As the workforce returns to the office, it's estimated that up to 50 percent of employees will be remote for part of the workweek, while others will remain remote full time. In 2021 and beyond, we will see a true hybrid workforce.
AV/IT managers are planning to create more collaboration rooms to facilitate a new work dynamic and an ecosystem to ensure seamless collaboration and productivity—near and far. As more AV equipment and solutions are added to the network and workers move between the office and home, bringing their favorite devices, software, and platforms, company data becomes exponentially more vulnerable.
Mitigating #WFH Risk
For more than two decades, companies have relied on the encrypted connection a virtual private network (VPN) provides to enable employees to access corporate email and safely transmit data over the internet while traveling or working from remote locations.
In March 2020, when the workforce at large was sent home to work, home Wi-Fi networks, personal laptops, and devices became the mode of connection and workflow. Matthew Rakes, managing director, Information Technology and Cybersecurity at Unity Aluminum, suggested that depending on how well the IT department has defined route policies, a VPN might not mitigate all risks. “One of the problems you can run into is if someone has a compromised local network or device and they attach via VPN to the enterprise, then that device now has traffic flowing into your network.”
There's a degree of Big Brother that has been assumed acceptable when employees are on corporate property. “This is where I think we need to train users' expectations to understand better that when you're using a particular application, that we are going to be Big Brother, even if we are going to be hands-off of the rest of your network,” Rakes said.
The term “Big Brother” often conjures the idea that evidence is being gathered against the user. “I often think that the best view of this is quite the contrary,” Rakes added. “We should actually be seen more as defenders of the castle.” A strong, secure IT department should first and foremost aim to protect employees and the company data equally. “We should seek to not only protect data, but we should seek to help protect and defend the people that represent your company, and the best way to do that is providing them with secure tools that help them to know that they don't find themselves in a compromising situation,” he said.
Mitigating a Hybrid Office Security Risk
As AV/IT managers prepare to increase the number of meeting rooms to enable seamless collaboration and videoconferencing for hybrid environments, they will be adding networked AV equipment, and dealing with an influx of personal devices.
Rakes is taking a long-term approach to adding technologies as employees return. “We are looking at what solutions and technologies we can acquire now that alleviate our immediate pain, but will allow us to better transition into higher efficiency once people come back to the office.” Post-COVID, Unity Aluminum will continue to have a flexible remote work policy. “But we recognize that one of many benefits of being in the office is collaboration,” Rakes said. “We are leveraging tools from Mersive, Cisco, and Microsoft, which helped us to bridge the gap.”
Whenever possible, Rakes deploys a cloud-first model for IT and AV solutions. “That takes a lot of onus off IT departments when you don't have to worry about security patches because Microsoft Azure is already handling that for you,” he said.
Unity leverages a suite of Cisco technologies for its wired and wireless on-premise networks. “We use Cisco identity services and Cisco capabilities that work as an umbrella that can identify known pieces of hardware and dynamically insert them on the correct VLAN, regardless of what network they initially connect to,” Rakes said. Moving toward a “zero trust” security model, “with Cisco Duo Security, you're able to achieve a dynamic resilience, so when someone connects to a network, enters their credentials to authenticate to that network, then it says, ‘Oh hey, I know who this person is. I can dynamically put them on the correct VLAN,’” he said.
When choosing AV solutions, Rakes looks to companies with a security-first approach. “One of the things we like about Mersive is the way they handle the communication from the Solstice client back to a pod is different than many other AV solutions,” Rakes said. “Mersive went from the approach first of, ‘How do we secure the transmission of that traffic?’ and then, ‘Now let’s make sure that the audio-video protocols work.’”
When it comes to security and BYOD/BYOM devices, the primary challenge is the verification and enforcement of an organization’s security policy. “Organizationally owned assets can be standardized and remotely managed. This allows the organization to enforce security best practices on network devices,” AV/IT industry consulting solutions architect of AVCoIP, Paul Zielie, said. “BYOx devices could bring in malware, which once inside the organizations, can do serious damage.”
The best way to mitigate risk is to require a security package run on the BYOD hardware. “If employees want to use these devices on the organization’s network, require that the security package needs to be running while connected,” Zielie said. “You then use a port level security protocol like 802.1x, which checks that it is running before data is passed.”
In Their Own Words
We asked experts from leading AV/IT manufacturers and providers with a security-first approach to share their insight on the new era of AV/IT security.
Nathan Holmes, Director of Training and Development
It is not realistic to add protection services to every device that may be added to a collaboration space, but there are still several steps AV/IT managers can take to enable safe, secure, and seamless collaboration and productivity. Segregating remote connectable collaboration areas from the rest of the corporate network, employing a Next-Gen firewall solution with unified threat protection services, and ensuring that your IT team is up to date on cybersecurity threats and employs best IT practices are some easy first steps to securing your corporate networks while supporting a remote workforce.
