As the coronavirus pandemic continues to keep business and enterprise teams largely working from home, cracks have emerged in information security programs across the globe. Many organizations have found it necessary to move rapidly to one of several commercially available video conferencing platforms without taking the time to properly analyze risk, design and deploy controls to mitigate that risk, and train users on best practices to keep confidential information safe. This mass migration has essentially created a “wild west” environment, often with little certainty regarding the security and privacy implications of these process changes.
One obvious driver for companies to move to a particular platform is cost. Several well-known companies offer free versions of their video conferencing services, such as Zoom, Microsoft Teams, Skype, Citrix GoToMeeting, and Cisco WebEx. Each of these makes it quick and easy to stand up a basic video conferencing solution; however, in every case the features offered in the free version are limited in some way or another. It’s important to take time to evaluate the differences between platforms and consider your needs and risk as you select a video conferencing solution.
Start with an understanding of what your company’s communication needs will be. For example, you should know the answer to these questions before you select your vendor:
⦁ How many people will need to communicate at one time in a conference?
⦁ Will we need screen-sharing capabilities?
⦁ Will participants need the ability to call in from land lines or cell phones?
⦁ Will we be sharing information that is highly sensitive and governed by regulatory requirements such as HIPAA, FERPA, GDPR, COPPA, GLBA, etc.?
⦁ Do we have policies and procedures to advise employees as to when and how meetings should be conducted both internally and with third parties?
⦁ Does the solution offer the ability to configure settings that enhance the security of conferencing sessions, such as encryption, authentication methods, etc.?
⦁ Do we know what information the video conferencing vendor is collecting from us, and more importantly, who they are sharing it with?
Blair Carlisle has experience with all the vendors mentioned in this article, and our advisors have been asked by several clients for advice regarding which platform we recommend. As we do not resell any of these solutions, we can offer independent advice for your selection process. We generally regard “free” services with a high degree of skepticism, as there is almost always a trade-off in the security and privacy of such services. The bottom line is that they have to monetize their services in some way, usually by collecting and selling data – often to advertisers. For this reason we recommend the paid versions of platforms that include enhanced control of privacy and security. As the saying goes, “you get what you pay for”.
Currently we are urging caution regarding the use of Zoom, as there are a number of security and privacy related issues with the platform. One need only search the web for “Zoom” and “security” to get a quick understanding of these issues. We do note, however, that the management of Zoom has recognized these issues and is moving to address them as quickly as possible (albeit late).
The remaining vendors mentioned above all have paid versions; however, we tend to prefer the implementation of Microsoft Teams because many of our clients are already deeply deployed in Microsoft’s Office 365 ecosystem, and there is a growing list of security and compliance capabilities that we find useful and important if companies invest the time to set them up properly. For clients that are not on the Microsoft O365 or Azure platforms, we encourage a deeper look at the Citrix or Cisco options, advising that they be carefully configured to ensure sensitive data is protected.
It’s important to note that no solution is without security risks, and the weakest link is often the people using the software. Whichever solution you choose for video conferencing, take the time to make sure you have adequately assessed the risks and put controls in place to avoid a costly mistake later.
Pete Rife, CISSP, CISA is the President and CEO of Blair Carlisle, a technology risk advisory company with offices in Columbus, Ohio and Denver, Colorado. He is also the Director of IT Risk Advisory for Holbrook & Manter, a CPA firm in central Ohio that specializes in SOC 1 and SOC 2 reporting for clients worldwide.
He can be reached at firstname.lastname@example.org or email@example.com.