As the COVID-19 pandemic broke, and people began to work from home and firms moved to remote working, there was a rush to dust off existing videoconferencing applications and download freeware online. This was quickly followed by stories that spread panic about the security risks of virtual meetings.
Here’s a brief summary of the guidance we give our clients to stay secure. If you have any doubts, consult an expert.
We focus first on the conferencing application you are already paying for (this may well be Microsoft Teams, which is widely distributed with Office 365). But, ultimately, it does differ by business: you need to choose the service that meets your requirements, which, for law firms, must include a high level of security.
- Start with a risk assessment: The choice (and often the cost) should be aligned to the risk and damage which could result if your virtual meetings were accessed or compromised by cybercriminals. There are bank-grade solutions that may be required, but this is generally disproportionate.
- Avoid free tiers of service: The cost of upgrading to business versions that have great security features may be modest, so use them.
- Upgrade your application: If you are using a “legacy” application, make sure you upgrade to the latest version of the software. Many solutions require you to download an application on your local machine. This needs to be brought up to date, as older versions will have known security vulnerabilities which are easily exploited by criminals.
Like any software which is accessed remotely, it is the way it is used and configured that makes the biggest difference to security. We find that the security features are almost always left at the default setting or even disabled altogether, leaving you wide open to attacks.
- Secure your access credentials: These need to be strong and not reused elsewhere. Cybercriminals use information gathered from previous data breaches to access conference services where the same passwords/codes are being used. If you believe they have been compromised, change them immediately. Highly sensitive meetings should have unique passwords and not rely on one-click links.
- Greet your guests: Before you launch into your conference call, make sure you have the correct attendees. You can control attendees and enforce a “lobby” entry on most videoconferencing software, where you can allow users to enter the meeting as they present their identity. Where possible, get each attendee to greet everyone, and check out attendees whose cams are not switched on. Consider locking entry once your meeting has started.
- Service configuration: This can vary from having to “accept” attendees into the meeting, to whitelisting the computers that have “permission” to join any meeting. This is the key control to keep the security risks of videoconferencing within your risk appetite, so take specialist advice here.
Data and privacy
Consider the impact of a data breach on you and your clients, and how you mitigate the risks by managing data and information as part of the process.
- Consider your audience: The content you present on a videoconference can be easily recorded by the attendees. Consider the control you have on attendees, especially when presenting highly confidential or personal data.
- Privacy settings: Some service providers may actually be using the platform to gather information about you and your clients/contacts. If you can’t manage this through privacy settings, you should change providers.
- Data loss prevention: Some services are designed to facilitate data sharing and collaboration across internal teams. Make sure you understand how to configure guest users’ access and permissions to these services.
Again, this is a crucial aspect of security, so get expert advice.
Spying and spoofing
Cybercriminals adapt their approach to match the opportunity. They know that suddenly, confidential conversations are happening virtually, giving them the motivation to phish for access credentials and deliver malware, via videos or attachments, to “spy” on you via your laptop.
- Scrutinise inbound requests: Fraudsters are actively phishing for videoconferencing login credentials. You should maintain a “zero trust” mindset for inbound requests to join meetings or enter credentials. Always question the validity of this kind of request, and verify if you have doubts.
- Anti-virus (AV) software: Cybercriminals’ use of spyware will increase during this pandemic. Keep your AV software up to date and well configured to mitigate against this malicious software.
- Connection security: While paid-for services will have a level of encryption, law firms should consider making internet connections more secure, for example with the use of virtual private networks.
Mitigo is part of the Society’s Member Benefit scheme, offering technical and cybersecurity services. Find out more in the member's benefits section.
David Fleming, chief technology officer at Mitigo