Social distancing protocol has forced many organizations to move their operations to remote working environments. This shift has resulted in companies leveraging video conferencing platforms to stay connected with colleagues and clients, simulating the face-to-face conversations that are no longer possible.
The higher education workforce is no exception to this new work-from-home culture. Not only have business operations become remote, but residential courses have moved online for the foreseeable future. Video conferencing solutions have become an important component of online course delivery.
But these innovative technology solutions introduce new security concerns for higher ed institutions. Are they as safe as they seem? What vulnerabilities might exist and how can they be mitigated? Keep reading for these answers as well as additional information.
Video conferencing security in the news
COVID-19’s impact on public health has dominated recent headlines, but other stories have emerged in its shadow. One trending story that’s become a topic of discussion relates to video conferencing security. At the center of the conversation is Zoom, a communications technology company that has become the conferencing service of choice for many.
The scrutiny around this company stems from security vulnerabilities on the platform that have led to unauthorized access and inappropriate sharing by hacktivists and pranksters in what were assumed to be private, secure meetings. Incidents like these have led to other questions about privacy, including how web conferencing providers leverage information from users on their platforms.
4 Video conferencing security risks (and how to avoid them)
You’re committed to protecting your students, staff and the sensitive data they entrust to you. There are several key concerns colleges and universities should be aware of as they continue to rely on video conferencing solutions. Consider the following risks.
1. Video conference hijacking
Probably the most notable risk related to using video conference services is the possibility of an unknown individual hacking into your video meeting. Zoom in particular has fallen victim to this issue, which led some to deem it “Zoom-bombing.”
The slang term is used to describe the unauthorized entry into private video conference meetings. These bad actors access private meetings by exploiting a vulnerability within the Zoom platform that allows open access to meetings set as public. On the milder side, this leads to meeting disruptions. More severe ramifications can include the sharing of inappropriate media or information.
There are a few steps you and your staff can take to prevent uninvited guests from joining your meetings:
- Configure settings in video conferencing apps to make meetings private. This can be done by enabling a password requirement and by making new participants wait in a “lobby” for admission by the meeting host.
- Restrict screen sharing to “host only” in settings.
- Update video conference software to ensure that the most current version is being used.
2. HIPAA compliance infractions
Recent articles have reported that security experts have uncovered some concerning vulnerabilities in the Zoom platform, for Mac users in particular. Additionally, university officials should be aware that many off-the-shelf video conferencing solutions are not compliant with privacy regulations such as the Health Insurance Portability and Accountability Act (HIPAA).
To reduce risk, be sure to monitor updates from Zoom and other providers as they patch these newly exposed vulnerabilities. Zoom has released updates addressing some reported susceptibilities already, and other companies are taking note and reviewing their systems as well.
For HIPAA compliance, be sure to use video conferencing solutions designated for use in compliance with HIPAA, such as Zoom for Healthcare and GoToMeeting. Both of these platforms have information on their websites explaining how they comply with HIPAA, and what requirements, if any, users must follow to ensure compliance. These solutions may have special licensing requirements and additional cost for improved security.
3. Targeted phishing attacks
Fraudsters are always working to exploit the news cycle for opportunities to phish users. This new brand of attacks is capitalizing on the pandemic and video conferencing usage with messages like, “Download Zoom now and receive a free gift card.”
When a user clicks the malicious link, malware is downloaded onto the user’s device. The goal of many of these attacks is credential mining to gain a foothold into your university network. The result could be malware or ransomware on the networks of unaware users.
To reduce risk, make sure users are trained to recognize phishing attempts and provide a method for reporting suspicious emails. Administrators should be monitoring their networks and removing suspect emails from the inboxes of users to reduce risk of compromise.
4. Data privacy issues
The recent scrutiny of Zoom’s business model has revealed that the company has fairly liberal sharing policies with third-party advertisers. Some of these concerns have been addressed by the company, but there is still some ambiguity about how Zoom and other video conference providers use personal data.
Another privacy breach that has been uncovered is that “private”, user-to-user chats within Zoom conference meetings aren’t so private after all. It turns out that those conversations are included in the final transcripts to the meeting host.
To reduce risk, review the privacy statement for your video conferencing software and make sure that user information does not contain personally identifiable information (PII). Make sure users know that the private chats aren’t private, and that the host will get a copy of whatever is said in the meeting.
Stay protected while you stay connected
The unfortunate events surrounding Zoom video conferencing have put many on edge about the platform. But it still remains a popular choice, with many faculty finding it a preferred tool for online instruction. While it’s not necessary to avoid using the service altogether, it is essential to be aware of the security concerns and be diligent about taking precautionary measures to avoid putting your school at risk.
For more information and advice about how to rethink higher education, visit our website resources.
Author: Jason Nairn
Dr. Jason Nairn serves as Collegis Education’s vice president of Information Technology and Security, providing IT leadership for several colleges and universities. Prior to joining Collegis, Nairn was vice president of Information Technology and chief information officer for Concordia University in Portland, OR.