Omicron’s ‘ushering of the new year’ is causing several higher education and K-12 institutions to revert to temporary remote learning. At the same time, many business owners have already extended work-from-home operations for the immediate future. Hybrid or fully remote, regardless of the set-up, this now means IT and cybersecurity ‘behind-the-scenes’ heroes have to trepidatiously gear up for the third year of cybercrimes taking place on video conferencing platforms.
Since March 2020, disruptions on video conferencing platforms are taking center stage. Zoombombings continue to show us the ugly side of bigotry and hate crimes, where outside intruders attack different groups or individuals based on their religion, race, or sexuality. No organization is immune to the shortcomings of platforms that stress performance over security, and as such, both the private and public sector alike continue to experience threats beyond Zoombombing, including sensitive corporate and customer data being exfiltrated with ease. Since it is a real, wide, and underappreciated threat, StrikeForce endeavored to study this topic for a year and concluded that standards should be set immediately in this ‘wild west’ of vulnerable video conferencing.
“There are governance measures and best practices regarding how data should be handled across virtually every medium except video conferences – this makes no sense and must be addressed,” explained Joe Krull, Aite-Novarica.
Collaborative and remote video communications are now ubiquitous. It, therefore, is imperative that all related parties, including federal and state governments, technology providers, and private and public sector organizations, each be accountable to not only put their own protocols in place but work in collaboration with one another. However, tackling this wild west is complex and can’t all happen simultaneously. A foundation is needed as a stepping stone to creating a larger framework for the future that can and should be adopted by all parties involved.
Following in the footsteps of other big techs, i.e. Google and Microsoft, who are committed to carrying out Biden’s Cybersecurity Executive Order (EO) in other areas, StrikeForce is dedicated to the EO by specifically carving out and leading the charge in moving towards privacy and security standardization in the video conferencing and collaboration industry.
Recognizing the need for an objective, foundational structure back in November 2020, StrikeForce commissioned Aite-Novarica to conduct a study before shedding light on crucial standardization considerations. The study included discussions with financial service technology professionals, video conferencing vendors and users, attendance at virtual industry events, and the author’s own experience as a former chief information security officer and cybersecurity consultant.
Aite-Novarica Study Conclusion: Confirms Need for Immediate 4-Level Classification Foundation
Based on the response from the cross-industry stakeholders that participated in this research, the study concluded that a foundational schema is needed to classify the various levels of video conferencing sessions based on data security and privacy priorities. Once classifications are established, security and privacy technology protocols must then be implemented and executed in accordance with levels of importance.
Aite-Novarica and StrikeForce are urging the industry to come together, consider, and adopt the following 4-Level schema as the first step to standardization. This is based on participants’ responses who concluded that this is one of the smartest and quickest ways forward. The schema below was also developed following NIST and CISA guidelines to comply with the Cybersecurity Executive Order requirements and suggestions. The hope is also to be considered a ‘best-agreed practices’ consideration and jumping-off point for future standardization.
| NIST – FIPS Data Classification | Description | Regulatory Compliance & Framework | Potential Impact on Organizations & Individuals |
|---|---|---|---|
| Level I: Low Risk |
Public Information: Public Websites, Press Releases, Marketing Materials, Social & Networking Events, “Non-Sensitive Discussions with Business Partners” |
NIST | Limited |
| Level II: Moderate Risk |
Sensitive: HR & Employee Records, Employee Directory, Unpublished Research, Supplier Contracts, Student Records (FREPA) |
GDPR, HIPAA, CCPA, NIST | Serious |
| Level III: High Risk | Highly-Sensitive: Intellectual Property, Strategy and M&A, Customer Personal Data, Health Records, Banking /Financial Accounts, Credit Card #, Social Security #, Drivers License Info |
Sarbanes-Oxley, Gramm-Leach-Bliley PCI DSS, GDPR, HIPAA, HITECH, CCPA, NIST |
Severe or Catastrophic |
| Level IV: Sensitive / Controlled Unclassified Information (CUI) | Federal Agencies: For Official Use Only (FOUO), Law Enforcement Sensitive (LES), Sensitive Homeland Security Information, Sensitive Security Information (SSI), Critical Infrastructure Information (CII) |
“US State/Territory Privacy Requirements” |
Catastrophic |
We have now published the study and conclusions in a white paper and urge the industry to consider them and respond. To download the white paper, go to https://strikeforcetech.com/secure-collaboration-whitepaper/
