It's no secret that the acceleration of work-from-home and distributed workforce trends — infamously spurred on by the pandemic — has occurred in tandem with the rise of video communications and collaboration platforms, led by Zoom, Microsoft, and Cisco.
But given that videoconferencing now plays a critical role in how businesses interact with their employees, customers, clients, vendors, and others, these platforms carry significant potential security risks, researchers say.
Organizations use videoconferencing to discuss M&A, legal, military, healthcare, intellectual property and other topics, and even corporate strategies. A loss of that data could be catastrophic for a company, its employees, its clients, and its customers.
However, a recent Aite-Novarica Group report on videoconferencing security showed that 93% of IT professionals surveyed acknowledged security vulnerabilities and gaping risks in their videoconferencing solutions.
Among the most relevant risks is the lack of controlled access to conversations that could result in disruption, sabotage, compromise, or exposure of sensitive information, while use of nonsecure, outdated, or unpatched videoconferencing applications can expose security flaws.
"The risks include the potential for interruptions, unauthorized access, and perhaps most concerning, the opportunity for a bad actor to acquire sensitive information," says Craig Lurey, CTO and co-founder at Keeper Security.
Threats Targeting Video Communications Platforms Multiply
The use of videoconferencing software by remote workers makes it an easy target for various types of attacks in the wild. For instance, "Zoom-bombing" and other attacks came to the fore in the wake of the first work-from-home wave during the pandemic.
Other threats include DDoS attacks, according to the FBI's Internet Crime Report, and malware. In May, for instance, threat hunters discovered a vulnerability chain in Zoom's chat functionality that could be exploited to allow zero-click remote code execution (RCE).
Security firm Vectra also recently discovered a vulnerability in Microsoft Teams, which found that the platform stores authentication tokens unencrypted, allowing any user to access the secrets file without the need for special permissions. The weakness gives attackers the ability to move through a company’s network much more easily.
But while zero-day exploits and other high-profile attacks get a lot of attention, Mike Parkin, senior technical engineer at Vulcan Cyber points out that many, if not most, attacks still target the users.
"That usually means phishing emails or other social engineering attacks that lead to compromise, or business email compromise attacks that can lead to direct losses through fraud," he says.
SMBs at Particular Risk From Videoconferencing Threats
The risk is especially piquant for small and medium-sized businesses (SMBs), researchers say. This segment relied heavily on video collaboration to cut travel costs even before the pandemic, and now represents a class of superusers.
At the same time, SMBs may not have the security awareness or in-house expertise necessary to shore up their defenses. Parkin says SMBs often wrestle to implement and manage a proper cybersecurity program.
"That lack of resources can manifest in not knowing, or being able to implement, proper security on their videoconferencing usage," he says.
George Waller, co-founder and executive vice president of Zerify, agrees that SMBs typically don't have the financial and technical resources that larger companies have.
"Therefore, they are far more vulnerable to even the most basic attacks such as email, phishing and ransomware," he says. "Post-pandemic, many SMBs are still working with limited staff and budgets. Therefore, it's easier to trip them up and cause a devastating data breach."
Meanwhile, this sector often faces financial constraints that could make a cyberattack an extinction-level event. According to a recent IBM breach report, the average size of a data breach in the US is now $9.44 million, and 60% of small businesses go out of business within six months of a data breach.
"When cybercriminals steal sensitive, confidential, or classified data, they can make you pay a ransom to get it back," Waller explains. "They can also sell it to other nefarious people, who can use that data to embarrass or profit from your organization."
Unfortunately, amid the challenges, SMBs are often more of a target than they realize.
"While an attacker’s potential take is smaller, the effort is low, the risk is low, and SMB organizations often have less investment in cybersecurity than a larger organization," Parkin explains. "They can be particularly susceptible to ransomware and business email compromise attacks."
2FA, Zero Trust Help Secure Video Conferencing
Fortunately, there are some basic steps that businesses of any size can take to ensure the videoconferencing system they're using doesn't fall into the "low-hanging fruit" category for cybercriminals.
For one, they should ensure their platforms and apps offer two-factor authentication (2FA) for both the meeting creator as well as for the meeting participant, and make sure that login links cannot be shared; most videoconferencing platforms have such basic security features and offer advice on how to use them.
Ricardo Villadiego, CEO and founder of Lumu, says businesses for instance should enable security features such as ID and password and end-to-end encryption that allow SMBs to control access to conversations.
"Avoid repeating passwords, lock down microphones and speakers, and authenticate every user prior to entering a videoconference," he says. "Limit the kind of files and links that can be shared via videoconferencing tools, keep meeting recordings only accessible with a password, and don't discuss information that you wouldn't discuss over the telephone."
Waller adds that snooping on video calls via spyware is a threat that SMBs should be aware of, too.
"Make sure that your camera, microphone, and audio-out data streams are locked down and cannot be spied on with malware," he says. "Organizations should also use an anti-keylogging and anti-screen scraping technology and make sure that AV software is up to date."
Lurey, meanwhile, advises SMBs to protect videoconferencing platforms with a zero-trust security architecture that requires all users be authenticated, authorized, and continuously validated before they can access the application.
"Choose a provider wisely and check that it provides end-to-end encryption," he says. "Most major platforms do."
He adds that it's also imperative to configure the platform correctly by enabling built-in security capabilities and providing consistent enforcement to ensure those security features are never disabled.
Finally, Parkin advises that there are other vulnerabilities in some videoconferencing platforms that require specific steps to counter and stresses the importance of keeping the videoconferencing software up to date. Security teams should also proactively monitor network behavior for anomalous activity and make sure to read terms and conditions of the videoconferencing platform being used.
He adds that with a changing threat landscape, the challenge for SMBs in particular is finding the balance between defending against known threats, being positioned to stay ahead of emerging ones, and managing the risk specific to their environment.
"Small businesses are often resource restricted when it comes to cybersecurity, which means they need to be efficient with the resources they do have," he says. "But focusing on things like user education, which can deliver a lot of value for the investment, can help."