{"id":16552,"date":"2020-04-28T13:48:12","date_gmt":"2020-04-28T17:48:12","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/videoconference-software-security\/16552\/"},"modified":"2020-09-02T21:31:18","modified_gmt":"2020-09-02T17:31:18","slug":"videoconference-software-security","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/videoconference-software-security\/16552\/","title":{"rendered":"The problems with videoconferencing apps"},"content":{"rendered":"<p>#stayhome is not just a popular tag around social networks these days, but also a harsh reality for businesses forced by the coronavirus pandemic to send most of their staff home to work remotely. Face-to-face meetings have been replaced by video calls. But corporate conferences are there to discuss more than just the weather, so before you commit to a videoconferencing app, take a look at its data protection mechanisms. \u00a0To be clear, we have not conducted lab-based testing on these apps; we browsed publicly available sources for information about known problems in the most widely used software.<\/p>\n<h2>Google Meet and Google Duo<\/h2>\n<p>Google offers two video call services: Meet and Duo. The first is an app that integrates with Google\u2019s other services (the G Suite). If your company uses those, Hangouts Meet will fit in nicely.<\/p>\n<h4>Security \u2014 Google Meet<\/h4>\n<p>Among Meet\u2019s advantages, <a href=\"https:\/\/gsuite.google.com\/products\/meet\/\" target=\"_blank\" rel=\"noopener nofollow\">the vendor cites<\/a> reliable data-processing infrastructure, encryption (not end-to-end, though) and a set of protection tools, all active by default. 
Like most other business products, G Suite, including Google Meet, conforms to advanced security standards and offers configuration and access-rights-management options among its <a href=\"https:\/\/support.google.com\/a\/answer\/7582940?hl=en\" target=\"_blank\" rel=\"noopener nofollow\">features<\/a>.<\/p>\n<h4>Security \u2014 Google Duo<\/h4>\n<p>The mobile app <a href=\"https:\/\/support.google.com\/duo\/answer\/6376137?hl=en&amp;ref_topic=6376099\" target=\"_blank\" rel=\"noopener nofollow\">Duo<\/a>, on the other hand, protects data using end-to-end encryption. However, it is an application designed for private users, not for businesses. Its conferences can accommodate only up to 12 participants.<\/p>\n<h4>Vulnerabilities and downsides<\/h4>\n<p>Other than some messages reminding us all that Google collects user data and therefore can be a threat to trade secrets, we were unable to find concrete information about these apps\u2019 security performance. That does not mean that Google services are flawless, but they are backed by a very strong security team that tends to fix problems before they cause any trouble.<\/p>\n<h2>Slack<\/h2>\n<p>In Slack, you can create multiple chat workspaces for teams, conveniently shown in one window, plus channels inside your workspace dedicated to different projects. Conferencing is limited to 15 participants.<\/p>\n<h4>Security<\/h4>\n<p>Slack complies with <a href=\"https:\/\/slack.com\/intl\/en-ru\/security\" target=\"_blank\" rel=\"noopener nofollow\">a bunch of international security standards<\/a>, including SOC 2. The service can be configured to work with medical and financial data and allows companies to select a region for data storage. 
And joining a Slack workspace <a href=\"https:\/\/slack.com\/intl\/en-ru\/help\/articles\/212675257-Join-a-Slack-workspace\" target=\"_blank\" rel=\"noopener nofollow\">requires either an invitation or an e-mail address using the corporate domain<\/a>.<\/p>\n<p>Slack also offers its customers flexible risk management instruments, integration with Data Loss Prevention (DLP) solutions, and data-access-control tools. For example, administrators can <a href=\"https:\/\/slack.com\/intl\/en-ru\/resources\/why-use-slack\/slacks-enterprise-security-features?eu_nc=1\" target=\"_blank\" rel=\"noopener nofollow\">restrict<\/a> the use of Slack from personal devices and the copying of information from its channels.<\/p>\n<h4>Vulnerabilities and downsides<\/h4>\n<p>According to Slack\u2019s developers, <a href=\"https:\/\/www.computerworld.com\/article\/3368503\/slack-rolls-out-enterprise-key-management-but-has-no-plans-for-end-to-end-encryption.html\" target=\"_blank\" rel=\"noopener nofollow\">only a limited number of businesses<\/a> really need end-to-end encryption, and implementation of the feature can limit functionality. Therefore, Slack apparently has no plans to add end-to-end encryption.<\/p>\n<p>Slack also lets you integrate third-party apps, whose security is not Slack\u2019s responsibility.<\/p>\n<p>Also, researchers have found vulnerabilities \u2014 serious ones \u2014 in Slack. Slack has patched the following: a bug that <a href=\"https:\/\/www.techrepublic.com\/article\/slack-vulnerability-allows-attackers-to-intercept-modify-downloads\/\" target=\"_blank\" rel=\"noopener nofollow\">allowed attackers to steal data<\/a> and one enabling <a href=\"https:\/\/www.securityweek.com\/slack-vulnerability-allowed-hackers-hijack-accounts\" target=\"_blank\" rel=\"noopener nofollow\">interception of a user\u2019s session<\/a>.<\/p>\n<h2>Teams<\/h2>\n<p>Microsoft Teams integrates with Office 365, which is its main advantage for a corporate user. 
