In most organizations, the only meetings happening right now are virtual meetings.
And quite frankly, if you're reading this article, you may be one of the few in your organization giving the security of these virtual meetings much thought.
That does not surprise Jeff Greene, Director of the National Cybersecurity Center of Excellence (NCCoE), which is part of NIST.
"While many of us have become security-conscious in our online interactions, virtual meeting security is often an afterthought, at most. Who hasn't been finishing one call when attendees of the next call start joining—because the access code is the same?
In the moment it may be annoying, or even humorous, but imagine if you were discussing sensitive corporate (or personal) information. Unfortunately, if virtual meetings are not set up correctly, former coworkers, disgruntled employees, or hackers might be able to eavesdrop."
7 NIST best practices for secure virtual meetings
Thankfully, NIST has come up with some best practices for virtual meeting security, so let's take a look at them.
Note: conference calls are low, medium, or high risk depending on their content. The higher the risk, the more of these steps you'll want to implement.
- Limit reuse of access codes; if you've used the same code for a while, you've probably shared it with more people than you can imagine or recall.
- If the topic is sensitive, use one-time PINs or meeting identifier codes, and consider multi-factor authentication (MFA).
- Use a "green room" or "waiting room" and don't allow the meeting to begin until the host joins.
- Enable notification when attendees join by playing a tone or announcing names. If this is not an option, make sure the meeting host asks new attendees to identify themselves.
- If available, use a dashboard to monitor attendees—and identify all generic attendees.
- Don't record the meeting unless it's necessary.
- If it's a web meeting (with video):
  - Disable features you don't need (like chat or file sharing).
  - Before anyone shares their screen, remind them not to inadvertently share other sensitive information during the meeting.
Conference call security infographic, decision guide
And here's another great resource for virtual meeting security.
The National Cybersecurity Center of Excellence (NCCoE) created a fantastic infographic and decision tree. It breaks out security steps for low-risk, medium-risk, and high-risk calls.
These are unusual times. Millions of workers are working remotely for the first time. Thankfully, there are resources like these.
In addition to this NIST guidance, here is a new initiative from SecureWorld called the SecureWorld Remote Sessions.
Related episode: Remote Work, Protecting Against Privacy and Legal Pitfalls and Liabilities, with Jordan Fischer, Cyber Attorney and Managing Partner at XPAN Law Group.