What is an out-of-band communication?

Used in critical contexts, out-of-band communications contribute to protecting exchanges and ensuring the continuity of business activities for organisations in crisis situations.

Definition

An out-of-band communication is a communication made outside of the usual networks. It uses reserved and secure channels to remain operational at all times, for example in case of a cyberattack or a failure on the main network. In this out-of-band setup, the audio, video, and data communication flows are generally encrypted end-to-end. This protects confidential or highly sensitive exchanges from any eavesdropping.

Use cases for out-of-band communications

Multi-factor authentication (MFA)

Multi-factor authentication involves verifying a user’s connection request before granting them access to a resource. To do this, it uses at least two factors, one of which typically involves an out-of-band communication. After entering their credentials (first factor), the user receives a verification request (second factor) on, for example, an encrypted application. The MFA system sends this request over a different network. The aim is to limit the risk of data interception in the event of vulnerabilities on the network used for the initial connection.

Sensitive communications

Moreover, in the context of remote or hybrid work, collaborators use communication tools that are not always secure. However, within sensitive organisations, such as Essential Service Operators and Vital Importance Operators, protecting critical communications is a fundamental criterion. For their confidential online meetings, involving classified subjects or benefiting from a protective designation, the use of out-of-band communication systems is essential.

Business continuity

Furthermore, as European organisations are required to enhance their cybersecurity with the NIS 2 directive, crisis management and business continuity policies are becoming major topics. The deployment of out-of-band communication tools addresses these challenges. Indeed, in the event of a crisis, teams benefit from dedicated and secure communication channels. They can thus respond to incidents and ensure business continuity.

In public administrations, which rely on traditional communication means, the implementation of a communication system outside traditional networks has numerous benefits. It especially guarantees the continuity of public service.

Secure video conferencing for out-of-band communications

End-to-end encrypted secure video conferencing is suitable for setting up out-of-band communications internally. In sensitive contexts, collaborators particularly need to use a secure communication solution that is accessible at all times outside of traditional networks.

Tixeo offers a secure video conferencing solution, certified and qualified by ANSSI

Its end-to-end encryption, from client to client, prevents any interception of audio, video, and data exchanges, regardless of the number of participants in the online meeting.

In the on-premise version, the solution is deployed on a company’s dedicated server, without impacting the general network security policy. In case of a crisis, Tixeo can operate without an internet connection, isolated on the company’s infrastructure. This allows internal use only, for critical communications, and ensures the continuity of activities. Secure video conferencing thus helps to strengthen the cyber-resilience of organisations.

Secure video conferencing for lawyers: criteria and privacy issues

Lawyers utilise secure video conferencing for exchanges with their clients or peers. But what are the criteria to ensure the security of communications and the data of the individuals involved in legal proceedings?

Confidentiality of video conferencing for lawyers

The confidentiality of communications is the primary criterion for choosing a secure video conferencing tool for lawyers.

Lawyer consultations

When a consultation between a lawyer and their client cannot be held in person, due to personal constraints or time savings, the consultation can be conducted remotely. In this context, it must allow both parties to exchange information easily and confidentially. End-to-end encryption of audio and video communication streams is therefore essential: thanks to this technology, only the participants in the online meeting have access to the exchanges.

Document sharing

In the context of legal proceedings, a lawyer may need to exchange documents with their client or colleagues. The transmission of legal files also requires end-to-end encryption, to prevent any external interception.

Discussions among colleagues and peers

Lawyers also need to exchange information with colleagues, whether on the move or working remotely. They also have discussions with other professionals in the justice sector, such as bailiffs or clerks. All these online meetings deal with legal files that also require the highest security.

Personal data protection

The use of a video conferencing solution also involves the collection and processing of personal data from individuals involved in legal proceedings.

GDPR Compliance

It is crucial for legal professionals to ensure that the integrity of the personal data of individuals involved in legal proceedings is respected. For lawyers, in particular, this corresponds to respecting professional secrecy and the legal process. Therefore, the secure video conferencing tool used to discuss legal cases must be fully GDPR compliant.

Indeed, most video conferencing software hosts its data outside European territory and is then subject to lenient extraterritorial data protection laws. This is the case with the US Cloud Act: this series of extraterritorial laws allows American authorities to compel publishers located on American territory to provide data related to electronic communications, stored on American or foreign servers.

At any time, user data can thus be compromised.

Tixeo responds to CCBE’s questions about secure video conferencing for lawyers

As part of its guidelines on the use of remote working tools, the Council of Bars and Law Societies of Europe (CCBE) has compared the general conditions of frequently used video conferencing tools. This resulted in 6 questions that lawyers should ask themselves before choosing a secure video conferencing solution.

Tixeo, a secure, certified, and ANSSI-approved video conferencing solution, has chosen to respond:

To what extent are the applicable general conditions accessible and transparent?

Tixeo’s general conditions are available on request, depending on the offer concerned. Furthermore, its privacy policy, which concerns clients and users of the solution, is available on its website.

Who is responsible for data processing?

Depending on the cloud video conferencing offer chosen, Tixeo is either the data controller or processes personal data on behalf of its clients. In the context of its on-premise video conferencing offer (TixeoServer), the clients are responsible for processing the personal data of their users.

Where is the data stored?

All personal data collected and processed by Tixeo is hosted in France. Its secure cloud video conferencing offer benefits from ANSSI-certified SecNumCloud hosting.

To what extent do platform providers sell or share personal data?

Tixeo never sells or transfers personal data to a third country, except to Switzerland, which benefits from an adequacy decision. Data can therefore be transferred to our partner Ubcom in Switzerland, only with the explicit consent of the concerned individual.

What surveillance might the data held by cloud platform providers be exposed to?

None. Indeed, user data benefits from the protection of French hosts, committed to data security, GDPR compliant, and SecNumCloud certified.

What is the technical security level of the video conferencing platform?

Tixeo is the most secure video conferencing solution on the European market. Designed according to a Secure by design approach, it integrates security at every stage of its design to its deployment in organisations. Its proprietary end-to-end encryption technology ensures total confidentiality of exchanges, regardless of the number of participants in the online meeting. Lastly, Tixeo is 100% GDPR compliant.

Organisations in sensitive sectors such as defence, industry, or justice now trust Tixeo for their confidential communications.

Finance: why is secure video conferencing your crisis management ally?

As prime targets for cyberattacks, companies in the finance, banking, and insurance sectors must be prepared to manage major crises. It is by reacting quickly and in a coordinated manner that they will ensure their business continuity.

A dramatic increase in cyber risk for European banks

In 2022, according to the Financial Services Information Sharing and Analysis Center (FS-ISAC), distributed denial-of-service (DDoS) attacks targeting financial institutions increased by 73%.

The European Central Bank (ECB) now considers cyber risk as a major risk to financial stability.

How can this be explained?

Remote collaboration and the interconnection of systems can explain the proliferation of cyber threats within banks and finance organizations. Indeed, the accelerated digitalization of these organizations does not always come with enhanced security.

Furthermore, the primary factor in cyberattacks remains human. Employees generally do not have sufficient knowledge of cybersecurity best practices (unsecured communications, weak passwords, phishing, etc.). Their practices thus become a privileged entry point into companies’ information systems. Cyber attackers take advantage of these vulnerabilities to conduct attacks, thereby accessing sensitive financial information or disrupting the economic balance of an organization.

Lastly, the tense geopolitical context leads some state or quasi-state cybercriminal organizations to target the financial stability of a nation.

Crisis Management for Finance: a key point of the DORA Regulation

Banks and finance sector organizations must now strengthen their IT security and prepare to overcome upcoming crises.

The DORA regulation aims at these two objectives: improving the cybersecurity and cyber resilience of financial organizations to ensure continuity in their service provision. This regulation will come into force across Europe by the end of 2024.

The benefits of secure video conferencing

Secure video conferencing tools meet the needs for confidentiality, reactivity, and business continuity of organizations in a context of increasing cyber threats.

To limit Cyber Risk

Finance sector companies digitalize certain sensitive meetings. This is the case for executive committees or management boards, financial negotiation meetings, or audits and compliance reviews.

Holding these exchanges remotely saves time for the parties involved. However, it requires the use of a video conferencing solution with the highest level of security. Audio, video, and data communications must be protected against any eavesdropping by true end-to-end encryption technology. Secure video conferencing is thus a first line of defense against computer espionage and data theft.

To manage crisis and ensure business continuity

In case of disruption to the information system, the main collaboration tools may become inoperative. Resorting to a secure video collaboration solution then becomes essential:

  • to allow dedicated teams to discuss crisis management operations securely
  • to ensure the continuity of employee and company activities
  • to guarantee the confidentiality and protection of exchanges throughout the crisis and avoid further data leaks

Secure video conferencing meets the crisis management needs of the finance sector by ensuring team effectiveness and communication security.

How to choose the right ally?

The DORA regulation also underscores the fundamental importance of establishing policies on finance sector crisis management and risks related to information and communication technologies. This implies choosing highly secure ICT service providers and subcontractors.

Certification and qualification by ANSSI help companies, especially those in finance, make this choice. Indeed, ANSSI’s security visa guarantees a product’s reliability and high level of security, which are essential for facing crises and gaining cyber resilience. It is equivalent to a government recommendation for its use.

Choosing a secure video conferencing solution certified and qualified by ANSSI is therefore recommended, especially in the context of business continuity planning and cyber risk management.

Tixeo is the only secure video conferencing solution certified and qualified by ANSSI for over 6 years.

How to avoid “zoombombing” during an online meeting?

“Zoombombing” in video conferencing is still going strong. It disrupts increasingly strategic online meetings, often with malicious intent. To avoid this, video conferencing security must be maximised at all levels.

What is “zoombombing” in an online meeting?

“Zoombombing” is an unwanted intrusion into an online meeting. During the health crisis and the lockdown, the sudden and massive use of video conferencing caused this phenomenon to explode. “Zoombombing” got its name from the large number of intrusions by malicious people during Zoom videoconferences.

Intruders can have different objectives when they join a videoconference, ranging from simply disrupting the meeting to retrieving sensitive data such as the names of participants, the purpose of the meeting, documents or shared screens.

Serious consequences for organisations

An intruder in a videoconference is not only disruptive to the conduct of the meeting. It also represents a danger for the confidentiality of the information exchanged.

In its latest flash on the risks linked to video conferences, the DGSI cites the example of an intrusion into a company’s video conference to broadcast messages of a terrorist nature. The cause? No control over access to the online meeting: registration was free and the application password had a very low level of security. This lack of protection made it easier for individuals to break in.

Similarly, a recent Federal Reserve videoconference was cancelled after pornographic images appeared and were distributed by an anonymous participant in the meeting. About 100 representatives of major US banks were present during this online meeting. This disruption has led to the risk of data theft and tarnished the organisation’s reputation.

 

A must: the security of the video conferencing software used

These intrusions can be avoided if the videoconferencing software used is “Secure by design”. This principle consists of designing software by addressing security concepts from the very first stages of its design, in order to prevent the risks of security breaches.

Access to the software and to its functionalities is thus subject to strict analysis from the moment they are created. As a result, as soon as a vulnerability is discovered, it is immediately corrected before the software is deployed.

End-to-end encryption

For video conferences, end-to-end encryption is one of the essential security criteria. This data transmission system (audio, video and data) guarantees total confidentiality of communications. Indeed, only the sender and the recipient(s) are able to decrypt the data exchanged, without any decryption phase between them.

It is therefore impossible to eavesdrop or spy on an end-to-end encrypted video conference from outside the meeting. End-to-end encryption thus makes it even more difficult to intrude into an online meeting.

The key role of the videoconference organiser

The security of the video conferencing software is a first barrier against “zoombombing” in online meetings.

However, to ensure maximum protection, it is important that the meeting organiser is able to:

  • easily manage the participants and exclude an unwanted participant at any time
  • moderate the speaking rights in the meeting
  • adapt the security level according to the sensitivity of the meeting

Controlling access to online meetings

When a videoconference login link is shared, some unwanted guests have the opportunity to log in and access the meeting directly.

With Tixeo, if someone clicks on a videoconference login link, they enter their name and access a waiting room. The organiser receives a notification of this access request. The organiser can then decide whether or not to admit this person.

Similarly, at any time during the online meeting, the organiser can exclude a participant if he or she considers that the participant is suspicious.

Managing participants’ rights

Until all the participants in the videoconference are assembled, it is preferable that only the organiser has the microphone open. This avoids noise from everyone arriving and the risk of an intruder speaking up and attracting attention.

The organiser can also ask each participant to activate their webcam, so that there is no doubt about who is present, as recommended by the DGSI.

 

Choose the right security level

Tixeo allows the organizer to choose a higher or lower security level depending on the sensitivity of the videoconference.

For example, with a standard security level, it will be possible to share a connection link to the meeting and to connect to it from a web browser.

With a maximum security level, participants will have to create a user account and connect to the online meeting from the software.
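
The admission rules described in the sections above (waiting room, organiser decision, exclusion, standard versus maximum level), modelled as an added example. This is not Tixeo's code: the class, state and field names are hypothetical, and applying the waiting room at the maximum level as well is an assumption.

```python
from dataclasses import dataclass, field
from enum import Enum


class Level(Enum):
    STANDARD = "standard"  # join link may be used, including from a web browser
    MAXIMUM = "maximum"    # user account and client software are required


class State(Enum):
    REJECTED = "rejected"
    WAITING = "waiting"
    ADMITTED = "admitted"
    EXCLUDED = "excluded"


@dataclass
class JoinRequest:
    display_name: str          # self-declared by whoever holds the link
    has_account: bool = False  # signed in with a user account
    via_client: bool = False   # connecting from the installed software


@dataclass
class Meeting:
    organiser: str
    level: Level
    states: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _set(self, name, state, reason):
        self.states[name] = state
        self.audit.append((name, state.value, reason))
        return state

    def _require_organiser(self, actor):
        if actor != self.organiser:
            raise PermissionError("only the organiser manages participants")

    def request_join(self, req):
        name = req.display_name
        current = self.states.get(name)
        # An excluded name cannot come back, and an admitted name cannot be
        # displaced by a second request that reuses it.
        if current in (State.EXCLUDED, State.ADMITTED):
            self.audit.append((name, State.REJECTED.value, f"name already {current.value}"))
            return State.REJECTED
        if self.level is Level.MAXIMUM and not (req.has_account and req.via_client):
            return self._set(name, State.REJECTED, "account and client required")
        # Holding the link never grants entry by itself: default is the waiting room.
        return self._set(name, State.WAITING, "awaiting organiser decision")

    def decide(self, actor, name, admit):
        self._require_organiser(actor)
        if self.states.get(name) is not State.WAITING:
            raise ValueError(f"{name!r} is not in the waiting room")
        new = State.ADMITTED if admit else State.REJECTED
        return self._set(name, new, "organiser decision")

    def exclude(self, actor, name):
        self._require_organiser(actor)
        if self.states.get(name) is not State.ADMITTED:
            raise ValueError(f"{name!r} is not in the meeting")
        return self._set(name, State.EXCLUDED, "excluded by organiser")

    def participants(self):
        return sorted(n for n, s in self.states.items() if s is State.ADMITTED)


def demo():
    # Constructed scenario: a shared link reaches an unexpected guest.
    m = Meeting("alice", Level.STANDARD)
    m.request_join(JoinRequest("bob"))
    m.request_join(JoinRequest("unknown guest"))
    m.decide("alice", "bob", admit=True)
    m.decide("alice", "unknown guest", admit=False)
    return m.participants(), m.audit


if __name__ == "__main__":
    admitted, audit = demo()
    print(admitted)
    for entry in audit:
        print(entry)
```

Because a display name is self-declared, excluding a name only blocks reuse of that name; a request under a new name still lands in the waiting room, which is why the organiser's decision remains the control that matters at the standard level.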

ANSSI security visa

Tixeo secure video conferencing technology is the only solution to be certified and qualified by ANSSI.

Avoiding sharing information about an online meeting

Finally, information about a videoconference is sometimes inadvertently shared, for example in shared calendars, where the list of participants, the purpose of the meeting or the login link can be accessed. It also happens that photos of meeting rooms with a video conference in progress are published on social networks, even though the name of the network or the connection identifiers can be seen on the screen.

Vigilance must be exercised when sharing this type of information as it can lead to “zoombombing”.

Tixeo, Secure by Design video conferencing software, integrates security in the design of its solution. Its end-to-end encryption technology secures communications, regardless of the number of participants in the videoconference.

Spying: how to recognise an unsecured video conference?

When participating in an online meeting, certain aspects should alert you to the level of security. Here is how to spot them to avoid being spied on during videoconferences.

In its flash #91 on economic interference, the DGSI (General Directorate for Internal Security) gives several examples of suspicious video conferences that have consequences for the integrity of the company.

Its objective is to encourage French companies to be extra vigilant during their online meetings, which are often strategic and sensitive. Indeed, the risks of espionage and economic interference, via unsecured video conferences, are increasingly important. To avoid these risks, organisations must ensure that their exchanges are well secured.

The main characteristics of an unsecured videoconference:

Uncontrolled access to the online meeting

Some videoconferences are accessible through a shareable login link. They allow additional participants to be invited at the last minute but can also lead to intrusion by potentially malicious persons. In 2020, the intrusion of Dutch journalist Daniël Verlaan into a confidential videoconference was highly publicised.

To facilitate access to a secure videoconference, it is possible to share a connection link, but only if the organiser can validate the participants’ entry. This requires the organiser to check the identity of the person before allowing him or her to attend the exchange. If in doubt, it is always advisable to refuse the request or to ask for more details about the need to attend the meeting. Without this validation, anyone can connect and access the videoconference information (communications, files, etc.) or spread malicious messages.

Unencrypted communication flows

Audio, video or data exchanges can be spied on if they are not strictly protected by end-to-end encryption. This data transmission system only allows the sender and the recipient(s) to decrypt the data without any decryption phase between them. This avoids spying on videoconferences.

Some non-European video conferencing software claims this type of encryption but is subject to foreign regulations, such as the Cloud Act. The latter obliges publishers to provide back doors in their software to allow the authorities to listen in on communications under certain conditions. However, these back doors represent a security flaw and can be discovered by hackers who will use them to spy on videoconferences.

The DGSI recommends the use of end-to-end encrypted video conferencing solutions to avoid the risk of spying on videoconferences. Tixeo’s end-to-end encryption technology, certified and qualified by ANSSI, prevents any eavesdropping on communication flows, regardless of the number of participants in the online meeting. Moreover, as a European and sovereign solution, Tixeo’s end-to-end encryption is subject to the GDPR.

Suspicious behaviour by participants

Finally, the threat during a videoconference can sometimes be internal to the company. In this case, it is necessary to be attentive to certain suspicious signals emanating from the participants. In its flash, the DGSI discusses the striking example of a 100% teleworking employee who never shows herself to the webcam and records the videoconferences in which she participates. The capture of strategic information represents a danger of industrial espionage for a company. In case of doubt, it is important to avoid talking about sensitive subjects if confidentiality is no longer guaranteed.

 

Companies must protect their video conferences from espionage

Choosing a secure video conferencing tool

French companies are regularly victims of economic interference due to security breaches during online meetings and this is detrimental to their economic sovereignty. The security of their videoconferencing tool must therefore be at the heart of their concerns. With remote working, sensitive meetings are now done online and expose the company’s strategic data.

Tixeo is the only French video conferencing solution to be certified and qualified by ANSSI thanks to its end-to-end encryption. The software is Secure by Design: security is an integral part of its design process.

Raising employee awareness

Tixeo helps its customers and users to protect their communications and personal data. This security also requires raising awareness among teams, especially when teleworking.

It is essential that employees understand the risks of unsecured video conferencing and master the best practices. For each online meeting, organisers and participants must be able to gauge the appropriate level of security and adapt their vigilance accordingly (verification of guests, webcam activated for all, strong passwords, etc.).

Depending on the sensitivity of the meeting, Tixeo allows a standard or maximum security level to be activated. For a confidential meeting, the organiser can set conditions for accessing the videoconference (installation of the client software and creation of a user account). Each participant will have to identify themselves before accessing the videoconference.

How does secure video conferencing protect the personal data of companies and employees?

Communicating within and outside the company has never been easier. However, the security of video conferencing software is still rarely taken into account and often exposes users’ personal data.

The urgency of data protection

The 2022 GDPR barometer from Data Legal Drive indicates that 74% of the data and privacy professionals surveyed believe that employees are increasingly attentive to the protection of personal data by the company.

This is not surprising when you consider that in 2021, one out of two French companies was the victim of a cyber attack (CESIN study). Computer attacks generally lead to data theft, which exposes employees and undermines the financial stability of organisations.

In companies, videoconferencing tools process and transmit a multitude of sensitive and confidential data and become prime targets for hackers.

GDPR compliance

First and foremost, video conferencing software must be sovereign and compliant with the GDPR.

Within the European Union, the GDPR firmly regulates the protection of personal data, requiring software publishers to be transparent about their processing. It also excludes any possibility of transferring data to a third country, without a contractual agreement in advance.

The absence of a backdoor in the software

Some major video conferencing software products, published outside the European Union, comply with foreign legislation that authorises the interception of communications. This is the case of the Cloud Act, a series of extraterritorial American laws which allow the authorities to force publishers located on American territory to provide data relating to electronic communications. This data can be stored on American or foreign servers.

Tixeo is committed to data protection

As a European and secure solution, Tixeo is 100% compliant with the GDPR and puts personal data protection at the heart of its commitments. Indeed, its customers, evolving in sensitive sectors (defense, health, industry…) require a reliable video conferencing tool with a maximum security level and with all the guarantees to respect the integrity of their employees’ personal data.

In the Tixeo GDPR guide, select your user profile to find all the essential information you need to know about the processing, use, hosting, storage and protection of your personal data.

Features of a secure video conference

Secure video conferencing software offers additional guarantees for personal data protection. This is the case of Tixeo.

Secure by Design: an architecture designed for data security

To be secure, video conferencing software must be Secure by Design. In other words, it must take security into account from the very first steps of its design to its deployment. This process makes it possible to determine potential points of failure in the software at an early stage and to work out solutions to correct them during its development.

As a result, Secure by Design video conferencing software will be much more robust than traditional video conferencing software.

Deployment that minimises security impacts 

Deploying a video conferencing tool must not disturb the security of the company’s internal network. With Tixeo, Secure by Design video conferencing software, there is only one port to open to deploy the solution. Thus, the security policy of the company network is preserved. This saves time and preserves security.

End-to-end encryption

It is no longer a secret that communications in an unsecured video conference can be listened in on. Only end-to-end encryption avoids the risk of eavesdropping.

This technology enables all audio, video and data streams to be encrypted, regardless of the number of participants in the online meeting. It thus guarantees total confidentiality of exchanges.

Tixeo’s secure video conferencing includes end-to-end encryption through a server (AES 256 encryption), while easily adapting to network variations.

Taking into account the location of the publisher  

It should be noted that the location of the video conferencing publisher is an important criterion to take into account if the software claims end-to-end encryption. Indeed, in some countries, it is sometimes impossible to fully encrypt communications.

For example, since 2001 in the United States, the Patriot Act requires software publishers to add backdoors to their systems. This back door is a secret entrance that allows the authorities to access the software’s data. If a malicious entity discovers it, personal data can be compromised.
