New Work From Anywhere (WFA) Guidance: CIS Videoconference Security Guide

Mark Arnold

Work From Anywhere (WFA) Update: Securing Videoconferencing


In early April, we here at Lares led a webinar, What Credit Unions Need to Know About Online Meeting Security, in response to the rapid adoption of videoconferencing in the early stages of the COVID-19 pandemic. Organizations tasked with moving staff en masse and in haste to videoconferencing encountered security challenges (e.g. bombing) that rattled business leaders’ confidence in these solutions. Work from Home (now, WFA) risks that presented themselves at the outset of the pandemic still demand continuous strategic vigilance. We have been tracking recommendations and posting our own (see list below). The Center for Internet Security (CIS) has released two new resources worth checking out: CIS benchmarks for Zoom and a CIS Videoconferencing Security Guide.

What’s in the Guidance?

The CIS Benchmark for Zoom details security configuration recommendations for Zoom, while the CIS Videoconferencing Security Guide (VSC) is vendor-agnostic guidance for securing videoconferencing. As such, the CIS VSC reflects a common set of security best practices applicable to a wide range of videoconference solutions.

Common Videoconferencing Security


What I appreciate about the CIS Guides is their consistency in mapping recommendations to the CIS 20 Controls. In this benchmark guide, there are seven VSC recommendations:

  1. Know the Network
  2. Know the Software
  3. Update Systems
  4. Change Default Passwords
  5. Use of Anti-Malware
  6. Videoconferencing Specifics

The CIS VSC team gives a sub-control from Implementation Group 1 for each recommendation and a corresponding task to execute. The following table illustrates the specific VSC guidance mapped to a control group.

These recommendations and sub-controls help companies define and coordinate shared security responsibilities for videoconferencing. Companies are encouraged to determine and delineate telework responsibilities from corporate ones to mitigate issues like meeting bombing and stolen meeting links.

A CIS VSC Feature Summary


We mentioned at the outset that the CIS VSC is a vendor-neutral guide for videoconferencing security. The following figure shows how a few of the common platforms compare.

The commonality and number of security features indicate that videoconferencing providers treat security as a priority. This development bodes well for leaders who are attempting to capture the WFH/A swell’s upside. A frictionless transition to all-remote or majority-remote models is the current wave of digital transformation. More secure videoconferencing helps to ease concerns about embracing this change. The CIS VSC, in particular, is a helpful guide for leaders along the way.

In Summary

The Lares Research and vCISO teams continue to track issues concerning the forcibly converged network. In so doing, we can better advise our clients on ways to manage their risk as the pandemic persists. Guides like the CIS VSC are helpful for benchmarking the security of videoconferencing in organizations. Business and risk leaders should consider using the CIS VSC to measure videoconferencing risk in their overall risk management programs.

Don’t forget to read our WFA resources listed below and be on the lookout for more Lares telework recommendations.

List of Lares Work from Home (WFH) and Telework Resources:

