The onset of the COVID-19 pandemic has precipitated a mass movement towards remote working and the tools needed to facilitate distanced collaboration. In the absence of meeting face to face, it is natural that we should seek solutions to compensate for this most human way of communicating. While video conferencing applications cannot fully substitute the benefits of face to face contact, they do enable us to collaborate with colleagues, conduct negotiations or simply connect with family and friends. They have become an important tool in helping us adjust to the new normal. Organisations that suddenly had a pressing need to fill this gap may have found themselves hastily advancing these applications through their procurement process.
Organisations and their staff each play a role in the successful adoption of these tools, from the due diligence performed during the procurement process, to testing, rollout, and staff training and awareness around how to use these applications. In this article, we look at what employers should be considering when reviewing video conferencing applications, including carrying out due diligence, analysing privacy and security policies and putting in place appropriate governance to manage their rollout.
Due Diligence
In choosing a video conferencing application appropriate for the organisation, it is necessary to consider the organisation’s context, use-case and risk profile.
- Context – What type of organisation is it? A government agency may have different requirements than an SME;
- Use-case – What are the organisation’s needs? Is it purely for video conferencing, or will other collaborative features be necessary, such as file sharing and integration with other systems?
- Risk profile – The previous two attributes will contribute to determining a risk profile. Depending on the assessed risks to the organisation and its employees, this may drive the need for specific requirements when it comes to the security controls that an application provides.
Market Research
When assessing the options, it would be wise to carry out research not only on the tool and its functionalities, but also on the company behind the tool. Examining press stories, discussion forums and user reviews of the application (e.g., those available in mobile app stores) can be useful in giving an indication of whether the application and the company behind it have met user expectations or have had negative coverage (for example, in the case of a data breach). Look at the revenue model of the provider: if the platform is being provided free of charge, it can be a signal that there may be further processing of users’ data (e.g., for profiling and advertising purposes) to remunerate the provider. Additionally, organisations should investigate whether an adequate support channel is provided, and what response times can be expected.
Privacy and governance framework
Employers should pay attention to the provider’s privacy policy, ensuring that it meets the necessary transparency requirements of the General Data Protection Regulation (GDPR). In a report on the privacy policies of video conferencing services produced by NOYB (European Center for Digital Rights), they note that services such as GoToMeeting (LogMeIn) and Zoom state that they may also receive information from other sources, including publicly available databases, or “enrich” this data with information they already have. In this situation, such companies are combining data sets to augment their user profiles. Employers should consider whether such processing is appropriate, and employees should be informed of this processing. Any processing that is being carried out by the processor should be outlined in a Data Processing Agreement (DPA), in line with Article 28 of the GDPR.
Security assurance
Many providers will give information relating to their security practices, whether they certify or align to relevant security standards, and an overview of the controls in place to secure the software. If the provider is certified to a standard such as ISO/IEC 27001 or holds a SOC 2 attestation, this can be an indication of commitment to security and give a certain level of assurance.
With respect to the video conferencing application itself, the following is a list of security-related attributes to aid in assessment:
- Has the application been independently penetration tested?
- Is there a regular release pattern to the software? If a conferencing tool has not had an update for several months, it could be vulnerable to recently discovered security vulnerabilities. Likewise, many updates in quick succession can be an indication of security vulnerabilities that needed to be fixed following an earlier update to the application;
- Is end-to-end encryption provided? This ensures that communication between participants is not accessible to the service provider and adds an additional layer of security against third parties attempting to access the communication;
- Communication should also be encrypted in transit using HTTPS/TLS. This is different from the end-to-end encryption mentioned above: HTTPS/TLS encryption still leaves open the possibility that the service provider could access the communication, but it is an additional layer of protection preventing malicious third parties from doing so;
- Is it possible to integrate the authentication mechanism with your organisation’s? Supporting features such as Single Sign-On (SSO) enable an organisation to integrate the video conferencing platform’s authentication mechanism with that already in use by the organisation, enabling a consistent approach to access and identity management;
- Does the application support Multi-Factor Authentication (MFA)? Adding an additional authentication factor (e.g. a generated one-time code) provides another layer of security.
Company Usage Policy
Employers should develop a company policy covering the use of the video conferencing application. This policy should be kept up to date with the latest relevant advice regarding configuration and acceptable uses of the application. The aim of this policy is to provide clear guidance on the use of the tool so that there is staff awareness of how to minimise privacy and data protection risks and ensure the protection of business information. Guidance regarding items to include in this policy can be found in our article ‘Video Conferencing Applications – advice for employees’.
A video conferencing application is not for life
Events such as COVID-19 may result in the need to accelerate adoption of solutions such as video conferencing applications without the capacity to carry out as thorough an assessment as would be done under normal circumstances. This does not preclude carrying out a review once the tool has been implemented. The organisation may decide to review the implementation of the tool within a six-month period, for example. This would ensure that a reasonable time has elapsed in which to assess whether issues have been observed with the platform, and to confirm that it is meeting business expectations and compliance standards. Should a privacy or security incident occur sooner than that, an expedited review should be triggered.
Trilateral has significant experience helping our clients carry out data protection assessments during the procurement and implementation processes. Please feel free to contact our advisors, who would be more than happy to help.