ENISA offers some practical advice to SMEs with regard to the security and privacy aspects that should be considered upon the selection and use of online communication tools.
The coronavirus outbreak has affected and changed the way small and medium-sized enterprises (SMEs) across the EU do business, both internally and externally with suppliers and customers. SMEs face the new challenge of working remotely in a way that is still productive and efficient, but also secure. Online communication tools (including video/audio conferencing, instant messaging, remote document sharing/file exchange and internet streaming) are key to helping SMEs adapt to these new working arrangements. Among other aspects, the security and privacy settings of such tools are fundamental to their safe and efficient operation.
Taking into consideration the variety of online communication tools available today, ENISA offers the following practical advice to SMEs on the security and privacy aspects that should be considered when selecting and using such tools.
Tips for the selection of an online communication tool
- Make sure that the tool supports encrypted communication. It is especially recommended to rely on tools that support end-to-end encryption and provide sufficient information on the key sizes and algorithms used.
- Opt for a tool that supports centralised management features, such as call restriction policies, password policies, virtual meeting rooms and eavesdropping prevention.
- Assess the security settings; in particular, make sure that the tool supports strong authentication, such as Multi-Factor Authentication (MFA).
- Review carefully the configuration options, considering in particular whether the service can be run in-house or relies only on external storage of data; if possible, prefer in-house implementations and ensure that integration with existing business tools and/or Single Sign On (SSO) can be provided.
- Read the privacy policy of the tool carefully, in particular as regards the following key aspects: the types of personal data stored by the tool; the location of the data; possible transfers of data to third countries; data retention periods; the default privacy settings/behaviour of the tool. Make sure that the app does not send data to social media for advertising or other unwanted purposes. In case of doubt, consult your Data Protection Officer (or your privacy contact person if you do not have a DPO) for further assessment.
- Use available work resources, such as the work email account and work laptop, to access the service, and restrict use from personal devices where possible. If it is necessary to use the tool from mobile phones, verify the permissions that the app requests and advise users accordingly (e.g. participating in an audio call does not require granting access to the camera or to location data).
- Ensure that only official distributions of the client are used; if that is not possible, prefer the web client. Verify that the latest version of the software is used and that security patches are applied in a timely manner.
- Make sure all meetings are password protected. Avoid sharing conference links and meeting passwords outside the intended participants. Invite users from within the tool if possible and ask them to refrain from sharing the link. If Single Sign On is not supported, advise all users to protect their accounts by selecting strong passwords and enabling multi-factor authentication.
- Verify the default settings of the tool and make sure that all users are aware of them. Apply, where possible, default settings that protect users’ privacy (e.g. video deactivated by default, no audio/video recording, no central storage of instant messages, etc.). Refrain from recording the meetings unless there is a specific need for this. In case of recording, ensure that all meeting participants are informed and agree with the recording.
- Advise users to use the chat, audio, camera and screen sharing functions wisely. For example, it is advisable not to use video on a call when it is not needed. Moreover, users should ensure that only the window they want to share is visible on their screen, and they should prevent their email or chats from becoming visible during meetings. When using video, users should make sure that their background is neutral and does not reveal any of their personal data or other confidential information.
This article was inspired by research performed by CERT.LV, the Information Technology Security Incident Response Institution of the Republic of Latvia. CERT.LV operates under the Ministry of Defence of the Republic of Latvia and is part of the EU CSIRTs Network.