Online Meetings Policy
SparkFabrik is a remote-friendly company in its DNA, we tend to use all forms of online collaboration tools, from terminal sharing to full-fledged virtual meetings software.
For this reason, we believe that is important to have some shared guidelines on how to run effective and secure online meetings. Security and privacy are the most important ones because misconfigured public meetings can lead to very bad issues, that can compromise the public image of the company as well as reveal confidential information about us or our customers.
For this reason, our employees and team members must adopt these recommendations: only approved services must be used; the approved services must be configured according to the provided directions for both public and private activities.
The list of approved online meeting tools is in order of preference:
- Slack Huddles
Google Meet is, at the time of writing, our standard solution fully integrated with the other Gsuite products we use, and it is the right solution for small-sized meetings (up to 10 participants), like standups, quick meetings with the customers, one on one and so on, but it comes also with some limitations compared to other more advanced platforms like Zoom, which offers better quality and it's well suited for running medium/big sized events, like webinars, remote hackathons, company meetings and such.
Huddles are the Slack audio/video meetings that we can use only internally for quick calls with other employees and team members, given that they already have a configured Slack account.
General recommendations for security and privacy
The host of an online meeting should always ensure the following items:
- The meeting is always protected by an authorization mechanism (password, Gsuite, etc.)
- Accounts from outside the organization must be approved manually to access the meeting.
- Screen sharing must be requested and approved by the meeting host and always ready to stop it, in case of abuse by the presenter.
- Video recording (if any) must be requested and approved must be explicitly requested to all participants before starting. Their explicit consent must also be recorded at the beginning of the session.
Tips to run a high-quality virtual meeting
Some of the points come from this super cool post from the MIT Media Lab: https://www.media.mit.edu/posts/a-few-simple-tips-for-better-online-meetings-covid-19-edition they also have a community-editable document here
- Designate a facilitator: We highly recommend having a facilitator who can keep an eye on group dynamics and guide the conversation. It can be the host or to make it simple, a shared role, rolling among the participants.
- The key to a good video call is the audio: Nothing improves the quality of a video meeting as much as a headset and good audio etiquette. Make sure all participants use a headset or a good directional microphone and encourage participants to mute themselves when they are not speaking. If necessary this is one of the areas where it’s ok for the facilitator to get a little heavy-handed if necessary. Bad audio from one or two participants can ruin the meeting for everyone else. In addition, all participants should be in a quiet space when they connect.
- Raise your hand/use a speaker queue: This may sound like we’re back in elementary school, but it’s amazing how well the conversation flows if all participants “raise their hand” to indicate they want to chime in. It’s the facilitator’s job to make sure that people are asked to speak in the order in which they added themselves to the queue.
- Use the calendar to set up a meeting: Most of the tools nowadays allow you to create a meeting from within your calendar tool, you can see here the instructions for Google Meet and Zoom
- Make sure you have enough bandwidth: If you are experiencing connection issues or just using a low-quality connection, you can try to:
Anyone inside the organization can create new meetings, by heading to: https://meet.google.com
You can just follow these steps:
- In a web browser, enter https://meet.google.com.
- Click Join or Start a meeting.
- (Optional for G Suite users) Type an optional name for your meeting or leave blank. Click Continue.
- Click Join now.
- To add someone to a meeting, choose an option:
- Click Copy joining info Copy and paste the meeting details into an email or another app.
- Click Add people and choose an option:
- Under the Invite section, select a name, or enter an email address and click Send invite.
- Under the Call section, enter a phone number and press Call. This feature is currently available only for US and Canadian numbers.
Users inside the organizations are not covered with a paid membership, it is generally granted just for specific use cases (like online webinars, public meetings with more than 10 participants, virtual conferences, hackathons etc.), if you think you need it, ask your team leader or our accounting department.
Anyway, Zoom can also be used without a paid membership. With the free plan, you can also host meetings but you have some limitations, you cannot record in cloud (just locally) and group meetings have a 40-minutes duration limit.
By the nature of this platform, the security risks are very high when a meeting is misconfigured, when you decide to use it, especially when someone outside the organization will join, the host must strictly follow the following steps:
PASSWORD PROTECT YOUR MEETINGS: The simplest way to prevent unwanted attendees and hijacking is to set a password for your meeting. Passwords can be set at the individual meeting, user, group, or account level for all sessions. To do so, first sign in with your account at the Zoom web portal. If you want to set up a password at the individual meeting level, head straight over to the "Settings" tab and enable "Require a password when scheduling new meetings", which will ensure a password will be generated when a meeting is scheduled. All participants require that password to join the meeting. Subscription holders can also choose to go into "Group Management" to require that everyone follows the same password practices.
AUTHENTICATE USERS: When creating a new event, you should choose to only allow signed-in users to participate.
JOIN BEFORE HOST: Do not allow others to join a meeting before you, as the host, have arrived. You can enforce this setting for a group under "Account Settings."
LOCK DOWN YOUR MEETING: Once a session has begun, head over to the "Manage Participants" tab, click "More," and choose to "lock" your meeting as soon as every expected participant has arrived. This will prevent others from joining even if meeting IDs or access details have been leaked.
TURN OFF PARTICIPANT SCREEN SHARING: No-one wants to see pornographic material shared by a Zoom bomber, and so disabling the ability for meeting attendees to share their screens is worthwhile. This option can be accessed from the new "Security" tab in active sessions.
USE A RANDOMLY-GENERATED ID: You should not use your personal meeting ID if possible, as this could pave the way for pranksters or attackers that know it to disrupt online sessions. Instead, choose a randomly generated ID for meetings when creating a new event. In addition, you should not share your personal ID publicly.
USE WAITING ROOMS: The Waiting Room feature is a way to screen participants before they are allowed to enter a meeting. While legitimately useful for purposes including interviews or virtual office hours, this also gives hosts greater control over session security.
AVOID FILE SHARING: Be careful with the file-sharing feature of meetings, especially if users that you don't recognize are sending content across, as it may be malicious. Instead, share material using a trusted service such as Box or Google Drive. At the time of writing, Zoom has disabled this feature anyway due to a "potential security vulnerability."
REMOVE NUISANCE ATTENDEES: If you find that someone is disrupting a meeting, you can kick them out under the "Participants" tab. Hover over the name, click "More," and remove them. You can also make sure they cannot rejoin by disabling "Allow Removed Participants to Rejoin" under the "Settings: Meetings - Basic" tab. To simplify this process you can always (and we suggest doing so) clip the Participants tab to the main window and leave it always there, so it is easily reachable at every moment.
CHECK FOR UPDATES: As security issues crop up and patches are deployed or functions are disabled, you should make sure you have the latest build. To initiate the check, open the desktop application, click on your profile in the top-right, and select "Check for updates." Linux does not have an auto-update feature, so you must do it manually and regularly using these commands:
cd /tmp && wget https://zoom.us/client/latest/zoom_amd64.deb && sudo dpkg -i zoom_amd64.deb && cd -
You should also read carefully this whitepaper from Zoom: https://zoom.us/docs/doc/Securing%20Your%20Zoom%20Meetings.pdf