In response to the increased demand for work from home tools, Microsoft is now offering a free six-month Microsoft Teams trial, but free users will <a href=\"https:\/\/support.microsoft.com\/en-us\/office\/differences-between-microsoft-teams-and-microsoft-teams-free-0b69cf39-eb52-49af-b255-60d46fdf8a9c?ui=en-us&amp;rs=en-us&amp;ad=us\" target=\"_blank\" rel=\"noopener nofollow\">not be able to configure<\/a> user settings and policies \u2014 a potential security compromise.<\/p>\n<h4>Security<\/h4>\n<p>Teams <a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoftteams\/security-compliance-overview\" target=\"_blank\" rel=\"noopener nofollow\">complies<\/a> with a number of international standards, can be set up to work with confidential medical data, and boasts flexible security management options. Under some service plans, additional tools, such as DLP or outgoing file scanning, can be integrated into Teams. <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/microsoft-office-365-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kso365___\" target=\"_blank\" rel=\"noopener nofollow\">Our solution for protecting MS Office 365<\/a> scans the data exchanged through Teams to prevent malware from spreading through the corporate network.<\/p>\n<p>Data sent to the server, whether chats or video calls, is encrypted, but again we are <em>not<\/em> talking about end-to-end encryption. Speaking of storage and processing, the information never leaves the region in which your company operates.<\/p>\n<h4>Vulnerabilities<\/h4>\n<p>It is a good idea to monitor vulnerabilities in Teams. Microsoft typically patches vulnerabilities quickly, but they do arise from time to time. 
For example, <a href=\"https:\/\/threatpost.com\/single-malicious-gif-opened-microsoft-teams-to-nasty-attack\/155155\/\" target=\"_blank\" rel=\"noopener nofollow\">researchers recently found a vulnerability<\/a> (since patched) that enabled account takeover.<\/p>\n<h2>Skype for Business<\/h2>\n<p>The cloud version of <a href=\"https:\/\/docs.microsoft.com\/en-us\/SkypeForBusiness\/skype-for-business-online\" target=\"_blank\" rel=\"noopener nofollow\">Skype for Business<\/a> \u2014 the predecessor of Teams in Office 365 \u2014 is gradually becoming a thing of the past, but you can still <a href=\"https:\/\/docs.microsoft.com\/en-us\/SkypeForBusiness\/skype-for-business-server-2019\" target=\"_blank\" rel=\"noopener nofollow\">install it locally<\/a>. Some users find it more convenient than Teams, and Microsoft will continue to support the local version of Skype for the next couple of years.<\/p>\n<h4>Security<\/h4>\n<p>Skype for Business encrypts information, but not end-to-end, and the service\u2019s protection is configurable. It also uses local server software, so video calls and other data never leave the corporate network \u2014 an obvious advantage.<\/p>\n<h4>Vulnerabilities and downsides<\/h4>\n<p>The product won\u2019t be supported forever. Unless Microsoft changes its plans, support for the application will end in July 2021, and Skype for Business Server 2019 will be on extended support until October 14, 2025.<\/p>\n<h2>WebEx Meetings and WebEx Teams<\/h2>\n<p>Cisco WebEx Meetings is a narrowly focused videoconferencing service. Cisco WebEx Teams is a full-featured coworking service that, among other things, supports video calls. For the purposes of this post, the difference between them is in their approach to encryption.<\/p>\n<h4>Security<\/h4>\n<p>Cisco WebEx Meetings includes business-class services and end-to-end encryption. 
