Opinions

'Who Just Joined?' - Business' Glaring Security Flaw

Businesses spend billions protecting sensitive information, but are they missing an obvious flaw?


For obvious reasons, law firms treat client confidentiality as sacrosanct. However, security breaches are on the rise. According to PWC’s annual law firms’ survey, 73% of law firms reported suffering from a security incident in 2016, up 11% from 2015, with phishing attacks accounting for the majority of breaches.

With stats like these, it’s no wonder law firms are going to ever greater lengths to safeguard clients’ confidentiality.

In last year’s ILTA legal technology purchasing survey, security management was recognised as the biggest challenge facing IT teams. Email, cloud computing and BYOD are just three of the technologies called out for their security implications.

Notably absent, however, is any mention of conference calls – a daily activity between lawyers and their clients. This isn’t unusual: rarely does one hear security concerns voiced about this 25-year-old business activity.

But does this apparent lack of concern stand up to a very basic level of scrutiny?

“Who just joined?”

This is arguably the most asked question on conference calls, caused by the dominant method of joining – dialing in with numbers and codes. In a 2017 survey by Sapio Research, commissioned by LoopUp, over 50% of conference callers considered it quite normal not to know who was present on their conference calls.

Why has this been allowed to continue? Well, fundamentally, everyone knows how to use dial-in. As the host, you can share dial-in numbers and access codes with the confidence that all your guests will indeed appear on the call. It may lead to a tremendous amount of frustration given its black box nature, but it’s unlikely to be a catastrophe. That is, unless it’s not secure.

What’s the worst that could happen?

The driving force behind the ubiquity of conference calling today was the arrival of ‘reservationless’. The host no longer needed to reserve a facility, specifying call duration and the number of guests. Instead, each host got their own dedicated facility that could be used whenever they liked.

But dial-in and reservationless are a problematic combination. The same numbers and codes are used time and time again, by many different people, and sometimes for years on end. Then factor in the innate lack of visibility that comes from dialing in, and this is not what you’d expect from a secure service for sensitive, confidential conversations.

Even presidential campaigns have fallen victim to this forgotten hole in security. During the 2008 presidential primaries, Barack Obama’s campaign lawyer obtained the dial-in details for a media conference hosted by the Clinton camp. He managed to join unnoticed and speak with press attendees, much to the surprise of his opponents - to put it mildly.

What’s more, in 2012, the FBI admitted to hosting a conference call with several international police agencies about a joint investigation into a hacker group, only to find that the hackers had also joined the call. To add insult to injury, the eavesdroppers didn't need to hack into the call; they simply obtained an email containing the dial-in details.

While these are very high profile examples, the highly sensitive nature of many client calls means that there are rich pickings for professional phishers to exploit in general business life.

And then there are the non-malicious, accidental security breaches. For example, we’ve all been on conference calls where the host has scheduled back-to-back meetings and the guests inadvertently gatecrash confidential conversations, or someone simply gets the day or time of the meeting wrong. These may generally be less damaging, but they’re still highly embarrassing for the host.

What’s not the solution?

Training is the first obvious non-answer. Let’s get real – lawyers, like most business professionals, have neither the time nor inclination to attend training on how to host conference calls.

What about adding roll-call? Most conferencing services offer that capability. There are two problems here: first, it’s painful as calls are interrupted whenever anyone joins or leaves. Second, a malicious uninvited guest could simply not record their name. Would everyone hang up then? Unlikely.

What about some of the more capable software products for remote meetings? They offer a level of visibility to guard against such security breaches. The problem here is that the major players’ products tend to be quite feature-heavy and off-putting.

Most lawyers want something simple that just works. They don’t feel comfortable running the risk of user error and looking foolish in front of clients. So they shy away from such feature-heavy tools and resort to the ‘safety’ of the devil they know – dial-in.

So, what is the solution?

Reservationless is understandably attractive. It feels wrong to go back to a world of not being able to host meetings unless you’ve booked them in advance. But dial-in is another thing altogether. If we were to invent conference calling today, dial-in surely wouldn’t be in the mix. It only persists because it’s ingrained in our conferencing ritual, not because it’s a good experience.

How might we tempt people to move away from dial-in? Here are three considerations:

1) Keep dial-in in the mix, at least for now

Even if just as a back-up, retain dial-in as a secondary joining option. That way, you still cater for the late adopters, and you offer a familiar safety net to the earlier adopters. It simply isn’t realistic to go cold turkey on this one.

2) Make the new way even easier than dial-in, and offer added value for using it

If an alternative to dial-in is to take hold, it has to be just as easy, and ideally even easier. How about having the meeting dial out to you? Better still, how about getting visibility of who’s on and who’s speaking as an extra pay-off?

3) Add features super selectively and exceptionally

Hosting a conference call is a very risk-averse activity, and too many features scare people. Training internal users isn’t realistic and training external guests is impossible. As such, only add truly important features, for an exceptional user experience.

Leave out the rest, and let the more specialist users who need more features use more. For most legal professionals, less – done well – is more.

Working towards a world where dial-in diminishes – and one day disappears – will make conference calls and remote meetings much more secure.
