Steve Flavell, co-CEO, LoopUp
Steve Flavell, co-CEO, LoopUp

According to a report by the Identity Theft Resource Centre and CyberScout, US companies and government organisations suffered from more than 1,000 data breaches in 2016 – up 40 percent from 2015 – with hacking and phishing attacks accounting for the majority of incidents. It's no wonder businesses are going to ever greater lengths to safeguard their networks and protect customer information.

According to the Cyber Security Ventures, global cyber-security spending will increase by 12 to 15 percent year-over-year through 2021. This increase in security spending is driven by a number of factors, including the desire to protect sensitive data, comply with regulatory requirements and reduce the overall number of security incidents and breaches.

But despite the increasing attention paid to security, there is one area that has been around for over 25 years and remains notably absent from the list of security priorities - remote working and remote meetings.

What's the worst that could happen?

In a survey by Research Now, 99 percent of conference callers admitted to hosting meetings where they were unsure of who was in attendance. Perhaps even more alarmingly, 60 percent considered this lack of security to be the norm.

How is this possible?

The answer is fairly obvious:  dialing in – the most common way people join conference calls. While it can be a frustrating process, it's pretty easy to do, so most people default to this basic method. But the biggest downside is the lack of visibility of who is actually on the call. With dial-in, every call is essentially a “black box”.

This security challenge is compounded even further by “reservationless” conferencing. With reservationless, meeting hosts have their own dedicated conferencing facility with a dial-in number and access code that they can share widely with guests – colleagues, clients, or external partners and vendors. These numbers and codes are used time and again and often end up in many different hands. The value that reservationless provides is severely undercut by the security issues introduced with dial-in.

Understanding the risks

In recent years, there have been some high-profile cases that call out this security hole. During the 2008 presidential primaries, Barack Obama's campaign lawyer managed to obtain the dial-in details for a media conference hosted by the Clinton camp. Not only was he able to join unnoticed, he even started speaking to the press attendees, taking his opponents by surprise.

In 2012, the FBI admitted that it hosted a conference call with Scotland Yard and other foreign police agencies about a joint investigation of a hacker group and its allies, only to find that the hackers themselves were on the call. The eavesdroppers simply obtained an email containing the dial-in details.

These are very high profile examples, but the implications are just as real for the average business.

Like with any area of security, conference call threats fall into two broad categories: the malicious, and the unintentional. Malicious actors can include professional phishers, disgruntled former employees or even competitors. These perpetrators will use the opportunity to gather information for competitive advantage, blackmail, or worse.

Then there are the non-malicious, accidental breaches. These include scenarios where the host has scheduled back-to-back meetings and a guest inadvertently gatecrashes a confidential conversation, or when someone simply gets the day or time of the meeting wrong. Even well-intentioned meeting organisers can make fairly serious security gaffes – like posting conference call credentials on an event website – without realising the repercussions (phishing, fraud, etc).

So, how do you address security on conference calls?

Training is not the answer. Most professionals have neither the time nor inclination to attend training on how to host secure conference calls.

Many conferencing services offer a “roll-call” capability, but this is typically painful to use and doesn't work in the case of the malicious actor. An unwelcome guest could simply not record their name.

Some of the more capable software products for remote meetings will offer a level of visibility of attendees on the call, but most of these products are fairly complicated and tend to go unused because people don't know how to use them.

The best way to address conference call security is to move users away from dial-in to an alternative. But if an alternative method is to take hold, it has to be just as easy, ideally even easier. “Dial-out”— where the conferencing product calls the user on a number of their choice when they're ready to join – offers a solution that is just as simple. It also offers a better experience and provides the meeting host with visibility of who's on and who's speaking.

Only by gaining this level of visibility and control can businesses ensure the same level of confidentiality for remote meetings as for physical ones. Working towards a world where dial-in diminishes – and one day disappears – will make conference calls and remote meetings so much more secure.

Contributed by Steve Flavell, co-CEO, LoopUp

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.