(The option is off by default, but <a href=\"https:\/\/help.webex.com\/en-us\/WBX44739\/What-Does-End-to-End-Encryption-Do\" target=\"_blank\" rel=\"noopener nofollow\">the provider will activate it<\/a> on request. Doing so somewhat limits the utility\u2019s functionality, but if your employees deal with confidential information in meetings, it is certainly a good option to consider.) Cisco WebEx Teams provides end-to-end encryption <a href=\"https:\/\/help.webex.com\/en-us\/vf2yaz\/Cisco-Webex-Teams-App-Security\" target=\"_blank\" rel=\"noopener nofollow\">only for correspondence and documents<\/a>, whereas video and audio calls are decrypted at Cisco\u2019s servers.<\/p>\n<h4>Vulnerabilities and downsides<\/h4>\n<p>Only this March, the vendor patched <a href=\"https:\/\/threatpost.com\/high-severity-cisco-webex-flaws-fixed\/153462\/\" target=\"_blank\" rel=\"noopener nofollow\">two WebEx Meetings vulnerabilities<\/a> threatening remote execution of code. And early last year, a serious bug was found in the <a href=\"https:\/\/tools.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-20190123-webex-rce\" target=\"_blank\" rel=\"noopener nofollow\">WebEx Teams client<\/a>. It allowed the execution of commands with the current user\u2019s privileges. Cisco is known to be serious about security, though, and updates its services quickly.<\/p>\n<h2>WhatsApp<\/h2>\n<p>WhatsApp was built for social communication, not business, but the free app can cover the videoconferencing needs of small companies or teams. The program is not suitable for large businesses; videoconferencing is available <a href=\"https:\/\/faq.whatsapp.com\/en\/android\/26000026\" target=\"_blank\" rel=\"noopener nofollow\">only for up to four participants at a time<\/a>.<\/p>\n<h4>Security<\/h4>\n<p>WhatsApp has the indisputable advantage of <a href=\"https:\/\/www.whatsapp.com\/security\/\" target=\"_blank\" rel=\"noopener nofollow\">true end-to-end encryption<\/a>. 
That means neither third parties nor WhatsApp\u2019s employees can view your video calls. But unlike business apps, WhatsApp offers almost no chat and call security management options, only what\u2019s built in.<\/p>\n<h4>Vulnerabilities and downsides<\/h4>\n<p>Just last year, <a href=\"https:\/\/www.kaspersky.com\/blog\/whatsapp-call-zeroday\/\" target=\"_blank\" rel=\"noopener nofollow\">attackers distributed Pegasus spyware<\/a> through WhatsApp video calls. The bug was fixed, but remember, the app is not meant to offer business-class protection, so at the very least, users should follow cybersecurity news carefully.<\/p>\n<h2>Zoom<\/h2>\n<p>The cloud-based videoconferencing platform Zoom has been in the news since the beginning of the epidemic. Its flexible pricing (with free 40-minute conferences up to 100 participants) and user friendliness have attracted tons of users, but the platform\u2019s foibles have also attracted <a href=\"https:\/\/www.kaspersky.com\/blog\/zoom-security-ten-tips\/34729\/\" target=\"_blank\" rel=\"noopener nofollow\">tons of attention<\/a>.<\/p>\n<h4>Security<\/h4>\n<p>The service complies with the <a href=\"https:\/\/www.kaspersky.com\/blog\/soc2-audit\/\" target=\"_blank\" rel=\"noopener nofollow\">SOC 2<\/a> international security standard, offers a separate HIPAA-compliant service plan for health-care providers, and has flexible configuration. Session organizers can block out participants even if they have the right hyperlink and password, ban recording, and more. 
If needed, Zoom can be set up in such a way that no traffic leaves the company.<\/p>\n<p>Zoom has been actively addressing reported vulnerability issues, and the company says it plans to <a href=\"https:\/\/www.digitaltrends.com\/computing\/zoom-privacy-feature-freeze-active-users\/\" target=\"_blank\" rel=\"noopener nofollow\">prioritize product security<\/a> over adding new features.<\/p>\n<h4>Vulnerabilities and downsides<\/h4>\n<p>Zoom claims to have implemented end-to-end encryption, but the claim is not quite justified. With end-to-end encryption, no one other than the sender and the recipient can read transmitted data, whereas Zoom <a href=\"https:\/\/theintercept.com\/2020\/03\/31\/zoom-meeting-encryption\/\" target=\"_blank\" rel=\"noopener nofollow\">decrypts video data on its servers<\/a>, and <a href=\"https:\/\/www.businessinsider.com\/china-zoom-data-2020-4\" target=\"_blank\" rel=\"noopener nofollow\">not always in your company\u2019s home country<\/a>, either.<\/p>\n<p>Vulnerabilities of varying severity have been discovered in Zoom applications. Zoom\u2019s <a href=\"https:\/\/twitter.com\/hackerfantastic\/status\/1245133371262619654\" target=\"_blank\" rel=\"noopener nofollow\">Windows<\/a> and <a href=\"https:\/\/twitter.com\/SymbianSyMoh\/status\/1245319353932922881\" target=\"_blank\" rel=\"noopener nofollow\">macOS<\/a> clients were reported to have a bug (already <a href=\"https:\/\/www.pcworld.com\/article\/3535373\/report-hackers-can-steal-windows-credentials-via-links-in-zoom-chat.html\" target=\"_blank\" rel=\"noopener nofollow\">fixed<\/a>) that let hackers steal the computer\u2019s account data. 
