Co-op cyber attack: Staff urged to keep cameras on in meetings

[SerendipityJane]

So they weren't already.

(Checks notes)

Yup, in 2008, when I was running IT strategy for a very large company, one of the rules we wrote into the IT guide for WFH/remote working was that all attendees should be verified outside of the call. And the team put quite some work into ensuring there were several ways (a camera being the easiest).

As I get older I have less patience for outfits that are authors of their own misfortune. Don't act like it comes as a surprise. (See also pandemic and business continuity disasters.

https://www.bbc.co.uk/news/articles/cg72k851dd8o

I agree - amazing they didn’t require this already.

As a non IT person, what’s the risk of not having cameras on pls?

If the camera isn’t on how do you know who is in the meeting?

So people can see who is who. Not just some initials on a screen.

I've had lots of meetings - especially large ones with over 300 attendees where cameras and microphones are off.

Do they not have MFA / 2FA for login?

It's all very well to say keep your camera on if it's a meeting of five people. Less so when the CEO is addressing five hundred.
Or if any of the staff is an identical twin (it happens!).

I used to work in a well established software company where security was vital and we all had MFA setup - you couldn't log on to internal systems just with username and password, you needed a special device or an app work had set up on your phone or your work laptop too. And that was half a decade ago.

We have Microsoft Authenticator, Facial Recognition login, authorised devices can only login and access the system..

Which I think is a bit better than looking at 500 faces on a camera to make sure people are on the call who say they are.

It's 2025. Not 2008

Of course, if someone has got in, they then could have made up an account or gained access to get these codes etc.

So a literal reboot, start again with fresh passwords etc. Verified in person might be good.

But I am not sure that having your camera on for a 500 person meeting is the most sensible solution in the long run to make sure that everyone is who they say they are on the call.

Don't call that a meeting (or fall for your companies bullshit that it's a meeting).

That's a congregation.

It's all very well to say keep your camera on if it's a meeting of five people. Less so when the CEO is addressing five hundred.

As stated previously that's not a meeting. That's a broadcast. And any company that fails to comprehend the distinction fairly much deserves all they get.

We have Microsoft Authenticator, Facial Recognition login

Yeah, good ;luck with that.

But I am not sure that having your camera on for a 500 person meeting

That's not a meeting. That's a sermon.

You were talking about security though.
Either it's insecure to have your camera off when you are on a Teams call or it's not

The number of people in a meeting shouldn't make a security difference/

Are you saying those types of 500+ meetings should be a video everyone can watch rather than a dial in meeting? Is there a more secure way to do it?

500 people in a room is not a meeting. It's a rally.

Often, yes, but even if its live nothing sensitive should ever be shared in such a big meeting! When have you ever been in such a big "meeting" that you couldn't have watched as a video at a more convenient time?

It's still not a meeting.

And yes, obviously only a fucking idiot would broadcast sensitive information to an unverified audience. Just because Pete Hegseth does it doesn't make it big or clever.

As stated initially, I am a little bit weary of companies getting their just desserts for incompetence, and then trying to pretend "how could we have known ?".

Best way to know is to listen to the people you pay to advise you, not treat them as some sort of enemy that needs to be defeated in the name of mammon.

What about 50 people, 70 people? Senior leadership team? All able to chip in and comment and discuss. Sensitive info often shared amongst LT. That’s still a meeting. And you can’t see all the faces.

Sensible move from the coop at the moment, but it’s not a ridiculous baseline to be ok with cameras off sometimes. It’s much harder to log into a teams call these days than it would have been to join a remote call via a dial in number like we often did 15 years ago. If anyone is able to get into our teams meetings then they probably can get onto the rest of our systems and we have much bigger problems than info being shared in meetings.

Congregation, broadcast, sermon, rally. Lots of words there but I'm still not clear if @SerendipityJane is saying if there are 100 / 200 / 300 attendees they should all be on camera?

Also are we saying the Co-Op's issues were caused by someone who shouldn't be there sitting in on a meeting?

Yeah, feels more likely that someone hacked in, got into all the systems, and from there could also attend meetings if they chose. Not that the security breach is the hacker attending meetings as a first issue. Clearly it has the chance to make it worse when a breach has occurred, but I’m not at all sure this is the first line of defence.

Did you swallow a thesaurus?

It's called a meeting, it goes into your calendar and it's called a meeting.

HTH

Re videos on? Guess you need to read up on deep fakes eh?

I think what the OP is trying to say is that there is a distinction between a large 500 people "meeting" where the presenter is giving annual results, or delivering a health and safety presentation, or making some other high level announcement where 498 out of the 500 people on the call are just sitting listening, OR a smaller <12 people meeting where there is discussion going on and decisions being made.

anyone speaking or making decisions in a meeting should have camera on.

if there are people who are just listening to info (as in the 500 person broadcasts) then camera-off is fine.

there might be some ambiguity around 20 person meetings, but I still think everyone should have camera-on at least at the start to introduce themselves and set the tone.

I still don't understand the security issue that is solved by having a camera on or off in a Teams meeting.

Can you explain what you think the security issue is - and how having a camera on would solve it?

As I said, there are plenty of security systems in place to ensure that the correct people are logged into a Teams meeting.

Authenticator
Authorised devices
PIN login
Facial recognition