Thank you for cross-posting this @Iulia Popescu look for a follow-up article soon 

Whenever possible, use two-factor or multi-factor authentication.  If this is not possible in the video conference software, it can be implemented on the devices or network logins. 

Great discussion, @Jamie Horner and @Aaron Weiler. I am little late to the party, but I brought refreshments.

We all know that network security is only one part of cybersecurity. The other parts include the hardware that lives on the network, the firmware/software that runs on the hardware, the dependent packages that make up the software, not to mention mobile devices like cell phones, and your vehicle or headset if you are tethering your phone via Bluetooth. Plus all the humans involved! AV always starts and ends with humans.  If you forget to mute your microphone before you say something confidential, is that the network admin's fault? No, but it may be a breach of security, privacy and/or compliance.

Security, privacy, and compliance need to be part of everyone's job.  The biggest problem in AV Land is everyone is focused on getting things working so they can sell and install them faster.  A product or protocol that gives little headache is considered favorable. Ever heard the terms, "plug and play" or "plug and pray"?  News flash: God is not going to configure your device to be secure on the network!

I never forget the first time an AV sales rep showed me how easy it was to pull up the unprotected webpage of the DSP device he was pitching; how I could listen to any stream locally on my computer, with no password needed. That was a "feature" he was touting, but in my eyes, it was a clear vulnerability.  Add in the fact that there was no record or log of who was using the product's website or when they were listening...

So, in this case, is it this the rep's fault for showcasing this feature/vuln?  Is it the product manufacturer's responsibility to NOT include those features?  Is it the AV consultant or integrator's job to only choose safe and secure products?  Is it up to the client to verify?  Or do we keep doing what most AV integrators keep doing and put it all on the network security folks? 

The answer is all of the above.  Cybersecurity is everyone's responsibility, end to end. 

I really appreciate this article, especially the reminder about SQL injection attacks in web forms. If readers are creating custom webpages that require logins for intranet or dealer access, often known as "dealer portals" in the AV industry, be sure to check your inputs!  Don't assume your user is going to type only their username and password, they may be typing a malicious SQL command along with it! 

Really glad to see security in schools being discussed, let's keep it going!

I have been recently posing this question to industry contacts: how can we take all the AV knowledge we have acquired in the real world, and then sell those same professional services in the metaverse? For instance, if you are a home theater expert, you could apply that knowledge to virtual home theaters. If you are a stage manager, you can manage live events online. Some of this is already happening, with folks like Joey at DNA hiring virtual engineers, or live folks mixing zoom rooms just like they used to mix camera feeds. So how do we approach higher level topics like sound masking, acoustics, and event lighting in the virtual world like we have been doing for years in the real world? 

One of the most recent attack techniques involves MFA fatigue, which is when a bad actor gains access to your email and login and then pushes MFA to your phone until you click "Approve".  

I have heard closer to 80% of attacks are due to human error, but numbers aside, human risk continues to be the biggest vulnerability.  This SANS report is very insightful and helpful

SANS 2022 Security Awareness Report: Human Risk Remains the Biggest Threat to Your Organization’s Cybersecurity | SANS Institute