Millions of people are working remotely due to the ongoing COVID-19 pandemic. Technology enables us to continue doing our jobs despite social distancing recommended by health care experts. Zoom, GoToMeeting, Cisco WebEx, and Skype are some of the software platforms that allow people to connect with their colleagues in live video chats and webinars.
Though these platforms facilitate collaboration, engagement, and online learning, they carry vulnerabilities when not correctly configured. Unfortunately, people with bad intentions, known as malicious actors, are taking advantage of these vulnerabilities by hijacking meetings in an action known as “zoom-bombing.”
Let’s examine some of these vulnerabilities and discuss what you can do to protect your meetings.
In March 2020, a high school in Massachusetts reported that an unidentified individual dialed into a virtual classroom and shouted profanities, as well as the teacher’s home address. Another virtual classroom was disrupted by a malicious actor who displayed racist and other offensive tattoos. These unfortunate incidents could have been prevented with the right security practices.
Best practices for securing your remote meetings
Several practices for configuring and securing virtual meetings are available across most platforms. Let’s look at what you can do.
Require a meeting password. Only supply the password to designated attendees. This will greatly reduce the risk of an unwanted visitor disrupting your meeting.
Create a unique meeting ID. Only those who have the meeting ID can access the event. Meeting IDs, combined with password protection, will go a long way in defending your meeting from malicious activity.
Lock your meetings. Once your attendees have joined and your meeting has started, you can lock the room, so no new attendees have access. This is yet another way to make sure no malicious actors join your conversation.
Allow invited visitors only. You can also set your meeting to only allow invited visitors to attend. If you do not use this security feature, invited visitors could forward the meeting information to others.
How to handle virtual meetings that must be public
In some cases, such as a school board meeting, an event is required to be open to the public. You can still help prevent a “zoom-bombing” attack with some of the other available controls. What can you do?
Use your waiting room. The waiting room option allows you to verify that potential attendees are known and expected collaborators. Any unknown visitors can be left in the waiting room until verified.
Restrict screen and audio controls. The meeting organizer should be able to control who can display their screen during the meeting. They will also have control over who can broadcast to the group with their webcam or microphone. Limiting access to these controls in a public meeting will help prevent the kind of digital vandalism we’ve seen in these events.
Restrict certain file types. In some cases, malicious actors have inserted offensive, animated .gif files into Zoom meetings. As an organizer, you can restrict which file types are allowed in the meeting. Consider using this option if you have many participants and are concerned about questionable content.
Don’t forget about email scams
In addition to potential vulnerabilities in remote connectivity platforms, it is important to be aware of email scams associated with COVID-19. Malicious actors are posing as representatives of the World Health Organization and the Centers for Disease Control and Prevention to take advantage of you. These emails appear legitimate and claim to provide recommendations to avoid contracting the virus.
As always, exercise caution online. We have such amazing options for collaboration with our colleagues while we pass through this difficult time. However, vulnerabilities exist, and malicious actors are exploiting them. Please keep the tips above in mind while you use your remote meeting platforms.
Expert help from the Fund
The Fund provides Privacy and Information Security coverage to members of our Property and Liability programs. Members that suspect they have been the target of cybercrime should call the Fund immediately at 855.295.8344 to report a claim. Members that have questions about cybersecurity education or consultation should contact Privacy and Cyber Risk Consultant Lucas Anderson at firstname.lastname@example.org or 512.505.2893.