Due to COVID-19, many financial services employees now handle intellectual property, sensitive communications and confidential data from home — a change that occurred in tandem with the already growing adoption of video technologies by banks and credit unions.
However, not every home network is encrypted and not every video conferencing solution is adequately secure. For bankers and credit union staff working remotely with these tools, the risk is significant — a single breach could have catastrophic consequences for both customers’ privacy and the financial institution’s reputation.
Large banks remain split over the security fitness of the most popular video conferencing tools. For example, Standard Chartered PLC instructed employees not to use Zoom or Google Hangouts due to cybersecurity concerns. But with user experience, price and security all top of mind, you need to take a critical look at your own video conferencing solutions to ensure they are secure, cost-effective and equip employees with the tools they need to continue working efficiently.
4 Key Video Security Concepts to Measure Your Usage By
A helpful rule of thumb is that your video conferencing tools shouldn’t inform your IT security policy — they should fit into it. Ultimately, you don’t want to create more work for your IT administrators. Here are four security considerations when choosing a video conferencing tool for your financial institution:
1. Comprehensive Encryption: Although there are various ways to encrypt video conferencing platforms, end-to-end encryption has become the de facto bar. True end-to-end encryption ensures that no party outside your organization has access to your communications and data. (That holds even for the company that made the tool and for law enforcement.)
This is a must-have security feature for highly regulated institutions, but it isn’t always included in free products and services. So, before committing to a solution, confirm that end-to-end encryption is part of the package.
2. Access Controls: To ensure security, you must guarantee that only invited participants join meetings and receive the information communicated in them.
Access control features like one-time, disposable meeting URLs and passcodes prevent outsiders from eavesdropping. It’s also important that these access controls extend to recording and sharing permissions to prevent unauthorized sharing of information after the meeting ends.
3. Historical Data Analysis: The ability to audit past meetings and events is just as important as ensuring real-time security. Look for a tool that supports retrospective insights: Who was on the call? Where were they calling from?
While this security feature is not necessary for daily use, it can become essential for institutions that regularly deal with sensitive information and strict regulations and need to establish how and with whom information was shared.
4. Trust: Your organization’s network should have its own security rules and firewalls, but the security of a video conferencing tool is somewhat beyond your IT department’s direct control because employees might use it on their home networks.
For this reason, request penetration tests and details about how and where the tool stores your company’s data. Be proactive in determining why the tool you choose is the most secure option.
And don’t blindly trust the features and certifications a vendor lists.
With any enterprise-grade video conferencing service, these security mechanisms should be available out of the box. Base-level security such as end-to-end encryption shouldn’t be presented as an add-on feature, but as an integral building block engineered into the tool.
Recognize that Clunky Video Services Will Cause Employees to Risk DIY Solutions
At most organizations, natural tension exists between the desire to give users control over security (the ability to toggle encryption, access control and other protections on and off to improve usability) and the concern that this control may make the platform less secure. There’s sometimes a perception that the more options you offer outside of fundamental security must-haves, the more doors you leave open to threats.
In reality, a tool without any security configurability is not user-friendly. It also won’t appease your IT department, which may still want a hand in ensuring the security of the tool. In general, onerous security policies — those that are constraining, too convoluted for users to understand and often impossible to measure the success of — do more harm than good because they create their own security vulnerabilities.
For example, policies that completely prevent recording of meetings frequently result in attendees taking pictures or screenshots of content that are not securely stored and shared the way that recordings would be.
When security policies are too rigid and approved tools are not intuitive to the user, employees will quietly procure and use less secure apps that offer the path of least resistance. For instance, making it overly difficult (or even prohibited) for external guests to join meetings may drive employees to use unauthorized tools to conduct those meetings. In fact, this type of behavior is the basis of the business model for many of today’s most popular collaboration apps — and it creates a major security hole in the form of “shadow IT.”
Shadow IT can manifest itself on many fronts, from document sharing to video conferencing. And in a highly regulated industry like banking and finance, any security vulnerability is an unacceptable risk. That is all the more reason to ensure the video conferencing tool you choose is both user-friendly and a fit for your security policy.