AV/IT managers are accustomed to creating an Information Security (InfoSEC) plan for their respective businesses, but these plans are typically based upon most, if not all, employees residing within the controlled corporate network hardware area. With the move toward BYOD and BYOM, the InfoSEC plan should include strategies that allow employees to join the collaboration space through devices that may not employ protection services. To mitigate security threats for all devices, we recommend the following course of action: The development and execution of a comprehensive security policy that includes unified threat protection, provides each employee with the networking equipment they need to work remotely, ensures devices include active information security services, actively manages and updates these services, provides secure VPN access for each employee, and ensures there is a specific policy and procedure for connecting non-company-owned equipment to the corporate network.
Paul Harris, CEO/CTO
When choosing new products and solutions to integrate into collaboration rooms, taking into consideration the “new norm” will be especially important. COVID-19 is our first modern day pandemic and will not be the last. Being ready at a minute’s notice to shift from in-office to remote in a collaborative fashion will be key to a successful business. As we have learned, it is not just about remote, but the safety of the rooms where people do have to gather.
Touchless-based systems are now crucial to keeping employees safe and successful. Aurora Multimedia has developed several technologies to address these needs. Aurora started with thermal temperature readings with gestures, and then migrated that technology into conference rooms. Aurora’s RXM-1, ReAX Media Server will allow voice commands, hand gestures, and QR codes for remote control pages on a user’s cell phone or laptop, as an example. Selecting sources is as easy as raising your hand. But it goes into deeper details, such as telling how many people are in the room, so as to not violate occupancy maximums.
Additionally, the use of real-time facial recognition allows access into the system and even can restrict individuals that do not have authorization/access—providing enhanced security. During the process, it reads the temperature of the occupants, as temps can change during the day and most systems currently are focused on initial entry for detection. Overall, this enhanced technology makes it possible for a safer, more sophisticated, and more secure workplace that is now easier than ever to use.
Dana Corey, SVP and GM
This year, companies were faced with many unforeseen challenges when the pandemic first prompted stay-at-home orders. From technical and security issues, to ensuring teams had the appropriate software and hardware technologies, to simply trying to manage team communication and efficiencies within a distributed workforce—they were forced to figure out a new way to work, with little time to plan for it.
With this increase in remote work and a hybrid workforce, organizations big and small are looking to invest in the most practical tools that enable team-wide communication and collaboration from anywhere, and this transition is requiring AV/IT managers to rely on data to support their plans for business continuity and return to work.
Workspace intelligence analytic solutions are a critical component to this movement, as they will allow decision-makers to take immediate action to re-evaluate the meeting room, UC hardware and software ROI, as well as guide future planning, which is especially helpful for the return to work and hybrid work strategy planning happening all around the world right now.
Available in Q1 2021, Avocor Aquarius provides real-time business intelligence of meeting space usage and environmental data, such as presence detection, attendee impact on room temperature, humidity, and light conditions—data that can be leveraged by AV/IT facility managers to make critical decisions about space management, find real-time cost savings in heating and cooling, and future hardware and software purchases.
David Martens, Enterprise Product Security Architect
AV/IT managers should look for vendors who have product security embedded in their DNA. Good product security means integrating security in all phases of the lifecycle of a product. Security requirements have to be taken along from the very start—together with the functional requirements—and even after the product has been released, the implementation of a patch management strategy and a responsible disclosure policy will allow customers to keep their product secure. Product vendors have to be transparent about how they manage product security.
When it comes to the BYOD device used to participate in the meeting—it has to be well managed, and the latest security patches have to be applied—otherwise a malicious hacker could gain access to confidential data. A second challenge is the diversity of UC&C platforms; the host should set up the meeting with the correct access permissions to prevent any unwanted participants by configuring enforcement of access credentials, the use of a lobby room, etc.
Of course, remote working poses its own unique set of security challenges. Quite a lot of organizations had to go remote almost overnight, and this has been a huge task for a lot of IT teams. Though setting up a VPN infrastructure is one thing—configuring it correctly, maintaining, and patching it are crucial to prevent malicious actors entering your network. Migration to the cloud for office applications is being adopted rapidly to enable the hybrid working model, but it nevertheless opens up serious security risks. Phishing attempts get more and more sophisticated, which requires the enforcement of multi-factor authentication to mitigate. A more recent attack vector is the roll-out of malicious Azure apps, that, once granted permission, can access your emails or personal files. A strict corporate policy on which kinds of applications employees are authorized to install is crucial to keep your endpoints healthy.
BenQ America Corp.
