What to include in a secure video conference policy

If your organisation uses video conferencing, make sure you're aware of the potential risks and how to mitigate them.

The use and popularity of video conferencing are growing all the time. Convenience and the need for businesses to reduce costs, work smarter and accelerate business processes make it a must-have technology for many. It’s also a more environmentally responsible way to conduct business, saving on travel and its associated costs, including time.

Video enables people to share ideas and images, and gain easy access to in-house experts, allowing troubleshooting to happen in real time. Having multiple offices no longer means teams working in isolation. Technologies such as VoIP and desktop video conferencing software enable telecommuting, and individuals and teams can conduct low-cost, face-to-face meetings without anyone having to leave their desk. Speed, reliability and bandwidth are no longer real issues: On an IP network, the ongoing costs of running a video conference are minimal, and video conferencing facilities can even be hired by the hour.

However, like any ICT service, the use of video conferencing has inherent vulnerabilities and associated security risks. New technologies always carry the risk of accidental or inadvertent security breaches due to user ignorance or misunderstanding, and a compromised video conference can be a rich source of information for an attacker. Discussions that cover sensitive topics in detail or include related sensitive issues not initially on the agenda could be recorded and played back at a later date.

As with other services on a network, attackers may try to gain unauthorised access to, or intercept, video traffic. Streaming protocols such as H.323 and the Session Initiation Protocol (SIP) used in video conferencing are vulnerable to a variety of attacks, and video conferencing equipment and software tend not to offer robust security.

This means the underlying network -- and the policies that govern its use -- have to provide the security. The protocols used for video conferencing must be allowed through the firewall, which will require opening additional ports. Ensure your firewall can handle the necessary protocols, and that log analysers can be set to monitor and detect any unauthorised or unusual use. Other perimeter defences will also have to be updated to handle the new traffic. In addition, firewalls should control the times of day when video traffic is allowed through. As video adoption in the organisation grows, check that your security devices and the rest of the network can handle the increased flow of traffic.
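One way to implement the log check described above, as an added example that is not part of the original article: it flags allowed H.323/SIP signalling seen outside permitted hours or involving a peer that is not on a trusted list. The log format, permitted hours, internal address prefix and trusted list are constructed assumptions; only the signalling port numbers are standard.

```python
import re
from datetime import datetime, time

# Standard signalling ports: H.323 call setup (1720), SIP (5060), SIP over TLS (5061).
VIDEO_PORTS = {1720: "H.323", 5060: "SIP", 5061: "SIP-TLS"}

# Assumed policy values, for illustration only.
ALLOWED_DAYS = range(0, 5)                   # Monday to Friday
ALLOWED_HOURS = (time(8, 0), time(18, 0))    # 08:00 to 18:00
TRUSTED_PEERS = {"203.0.113.10"}             # approved partner endpoints
INTERNAL_PREFIX = "10."                      # assumed internal addressing

LINE = re.compile(
    r"(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def review(lines):
    """Return (line, reasons) for allowed video signalling that breaks policy."""
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["action"] != "ALLOW" or int(m["dport"]) not in VIDEO_PORTS:
            continue
        when = datetime.fromisoformat(m["ts"])
        # The peer is whichever end is not on the internal network.
        peer = m["dst"] if m["src"].startswith(INTERNAL_PREFIX) else m["src"]
        in_hours = ALLOWED_HOURS[0] <= when.time() < ALLOWED_HOURS[1]
        reasons = []
        if when.weekday() not in ALLOWED_DAYS or not in_hours:
            reasons.append("outside permitted hours")
        if peer not in TRUSTED_PEERS:
            reasons.append("untrusted peer " + peer)
        if reasons:
            findings.append((line, reasons))
    return findings

# Constructed sample firewall log lines (documentation address ranges).
SAMPLE = [
    "2024-03-04T09:15:02 ALLOW tcp 10.1.20.15:40112 -> 203.0.113.10:1720",
    "2024-03-04T23:41:10 ALLOW udp 10.1.20.15:5060 -> 203.0.113.10:5060",
    "2024-03-05T10:02:33 ALLOW tcp 198.51.100.7:51515 -> 10.1.20.15:5061",
    "2024-03-09T11:00:00 ALLOW tcp 10.1.20.22:40200 -> 198.51.100.7:1720",
    "2024-03-05T10:05:00 DENY udp 198.51.100.7:5060 -> 10.1.20.15:5060",
    "2024-03-05T10:06:00 ALLOW tcp 10.1.20.15:44000 -> 203.0.113.10:443",
]

if __name__ == "__main__":
    for line, reasons in review(SAMPLE):
        print("; ".join(reasons), "|", line)
```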

Video traffic should be encrypted if sensitive information is being discussed, but encryption can only protect data while it is in transit, as sound and images are encrypted only once they’ve been recorded. Anyone present at either end of the conference could use a mobile phone to capture both video and sound unencrypted.

It is important to create a secure video conference acceptable usage policy so users are clear about what is and is not allowed. The policy should cover who can use video conferencing internally and with whom they can connect -- trusted clients or partners only, for example. Most importantly, it should state what type of information can be discussed.

Your classification policy will help you here, and remember that video recordings can be stored and replayed at a later date. Setting an agenda is one way to help keep discussions from drifting to sensitive topics that should not be recorded. Any rules and restrictions should be displayed clearly in any conference room.

Anyone participating in a video conference should be positioned so he or she cannot be easily overheard or overlooked. Ideally, create a dedicated video conferencing room. This has the advantage of keeping video conferencing equipment secure in a lockable location, and makes it easier to control access to the control interfaces of any equipment.

If the room has windows looking out onto other work areas, ensure video cameras are not positioned where they could inadvertently film sensitive documents or computer screens on surrounding desks, or where microphones could pick up sensitive conversations taking place nearby.

In instances where video conferencing is conducted directly from users’ desks, cameras should be positioned to focus solely on the individual, and the sensitivity of the microphone should be tuned to a minimum to reduce the risk of other conference participants seeing or hearing something inappropriate.

In either case, cameras and microphones should be disabled when not in use, either by disconnecting the power or connection cables or by using lens caps. Access to the video conferencing application on a desktop system should require a log on and log off for each video conference. Due to the widespread abuse of video codecs to spread viruses, any auto-update or download of codecs should be disabled.

The latest video conferencing applications boast features such as file exchange and remote camera control, and these should be disabled unless they are required. Remote control of cameras should only be allowed by authenticated and trusted users. Consider this also when dealing with third parties who may be collaborating with you on one particular project but are competitors in others.

If you decide to use a professional media company to handle video conferencing, check that they are financially sound, have a good security model and professional reputation with responsive customer support. They should also only use standards-based, non-proprietary products.

User awareness of the security implications of virtual meetings, and of users' responsibilities when using video technologies, is essential to keeping this form of communication secure. Finally, bear in mind that although video certainly offers a better way to explain complex issues than email, researchers have found that those participating in a video conference have to work harder to interpret information delivered during a conference than they would if they attended a face-to-face meeting [1]. Consider allowing a little extra time for the Q and A session at the end before reminding everyone to turn off their cameras and mikes once the conference ends.

[1] Ferran, Carlos and Watts, Stephanie. “Videoconferencing in the field: A heuristic processing model,” Management Science 54, no. 9 (2008)

About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.
