09 Nov 2015
Why risks related to information sharing via calendars and online meeting tools should be included in your annual IT risk assessment.
Threat-based risk assessments typically focus primarily on digital and paper information. But what about conversations, i.e. people talking and attending online meetings? The kind of information shared in online meetings should be considered just as sensitive. And here's the problem: eavesdropping on such conversations can be harder to protect against than endpoints are to secure.
For a malicious insider, this could be an ideal attack vector. But instead we tend to implement technological solutions and quick fixes that too often focus on securing traditional IT systems, networks and endpoints from external threats.
Larger organisations commonly share calendars simply because it makes sense, both for efficient workforce planning and transparency and from an HR perspective.
So let's stop for a moment and think about the potential risks involved when sharing a calendar within the company and/or with external third parties:
In short, shared calendars and online meetings are perfect platforms for malicious employees/third parties to gather confidential information.
At NorthGRC, we have performed a test based on a shared calendar appointment for an online/phone meeting via Lync or Skype. The calendar appointment included details on how to join the meeting.
Without any difficulties, we succeeded in joining the meeting via phone anonymously, using a simple method to avoid providing a name. Nobody in the meeting had any chance of knowing someone else was listening in. Just as easily, we could have recorded the entire conversation as an audio file.
Attending the meeting online via a browser would notify the meeting leader that an anonymous user had joined. However, in the case of larger online meetings with many people attending, chances are no one would have noticed.
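As an added illustration (not NorthGRC's test or tooling), here is a check a defender could run over an exported shared calendar to find appointments whose free-text fields expose dial-in or web join details to everyone who can read the calendar. The sample export, the placeholder URL and the join-detail heuristics are constructed for this example.

```python
import re
# Constructed sample iCalendar (RFC 5545) export; the dial-in number, IDs and URL are placeholders.
SAMPLE_ICS = """BEGIN:VEVENT
UID:1
SUMMARY:Q4 budget review
CLASS:PUBLIC
DESCRIPTION:Dial-in +00 000 0000 (placeholder)
  Conference ID: 123456
END:VEVENT
BEGIN:VEVENT
UID:2
CLASS:PRIVATE
DESCRIPTION:Conference ID: 987654
END:VEVENT
BEGIN:VEVENT
UID:3
SUMMARY:Vendor sync
LOCATION:https://meet.example.invalid/join/abc
END:VEVENT
"""

# Free-text markers of dial-in or web join details (assumed heuristics, extend as needed).
JOIN_DETAIL_PATTERNS = [
    re.compile(r"conference\s*id\s*[:#]?\s*\d{4,}", re.I),
    re.compile(r"https?://\S*(meet|lync|skype|join)\S*", re.I),
]

def parse_events(ics_text):
    """Unfold RFC 5545 continuation lines, then return one dict per VEVENT."""
    events, current = [], None
    for line in re.sub(r"\r?\n[ \t]", "", ics_text).splitlines():
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT":
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            current[name.split(";")[0].upper()] = value  # drop params such as ;TZID=
    return events

def exposed_join_details(ics_text):
    """UIDs of events readable in a shared view whose text carries join details."""
    exposed = []
    for ev in parse_events(ics_text):
        hidden = ev.get("CLASS", "PUBLIC").upper() in ("PRIVATE", "CONFIDENTIAL")
        text = " ".join(ev.get(k, "") for k in ("SUMMARY", "LOCATION", "DESCRIPTION"))
        if not hidden and any(p.search(text) for p in JOIN_DETAIL_PATTERNS):
            exposed.append(ev["UID"])
    return exposed
```

Events marked PRIVATE or CONFIDENTIAL are skipped because shared views typically hide their body; everything else that carries a conference ID or join link is reported so the owner can move those details out of the shared fields.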
And what about online and/or phone meetings with external third parties such as business advisors, PR and marketing agencies, lawyers, etc.?
What online meeting tools are they using? Are those tools assessed by internal security on a regular basis (or even known to them)? How does the third party manage access and passwords to online meetings?
I suggest you begin including risks related to information sharing via calendars and online meeting tools in your annual IT risk assessment.