Bob Wudeck, Senior Director of Business Development
When selecting new products and solutions to integrate into collaboration rooms, ensure they follow the latest IT network best practices. Every solution in the room should minimize the organization’s attack profile, limit access to content and data, and reduce data interaction.
For example, wireless presentation systems (WPS) are a hot item, as they complement the BYOD and BYOM trends—allowing multiple presenters to collaborate simultaneously, and they are an affordable and more flexible alternative to HDMI. However, many WPS are shown to have several network vulnerabilities. To avoid this, AV/IT managers should utilize a WPS that operates independently of the network, doesn’t require proprietary software or apps, and has 100-percent 128-bit AES encryption. InstaShow includes these features and more for use in even the most high-security applications. It prevents unexpected access and helps organizations comply with emerging personal information laws.
When you go remote, you face significant cybersecurity challenges. According to Threatpost, the majority of cyberattacks target apps and devices with known vulnerabilities. As a result, IT managers closely monitor and limit the apps and hardware that run on their company’s network. However, IT managers have much less control over the apps and devices remote workers use. A recent survey by Malwarebytes found 28 percent of respondents use personal devices for remote work instead of company-approved equipment—a problem known as “ghost IT.” Exacerbating this are home Wi-Fi networks running on consumer-grade modems without a dedicated firewall. IT managers must ensure employees are using secured devices, and prevent the download of unscreened apps.
Rashid Skaf, President, CEO, and Co-chairman
I recommend that when looking at new solutions, you ensure that the products or the vendors that you’re looking at are adaptable, flexible, and manageable. When it comes to security, that has to be part of the DNA of the company you’re talking to. Security is not something that you can “add” to the mix. It’s not an ingredient; it is an underlying, foundational piece that you need to put into place, and if you don’t feel like that’s part of what you’re looking at, then you should keep looking.
Part of what we do at Biamp is have customer panels and advisory boards from banks, government facilities, and education facilities globally that help ensure our security protocols will allow us to be on their network. That is always helpful, because security standards are not something that are static, but get modified over time, so you have to be able to adapt to new standards.
Jamie Trader, VP, Global Product Line Management–Video and Control
One thing is certain in today’s blended work environment: Collaboration happens on the network. Organizations go to great lengths to secure their network. Best practices and regulatory compliance combine into a shape of highly curated security goals, aimed at preventing impact to CIA (confidentiality, integrity, and availability) of data.
No longer nice-to-have, there is organizational expectation that any networked device—AV or IT—is able to, and will, maintain a security posture in alignment with those security goals. So, what does that mean for the AV/IT manager who today has a vast spectrum of networked AV devices to choose from? It’s simple.
AV/IT managers today need to evaluate how legitimately a product supports the IP and network protocols that have been long-established for delivering defense in layers—whether talking about the AAA of access control (authentication, authorization, and accounting), adherence to standard IP protocols like VLAN tagging for segmenting traffic, or perhaps evaluating what types of encryption is available and what traffic is being encrypted. Not all products are created equal, and some that claim enterprise-level security don’t always provide mitigation capabilities to conform to your particular security posture.
Reputable solutions will possess these attributes—being available and supportable by the manufacturer. The AV/IT manager selecting new products doesn’t need to define the security posture—they will just need to be able to implement the risk mitigation actions outlined for them. Make sure the products you choose support those actions.
Brian Cockrell, Intel Unite Solution Product Owner and Co-founder
A modern collaboration platform should include a suite of security features to guard against a variety of risk scenarios. Robust encryption should be in place. The Intel Unite solution uses end-to-end TLS (transport layer security) encryption between a participant’s device and a room hub, whose connection to the server—on-prem or cloud—is also end-to-end TLS encrypted. In addition to encryption, there should be protections against unauthorized access to sessions, such as a rotating PIN, and the ability for participants to lock a meeting, as well as expel unwanted participants. Other security features include keystroke lockout, protected guest access, and the ability to authorize use by individual. Finally, content shouldn’t leave the organization’s network and use data should be anonymous. These protections should be embedded in software that is easy to learn and use. Otherwise, disuse becomes the primary protection. Good for security, but bad for collaboration. The Intel Unite solution is a good example of a collaboration platform that includes all these features.
When a new collaboration platform is combined with peripherals and plugins—especially in BYOD, BYOM, and remote environments—the result is a staggering number and variety of potential risks—some foreseeable, others novel. Do the research and choose tech wisely. Has the software been vetted by other users? Where is data going and is it sufficiently protected? What data is collected and where is it stored? Once the risks and benefits are fully understood, weigh those against a risk profile and choose the tools that provide the best balance.
