Meetings move online amid new security fears

The huge shift to homeworking has seen an explosion in online conferencing products. But what are the pitfalls of such platforms and how might they evolve in the future?

From 10 million daily users at the start of the year, Zoom soared to 200 million users in March, with its share price doubling by the start of April.

As new users raced to adopt videoconferencing for both work and social connections there was a surge of fears about cyber security because the ease of use that made Zoom so popular also made it vulnerable to abuse.

Some security flaws allowed hackers to steal users’ Windows login credentials, while other weaknesses allowed attackers to eavesdrop on conferences or obtain sensitive video recordings. 

As the firm scrambled to patch its weaknesses, chief executive Eric Yuan admitted in a blog post that the nine-year-old service was being used in “unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.

“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socialising from home,” he wrote. 

Scrambling to connect a massive global market

Zoom is not alone, as the entire online conferencing sector races to serve new customers, shore up its defences and anticipate new products needed by a global market suddenly shy of face-to-face meetings. 

Cyber-security specialists say some of the best alternative videoconferencing and chat software providers, for both security and ease of use, among Zoom’s rivals include: Skype and Microsoft Teams (up to 50 participants); FaceTime and Signal for privacy; Google Hangouts Meet (up to 250 participants); Google Duo; and Jitsi (free, encrypted, open source, up to 75 participants).

Paul Harragan, director of cyber security in mergers and acquisitions for EY, says the security dangers affect many providers.

“I was speaking to an executive the other day and five minutes before the end of our meeting somebody else joined the call. He said, ‘I have to hang up because my next meeting has just dialled in’, and I thought, if you were able to spoof someone’s email, you could potentially hijack meetings just by guessing the meeting details.” 

Matt Palmer, a Jersey-based cyber-security adviser to the finance sector through the Cyberclaria consultancy, says it is “incredibly dangerous” that many services do not have a specific code for each conversation, so people dial in and out of a conference call line.

“Most companies have configured tools like Skype to support a fluid way of working, so you end up with a code for an individual rather than a specific conversation. It’s going to take a while before everybody works out how to use these tools properly, ranging from suppliers getting the cryptography right to users getting the compliance side of things right, and what you show of your home environment.

A lot of these tools are about file sharing and instant messaging, as well as video communication: do you know who is talking to whom, when and what about? Because normally you’d have that record for six years in financial services

Matt Palmer
Cyber-security adviser, Cyberclaria

“In some conference calls you can remotely activate the microphones of participants. You can understand why the organiser might want to adjust the microphone of someone on the other end, but they could hear all sorts of things in a home environment.”

Another issue is the need for audit trails, says Palmer, which are crucial in areas such as financial services. 

“A lot of these tools are about file sharing and instant messaging, as well as video communication: do you know who is talking to whom, when and what about? Because normally you’d have that record for six years in financial services.

“If you’re going to keep a record of video calls, where is that data going to be stored? If not, how are you going to deal with regulation and compliance? We’re now having a big uptake of these tools without going through normal due diligence.”

Work still to do on improving user experience

Chris Wallis, founder and CEO of cyber-security firm Intruder Systems, says he expects virtual reality (VR) to play a big part in future conferencing. 

“When you have more than one or two people on a conference call the whole thing can descend into a mess. New VR developments could put us virtually into a meeting room. You’d be able to see visual cues on who was about to talk, without the solution choosing who it thinks is the speaker and muting feedback from other participants.

“I was on a video call the other day with 40-odd people and it was annoying with microphones feeding back, so the industry has work to do to improve the experience.”

“Deep fake” audio and video techniques are a future security threat, Wallis says, because criminals could, for example, pretend to be a chief executive ordering an employee to transfer money to a certain bank account. 

Bob Nicolson, head of consultancy at cyber-security specialists Nicolson Bray, says the dangers are exacerbated by the likelihood of a massive shift to online meetings.

“[At the beginning of the year], you’d have a face-to-face sales meeting, but a lot of organisations will now look to videoconferencing for that and for internal meetings and will reduce their spending on travel. There’s going to be a shift.”  

Nicolson says Zoom could look to Microsoft’s success in overcoming its own security problems in the early 2000s.

“There’s no reason why an organisation like Zoom with a much smaller product set can’t reinvent themselves.”

Meeting the needs of disabled users  

Dr Marion Hersh, senior lecturer in biomedical engineering at the University of Glasgow, says it is crucial that providers keep the needs of disabled users in mind as they develop new products.

“If you’re disabled you might be using assisted technology or doing things slightly differently, so service providers need to remember that,” Hersh says, noting that technologies to overcome some of the barriers facing disabled people are not always accommodated by conferencing services.

“There should be audio as well as audiovisual options, preferably from a phone as well as a computer. Designers should follow web content accessibility guidelines and the links and controls need to have a text version and not just be graphical because that excludes people who use screen readers or have graphics turned off.”

Conferencing technology can exclude people if it requires fast response times, Hersh says. It should also support captioning, “but this cannot be totally automatic, or accuracy will be poor.

“Moving meetings online could improve accessibility for many people but this shift is happening so quickly there has been little time to think about how to meet the needs of different types of users and what training is required.”

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.

scroll to top