Cisco WebEx online solutions help enable global employees and virtual teams to meet and collaborate in real time as though they were working in the same room. Businesses, institutions, and government agencies worldwide rely on Cisco WebEx solutions to simplify business processes and improve results for sales, marketing, training, project management, and support teams.

Overview of WebEx privacy

For all of these organizations and their users, privacy is a fundamental concern. Online collaboration must provide multiple levels of security, from scheduling meetings to authenticating participants to sharing content. Cisco WebEx is a very secure environment, yet it can be configured as a very open place to collaborate. Understanding the privacy features available to site administrators and end users allows you to tailor WebEx to your business needs.

WebEx Site Administration

Effective privacy begins with WebEx Site Administration, which allows administrators to manage and enforce privacy policies for host and presenter privileges. For example, an authorized administrator can customize session configurations to disable a presenter's ability to share applications or to transfer files on a per-site or a per-user basis.

Cisco recommends use of the following features for protection of your meetings:

Feature: All meetings must be unlisted

Benefits: Even meeting titles can reveal sensitive information. For example, a meeting entitled "Discuss acquisition of Company A" can have financial impacts if revealed ahead of time. Creating unlisted meetings maintains the privacy of sensitive information. For listed meetings, the meeting topic and other information are displayed on your site for authenticated users as well as unauthenticated users and guests to see. Unless your organization has a specific business need to display meeting titles and information publicly, all meetings should be marked as unlisted.

To enable this setting for all users: From the site administration portal, check the following box:
Feature: Meetings must have password (strong)

Benefits: The most effective step to strengthen the security of your meeting is to create a high-complexity, non-trivial password (strong password). A strong password should include a mix of uppercase and lowercase letters, numbers and special characters (for example, $Tu0psrOx!). Passwords protect against unauthorized attendance because only users with access to the password will be able to join the meeting. Following the practice of requiring passwords for all meetings ensures all meetings created by hosts are secured.

Please note: Use of a strong password will not affect the meeting join experience of authorized attendees. Participants can easily join a meeting by clicking on the URL in the meeting invitation through email, via the WebEx mobile application or other channels like Jabber.

To enable this setting: In the site administration portal, check and configure the following boxes:
Feature: Do not allow Join Before Host

Benefits: Consider enforcing this option for all hosts. This option is recommended for listed meetings, as external attendees could leverage the scheduled meeting for their own purposes without the host's knowledge or consent.

To enable this setting in site administration, uncheck the boxes shown below to prevent your users from allowing attendees to join before the host:

To manage policy settings for all users on your site, the following features are also available in WebEx Site Administration.

Feature: Host Account Management
Functionality:
- Lock out an account after a configurable number of failed login attempts
- Automatically unlock a locked-out account after a specified time interval
- Deactivate accounts after a defined period of inactivity
- Require a user to change password at next login
- Lock or unlock a user account
- Activate or deactivate a user account

Feature: Account creation
Functionality:
- Require security text on new account requests
- Require email confirmation of new accounts
- Configure rules for self-registration of new accounts

Feature: Account passwords
Functionality:
- Require specific rules for password format, length, and re-use
- Prohibit easily guessed passwords (for example, "password")
- Set a minimum time interval before password change
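The three site-wide recommendations above (unlisted meetings, strong meeting passwords, no join before host) can be checked mechanically against a list of scheduled meetings. The following is an added example, not Cisco code: the Meeting record, its field names and the minimum length of 8 are assumptions and do not correspond to any WebEx export format or API.

```python
import string
from dataclasses import dataclass

# Assumption: the page states no minimum length; 8 is a placeholder value.
MIN_LENGTH = 8

@dataclass
class Meeting:
    # Hypothetical record; field names are not a WebEx export format.
    topic: str
    listed: bool
    password: str            # empty string means no password set
    join_before_host: bool

def password_gaps(pw, min_length=MIN_LENGTH):
    """Return which of the page's strong-password properties are missing."""
    checks = [
        ("length", len(pw) >= min_length),
        ("uppercase", any(c.isupper() for c in pw)),
        ("lowercase", any(c.islower() for c in pw)),
        ("digit", any(c.isdigit() for c in pw)),
        ("special", any(c in string.punctuation for c in pw)),
    ]
    return [name for name, ok in checks if not ok]

def audit(meetings):
    """Map each non-compliant meeting topic to the recommendations it misses."""
    report = {}
    for m in meetings:
        findings = []
        if m.listed:
            findings.append("listed: title and details visible to guests")
        if not m.password:
            findings.append("no password")
        else:
            gaps = password_gaps(m.password)
            if gaps:
                findings.append("weak password: missing " + ", ".join(gaps))
        if m.join_before_host:
            findings.append("join before host enabled")
        if findings:
            report[m.topic] = findings
    return report

# Constructed sample data; the first password is the page's own example.
SAMPLE = [
    Meeting("Weekly sync", False, "$Tu0psrOx!", False),
    Meeting("Discuss acquisition of Company A", True, "", True),
    Meeting("Budget review", False, "budget2024", False),
]

if __name__ == "__main__":
    for topic, findings in audit(SAMPLE).items():
        print(topic, "->", "; ".join(findings))
```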
Recommended security practices for hosts

As a host, you are the final decision maker concerning the security settings of your meeting. Always remember that you control nearly every aspect of the meeting, including when it begins and ends. Follow the security best practices below when scheduling and hosting meetings, based on your business needs for keeping meetings and information secure.

When scheduling a meeting

Schedule unlisted meetings

Benefit: To enhance meeting privacy settings, hosts can opt not to list the meeting on the meeting calendar. To do this, remove the check mark from this option to help prevent unauthorized access to the meeting and hide information about the meeting, such as its host, topic, and starting time. An unlisted meeting does not appear in the meeting calendar on the Browse Meetings page or on your Personal Meetings page. To join an unlisted meeting, attendees must provide a unique meeting number. Unlisted meetings require the host to inform the meeting attendees, either by sending a link in an email invitation, or hosts can enter the meeting number via the Join Meetings page.

Please Note: Listing a meeting reveals meeting titles and meeting information publicly. If a meeting is not password protected, anyone can join it.

Tip: Choose a level of security based on the meeting's purpose. For example, if you schedule a meeting to discuss your company picnic, you probably need to set only a password for the meeting. On the other hand, if you schedule a meeting in which you will discuss sensitive financial data, you may not want to list the meeting on the meeting calendar. You may also choose to restrict access to the meeting once all attendees have joined it.

Choose the meeting Topic carefully

Benefit: A listed meeting or a forwarded invitation email could, at a minimum, reveal the meeting titles to unintended audiences. Meeting titles can unintentionally reveal private information, so ensure that titles are carefully worded to minimize exposure of sensitive data, such as company names or events.
Secure meeting with complex password

Benefit: Using complex meeting passwords for every session is the most important step you can take to protect your meeting. While uncommon, site administrators may choose to allow the creation of meetings without passwords. Under most circumstances, protecting all meetings with a strong password is highly recommended.

Please Note: Adding passwords to your meetings does not affect the meeting join experience of authorized attendees. Participants can easily join a meeting by clicking on the URL in the meeting invitation through email, via the WebEx mobile application or other channels like Jabber.

Do not reuse passwords for meetings. Scheduling meetings with the same passwords weakens meeting protection considerably.

Exclude Meeting Password from invitations

Benefit: If you invite attendees to a meeting, the meeting password does not appear in the email invitations that attendees receive. You must provide the password to attendees by another means, such as by phone. For highly sensitive meetings, exclude the meeting password from the invitation email. This prevents unauthorized access to meeting details if the invitation email message is forwarded to an unintended recipient.

Require attendees to have an account on your site

Benefit: When this setting is enabled, all attendees must have a user account on your site to attend the meeting. For information about how attendees can obtain a user account, ask your site administrator. Options to enable this setting are shown below:

Use entry or exit tone or announce name feature

Benefit: Using this feature prevents someone from joining the audio portion of your meeting without your knowledge. This feature is enabled by default. To adjust the settings, select Participant > Entry and Exit Tone. (Not available for Training Center.)

Restrict available features

Benefit: Limit the available features, such as chat and audio, if you allow attendees to join the meeting before the host.

Request that invitations not be forwarded

Benefit: Request that your invitees do not forward the invitation further, especially for confidential meetings.
Assign an alternate host

Benefit: Assign an alternate host to start and control the meeting. This keeps meetings more secure by eliminating the possibility that the host role will be assigned to an unexpected or unauthorized attendee in case you inadvertently lose your connection to the meeting.

Note: When inviting attendees to a scheduled meeting, you can designate one or more attendees as alternate hosts for the meeting. An alternate host can start the meeting and act as the host. Thus, an alternate host must have a user account on your Meeting Center Web site.

During the Meeting

Restrict access to the meeting

Benefit: Lock the meeting once all attendees have joined the meeting. This will prevent additional attendees from joining. Hosts can lock or unlock the meeting at any time while the session is in progress. To lock a meeting, select Meeting > Restrict Access.

Tip: This option prevents anyone from joining the meeting, including participants who have been invited to the meeting but have not yet joined it. To unlock a meeting, select Meeting > Restore Access.

Validate identity of all users in a call

Benefit: Accounting for every attendee via a roll call is a secure practice. Ask users to turn on their video or state their name to confirm their identity.

Please Note:
- To attend a meeting via phone, a caller only needs to know a valid WebEx dial-in number and the nine-digit meeting ID. Meeting passwords do not prevent attendees from joining the audio conference portion of WebEx.
- If attendees without an account are allowed to join the meeting, then unauthorized users can identify themselves with any name in your meeting.

Remove a participant from the meeting

Benefit: Participants can be expelled at any time during a meeting. Select the name of the participant whom you want to remove, then select Participant > Expel.

Share Content or Applications, Not Desktop

Benefit: Use Share > Application instead of Share > Desktop to share specific applications and prevent accidental exposure of sensitive information on your desktop.

After the Meeting

Assign passwords to recordings

Benefit: The best way to prevent unauthorized access to recordings is to not create recordings. If recordings must be created, you can edit meeting recordings and add passwords before sharing them to keep the information secure. Password-protected recordings require recipients to have the password in order to view them.

Delete Recordings

Benefit: Delete recordings after they are no longer relevant.

WebEx Personal Conferencing (PCN Meetings)

Personal Conferencing (PCN) in site administration

Do not enable Join before Host for PCN for any user unless you fully understand the security impact and require this functionality. PCN Meetings use two randomly assigned 8-digit access codes for controlling and accessing a personal conference (a host access code and an attendee access code). These codes are static and are always available without prior scheduling. If a PCN meeting is scheduled in advance, the host receives an invitation with both the host and attendee codes, while invitees receive a separate invitation that includes only the attendee access code. With Join before Host disabled (recommended), a host must dial the WebEx Access number for the audio bridge and enter the host access code and host PIN before attendees can join the meeting. With Join before Host enabled, attendees can join the meeting without the host being in attendance. Enabling this setting can result in unintended consequences, including misuse of teleconferencing minutes.

Personal Conferencing security for hosts

Create a strong Host PIN and protect it. Your PIN is the last level of protection for prevention of unauthorized access to your personal conferencing account. Should a person gain unauthorized access to the host access code for a PCN meeting, the conference cannot be started without the host PIN. Protect your host PIN and do not share it.

Conclusion

Taking a few extra steps when configuring site settings and when scheduling and participating in a WebEx meeting can greatly enhance the meeting's security and privacy.

User Guides and Knowledge Base articles for enhancing security and privacy

- Cisco WebEx Quick Start Guide
- WebEx Security White Paper
- What Level of Security Should I have for my Scheduled Meeting?
- How Do I Require All Meetings or Training Sessions to be Unlisted for the Entire Site?
- How Do I Schedule an Unlisted Meeting?
- How Do I Change an Unlisted Meeting to a Listed Meeting?