Christopher Jaynes, PhD, Founder and CTO
The new hybrid workplace will need Bring Your Own Meeting (BYOM) solutions in more spaces than ever before, so it’s critical that enterprises select vendors and solutions that are secure and scalable to large numbers of rooms. Security models that focus on the personal device and how it works in concert with a secure platform, then, are more important than they were in the past. IT must view the personal device ecosystem as a new part of the enterprise infrastructure. AV/IT managers must look closely at collaboration technologies that are secure and scalable under these new conditions.
There are several key attributes that can be found in solutions that are hybrid workplace-ready. These include capabilities like exponential response times on communication ports to dent brute force attacks, code obfuscation, enterprise-grade encryption ciphers, and even methods to log suspicious events to inform managers of attempted attacks. I recommend looking not only at security features, but at the company’s security legacy. Unfortunately, multiple meeting collaboration platforms were in the news for security breaches in the last couple of years.
Security is never a one-time consideration, and can’t be only defined by a set of fixed features; instead, it’s an exercise in diligence. New vulnerabilities are being explored every day and countermeasures must be looked at almost continuously. Look for vendors that perform regular penetration tests and continually harden their solutions with new layers of security capabilities. Software-based solutions have become increasingly important, as they allow vendors to roll out continuous updates as new security features become available.
Ronald Rousseau, Manager, Platform Product Management
To provide the best network security, AV/IT managers should look for conferencing systems that feature audio encryption. For example, Shure features products that include Shure Network Audio Encryption to help protect networked audio connections from security breaches. The technology safeguards confidential content without compromising audio quality. It is based on the AES-256 algorithm that has been widely adopted by leading financial institutions, government agencies, and healthcare providers that are concerned with data security.
Until now, however, such robust security was not available to protect networked audio signals. With the right software, like Designer, it is easy to configure features and activate, while being compatible with current technology. For IT managers who want more control and uniformity, the use of encrypted audio helps level the playing field, and it can be used for wired and wireless encryption.
While no network is completely secure, an IT manager can take steps to improve security. Network audio encryption can be combined with other network security measures like device access control and network partitioning to create a multi-layered security solution.
Nicole Corbin, Director of Product and User Experience
There are a number of important considerations when choosing new solutions to integrate into collaboration rooms; chief among them is security. Utelogy has introduced a program called Utelligence, which is intended to drive a higher level of security standards, create more robust APIs, as well as offer complete and meaningful metrics. Devices with a rich API provide ease of management and monitoring and even remote fixing, which ultimately means more uptime, a better user experience, and significantly reduced support costs. I would recommend any devices which adhere to these standards above all others.
BYOD/BYOM, security challenges such as data leaks, malware, unsecure networks, et cetera are nothing new, however they have become more prominent in the work-from-home era. Your IT department should be well versed in the importance of implementing MFA, SSO, VPNs, MDM, keeping device software up to date, and setting stringent password protocols. It would also be beneficial to choose devices (Utelligent devices) that use secure protocols such as SSH, HTTPS, and WSS. These security strategies need to be well thought through, audited periodically, and distributed to all employees.
Remote work opens up different kinds of security threats and concerns. Since your company should now have established BYOD/BYOM protocols, you can begin creating your remote office policy. A few recommendations would be to make sure all employees lock their screens before leaving their work area, use headphones on calls if they are not alone, keep a tidy workspace, dress appropriately if on video, and ensure they have access to adequate Wi-Fi. These recommendations not only help with security threats, but will also mitigate threats on a company’s image and brand reputation.
Andrea Mayer, Inside Sales Manager
When the workforce does return to the office, hybrid meetings will be the norm. It is paramount for meeting participants to be able to have a secure, positive experience in the physical meeting space, while also having the ability to interact easily with remote workers at the same time.
Bring Your Own Device/Bring Your Own Meeting was already popular, but since the pandemic, it is now essential and here to stay. People want in-room, “touchless meetings” with simple, secure, fully encrypted wireless connectivity, and they expect a consistent, secure meeting experience—whether they are participating in-person or remotely.
Reducing in-room infrastructure and focusing on single-box, multi-functional, all-in-one appliances such as WolfVision Cynap—that include built-in, encrypted, room-to-room streaming capability, Zoom, Teams, and WebRTC functionality, and that can be easily controlled and administered remotely using proprietary software—help to simplify the task of AV managers in delivering a secure, flexible collaboration solution.
Like Cynap presentation and collaboration solutions, selected products should have a range of security features—preferably customizable—that can meet a diverse range of enterprise security policies. For example, it should be possible to disable network interfaces not in use, restrict browser access, and disable any features, such as streaming, recording, snapshots, USB ports, et cetera, if they are not required. When a meeting ends, it is critical that no data is ever stored on the system. A closed operating system is also desirable, such as the Cynap Linux system, that does not permit installation of any third-party applications.