Steps to More Secure Web Conferences

By Tara Swords

Web conferencing is a technological blessing to budget-crunched organizations. It saves time and money that would be spent on travel to and from meetings and helps keep workers productive. Web conferencing is also instantaneous -- just a few clicks of the mouse, and thousands of people from around the world can gather in a virtual conference room.  With audio, video, and graphics right on the desktop, Web conferencing makes long-distance communication richer and more efficient. At the same time, online technical support via Web conferencing offers customers a more effective, interactive means of conducting business.

But what happens when sensitive company and customer information is shared in a Web conference? CIOs need to take steps to ensure that employees are safeguarding sensitive company financial information and complying with laws to protect personal data.

Issues to consider
Web conferencing has become as indispensable as the telephone or email, and it's affordable enough to be a good collaboration tool for organizations of any size. But Stacey Quandt, research director of security solutions and services at Aberdeen Group, says CIOs should need to remember that web conferencing can also be a potential security threat.

"While the very nature of the Internet has made such collaborative communications fast and easy, it has also opened up personal and private data to opportunistic hackers and white-collar criminals," Quandt says. "Organizations that do not encrypt data, voice, and video communications run the risk of inadvertently releasing confidential information such as financial statements, [information about] mergers and acquisitions, and intellectual property."

Under a series of laws approved over the past few years in the United States, organizations need to better control the flow of information about corporate finances, in addition to protecting personal information about customers.

CIOs can mitigate the potential risks of Web conferencing in two ways: by using the right kind of technology and by establishing internal guidelines for employees. Here's how:

• Decide whether to use a hosted solution or deploy one in-house Each scenario has advantages. By choosing a hosted solution, an organization doesn't have to deploy or maintain it, and the Web conferencing application never even involves the organization's servers. On the flip side, IT executives don't have much control over the host's security practices -- but they will still pay the price for any data inadvertently leaked during a Web conference. "At a minimum," Quandt says, "organizations should seek solutions that support secure sockets layer (SSL), which encrypts the content" shared in a Web conference.
• Be sure your current network security is up to par  According to a September 2005 report from Gartner, Inc., "A robust, well-managed corporate security infrastructure is a necessary prerequisite for Web conferencing security."
• Take special care when sending invitations  Invitations to Web conferences typically include a phone number to an audio bridge, a URL for the visual portion of the conference, and passwords and PINs. IT managers should enable a "do not forward" setting if they can. Although someone with bad intentions could copy and paste the information into a new email, that will help prevent accidental forwards.
• Authenticate participants  Require the conference moderator to approve all participants when they try to join the conference. If highly sensitive information will be shared during the conference, don't allow guest registration -- only allow people with official logins and passwords to attend. In addition, consider assigning a unique PIN to each person who attends, not a single PIN for everyone to use. "Access control and authentication software will ensure that there is an audit log of the users that logged into the Web conference," Quandt says. "Access controls also allow administrators to add users, delete users, and lock down the rights of users."
• Watch what you share  If the group is jointly viewing documents during the Web conference, you might want to disable any features that would allow participants to download them. Quandt also suggests that organizations "encrypt Web conference content and data to restrict meeting content to authorized viewers only." But if data is too sensitive, don't risk it. Find an alternate means of delivery to the people who need it.
• Make sure employees practice good security hygiene  No amount of technology can prevent all human carelessness, so IT managers need to ensure that employees make security a top priority. Advise them to never use speaker phones in an open area, and tell meeting attendees to watch out for "hot" microphones. It's easy for people to forget they're wearing a microphone and unintentionally broadcast off-the-record comments to the group.

Remember, too, that not all Web conferences require the same level of security. When participants are sharing confidential financial results or launch plans about a new product, security is paramount. But when they are hosting a marketing event for customers and prospects, they might want as many people to attend as possible. Adjust the security to the event.

Web conferencing is here to stay, and it will only get more sophisticated to mimic the experience of in-person collaboration. If done properly, Web conferencing offers tremendous benefits to the company. But CIOs must be vigilant to prevent the exposure of sensitive data and customer information -- not to mention the loss of a competitive advantage and the potential fines that could result.

Tara Swords is a Chicago-based journalist who regularly writes about business and technology.