How to Keep Teleconferencing Tools Secure at Agencies
In spring 2020, organizations across government and private industry scrambled to figure out how to keep themselves secure as office buildings emptied and workers established home offices with little to no warning.
Among the top concerns, says Branko Bokan, cybersecurity expert at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, were the growing use of file sharing as well as the use of personal equipment, including devices, networks, and communication and collaboration software. Another key concern was physical security, such as sensitive materials that could be seen on desks during teleconferencing sessions or smart home devices that might be listening to discussions regarding private or classified data.
CISA Offers Guidance on Secure Telework
Early in the pandemic, CISA created the Center for Excellence in Telework to provide recommendations regarding remote work to government agencies, private industry and end users. The National Security Agency has also released guidance regarding telework security, including a list of best practices that it produced in partnership with CISA.
Following are some of their recommendations for agencies struggling to balance communication and security needs in today’s teleconferencing era.
- Limit the number of authorized teleconferencing tools to one or two, and make sure clients are centrally managed and properly updated, Bokan advises. When employees need to accept meeting invitations from outside organizations that use applications not authorized by the agency, CISA recommends they join via web-based sessions as opposed to downloading software.
- Ask the following questions when choosing teleconferencing platforms, says Neil Ziring, NSA’s technical director of cybersecurity. Does the service employ end-to-end encryption? Can users see and control who connects? Does the privacy policy allow the vendor to share data with third parties? Has the service or app been reviewed or certified for use by a nationally recognized security organization or government body? (For other questions, read NSA’s “Selecting and Safely Using Collaboration Services for Telework.”)
- Establish a policy for videoconferencing, and educate users on that policy and best practices, says Bokan. The policy should include a plan for hardening sanctioned platforms so that they restrict capabilities such as file sharing and remote device access, he adds.
- Remain vigilant with traditional cybersecurity best practices, educating users about phishing and the importance of secure passwords, says Bokan. A CISA analysis found that while the shift to remote work posed new vulnerabilities, the threats themselves have remained the same. “Adversaries didn’t come up with anything new,” Bokan adds. “They shifted their focus to remote workers, but they are the same old techniques.”
For more recommendations, see CISA’s “TIC 3.0 Interim Telework Guidance” and videoconferencing recommendations for agencies and end users, as well as NSA’s “Best Practices for Securing Your Home Network” and “Selecting and Safely Using Collaboration Services for Telework.”