turning off cameras and microphones when not in use, and disabling file transfer during a meeting to ensure that users can’t display unauthorized content.
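The checklist above can be enforced mechanically before meetings go out. The following is an added example, not code from this article or from any conferencing vendor: it audits a list of scheduled meetings for reused or personal meeting IDs, weak passcodes, and the waiting room, screen sharing and file transfer settings. The field names, the 40-bit passcode threshold and the sample meetings are assumptions made for illustration.

```python
import math
import string
from collections import Counter

# Hypothetical, platform-neutral field names; map them from your platform's export.
REQUIRED = {
    "waiting_room": True,         # host must admit each guest
    "screen_share": "host_only",  # restrict who can broadcast content
    "file_transfer": False,       # policy item: no in-meeting file transfer
}
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def passcode_bits(passcode):
    """Rough upper bound on entropy: length * log2(size of the character pool used)."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in passcode))
    return len(passcode) * math.log2(pool) if pool else 0.0

def audit(meetings, min_bits=40):
    """Return {title: [findings]} for every meeting that violates the checklist."""
    id_counts = Counter(m["meeting_id"] for m in meetings)
    report = {}
    for m in meetings:
        findings = []
        if m.get("uses_personal_id"):
            findings.append("personal meeting ID in use")
        if id_counts[m["meeting_id"]] > 1:
            findings.append("meeting ID reused")
        if passcode_bits(m.get("passcode") or "") < min_bits:  # assumed threshold
            findings.append("passcode missing or weak")
        for key, want in REQUIRED.items():
            if m.get(key) != want:
                findings.append(f"{key} should be {want!r}")
        if findings:
            report[m["title"]] = findings
    return report

# Constructed sample data, not taken from any real platform or meeting.
SAMPLE = [
    {"title": "Draft room", "meeting_id": "84125597302", "passcode": "t7#Qv9!mLx2p",
     "waiting_room": True, "screen_share": "host_only", "file_transfer": False},
    {"title": "Weekly sync", "meeting_id": "5550001111", "uses_personal_id": True,
     "passcode": "1234", "waiting_room": True, "screen_share": "host_only",
     "file_transfer": False},
    {"title": "Scouting call", "meeting_id": "5550001111", "passcode": "Autumn-Leaf-2020",
     "waiting_room": False, "screen_share": "all", "file_transfer": True},
]

if __name__ == "__main__":
    for title, findings in audit(SAMPLE).items():
        print(f"{title}: {'; '.join(findings)}")
```

The entropy figure is an upper bound that assumes random characters, so a dictionary-based passcode can pass the threshold and still be guessable.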
For more information on cybersecurity concerns surrounding Zoom, read our follow-up article, Zoom! Goes the Dynamite.
How Can Schneider Downs Help?
The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. We offer a comprehensive set of information technology security services including penetration testing, intrusion prevention/detection review, vulnerability assessments, and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact us at [email protected].