BT has offered video conferencing capabilities with BT Cloud Phone Meetings, which are powered through our partnership with RingCentral and Zoom. We want to help our customers understand the recent Zoom security and privacy questions that have dominated press headlines, and let you know what we are doing to help mitigate risks for BT Cloud Phone Meetings users.
Q: What can I do to help keep my BT Cloud Phone Meetings sessions secured?
A: There are a number of best practices that are recommended for ensuring that your meetings are as secure as possible. See BT Cloud Phone Meetings Security Features for Preventing Meeting Abuse to learn more.
Q: How do you provide customers with transparency regarding BT Cloud Phone’s security?
A: Independent third-party verification and honest, transparent communication are the best ways to ensure we continue to provide our customers with the best transparency and assurance, not just the best security, in the industry. Each year we undertake multiple security audits, working with multiple audit firms and using multiple frameworks. Our SOC2 and SOC3 audits include more than security criteria: we include security, availability, and confidentiality criteria in those audits. Our SOC2 audit report is available upon request. We have achieved and maintained our HITRUST certification for multiple years. We’re not just committed to transparency. We’re committed to making it easy for our customers to obtain and work with our audit materials.
Q: What is the approach to data privacy for BT Cloud Phone?
A: When it comes to privacy, we protect the personal data of those who use our services and process customer data in accordance with our Privacy Notice. Privacy at BT is an ongoing program that is always evolving and adapts to new laws and regulations, with a dedicated Privacy department whose sole job responsibility is data privacy. BT complies with the privacy and security requirements of the General Data Protection Regulation (GDPR) and HIPAA.
Q: How does BT Cloud Phone approach encryption?
A: Since cloud communications involve multiple endpoints, it’s important to make sure encryption extends beyond data in a data center. We implement encryption in our software and mobile apps. We use industry-standard encryption with well-understood implementation designs. Depending on the communication modality, we use TLS, SIP over TLS, SRTP, and WebRTC encryption standards.
Q: What network and infrastructure security practices do you employ?
A: To secure our network and infrastructure, we protect the network and application perimeter with firewalls and session border controllers. We require authentication through a production VPN for administrative access and then further authentication for local infrastructure systems, ensuring that only authorized personnel have access to the production environment. Telemetry measures include intrusion-detection systems, system logs, multiple types of analytics, and more. Operational processes include system and service-level monitoring, system hardening, change management functions, and internal and external vulnerability scans. These service operations controls are discussed in more detail in our SOC2 audit report.
Q: Should end-users of BT Cloud Phone Meetings powered by Zoom be concerned about security and privacy, and what can users do to reduce any occurrence of ‘Zoombombing’?
A: Regarding BT Cloud Phone Meetings, two highly publicized issues are that Zoom’s iOS application shared certain user data with Facebook via an SDK in a manner that wasn’t clear in their privacy notice, and that Zoom had inadvertently routed some customer traffic through China. We want to report that neither of these issues is present in BT Cloud Phone Meetings. Another highlighted issue has been unauthorized participants joining meetings and, in some cases, screen sharing inappropriately (aka Zoombombing).
With respect to Zoombombing in particular, here are some effective security measures you should use in every BT Cloud Phone Meeting:
• Set passwords for your meetings
• Lock your meetings once all of your participants have joined
• Use the waiting room feature to control participant access to your meetings
• Set advanced sharing options to control who can share and when they can start sharing
Over the past several days, Zoom has announced several updates, such as requiring passwords for every meeting by default, and we will work quickly with Zoom to apply these updates to BT Cloud Phone Meetings.
For more best practices, see BT Cloud Phone Meetings Security Features for Preventing Meeting Abuse.