<a href=\"https:\/\/www.forbes.com\/sites\/kateoflahertyuk\/2020\/04\/01\/zoom-users-beware-heres-how-a-flaw-allows-attackers-to-take-over-your-mac-microphone-and-webcam\/#77bdbbb62fbe\" target=\"_blank\" rel=\"noopener nofollow\">Two more bugs in the macOS app<\/a> potentially allow attackers to completely take over the device.<\/p>\n<p>In addition, many reports surfaced of <a href=\"https:\/\/techcrunch.com\/2020\/03\/17\/zoombombing\/\" target=\"_blank\" rel=\"noopener nofollow\">Internet trolls<\/a> visiting open conferences, unprotected with passwords, to post dubious comments and share screens with obscene content. On the whole, you can fix the problem by <a href=\"https:\/\/www.kaspersky.com\/blog\/zoom-security-ten-tips\/\" target=\"_blank\" rel=\"noopener nofollow\">configuring your conference<\/a> properly, but Zoom has also <a href=\"https:\/\/support.zoom.us\/hc\/en-us\/articles\/360033331271-Account-Setting-Update-Password-Default-for-Meeting-and-Webinar\" target=\"_blank\" rel=\"noopener nofollow\">added default password protection<\/a> to be on the safe side.<\/p>\n<p>Amid news of security issues in Zoom, large players have disparaged the service. But all services have vulnerabilities, and in Zoom\u2019s case, explosive popularity has brought tremendous scrutiny.<\/p>\n<h2>Choose the app that suits you best<\/h2>\n<p>There is no such thing as a perfectly secure videoconferencing app \u2014 or any other kind of app, for that matter. Choose a service whose downsides are not problematic for your business. And remember, choosing the right app is only step 1.<\/p>\n<ul>\n<li>Take the time to properly configure the service. Permissive settings have enabled many a leak.<\/li>\n<li>Update your apps promptly to seal vulnerabilities as soon as possible.<\/li>\n<li>Make sure your employees have at least basic safe Internet behavior skills. 
If not, arrange for a remote training class through our <a href=\"https:\/\/k-asap.com\/en\/?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____kasap___\" target=\"_blank\" rel=\"noopener\">Kaspersky Automated Security Awareness Platform<\/a>.<\/li>\n<\/ul>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kasap\">\n","protected":false},"excerpt":{"rendered":"<p>How secure are the most popular videoconferencing apps?<\/p>\n","protected":false},"author":2509,"featured_media":16555,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1917],"tags":[2260,2254,2259,2282],"class_list":{"0":"post-16552","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-remote-work","10":"tag-remote-working","11":"tag-telecommuting","12":"tag-videoconferencing"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/videoconference-software-security\/16552\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/videoconference-software-security\/20980\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/videoconference-software-security\/8182\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/videoconference-software-security\/21703\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/videoconference-software-security\/19851\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/videoconference-software-security\/18578\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/videoconference-software-security\/22549\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/videoconference-software-security\/21507\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/videoconference-software-security\/28287\/"},{"hreflang":"tr","url":"https:\/\/www.ka
spersky.com.tr\/blog\/videoconference-software-security\/8182\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/videoconference-software-security\/35196\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/videoconference-software-security\/14763\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/videoconference-software-security\/15125\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/videoconference-software-security\/13407\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/videoconference-software-security\/23861\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/videoconference-software-security\/28229\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/videoconference-software-security\/25365\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/videoconference-software-security\/22190\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/videoconference-software-security\/27455\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/videoconference-software-security\/27291\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/remote-work\/","name":"remote 
work"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/16552","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2509"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=16552"}],"version-history":[{"count":2,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/16552\/revisions"}],"predecessor-version":[{"id":16598,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/16552\/revisions\/16598"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/16555"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=16552"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=16552"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=16552"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}