Alan Brill, Kroll Ontrack
As a cybersecurity investigator, it's tempting to focus on the latest and greatest from the world of hacking. Some of the attacks being carried out successfully are mind-boggling in their technical sophistication. But we try to approach incidents with an open mind, and sometimes that means seeing things that normally fly well under the cyber investigator's radar.

Think about this scenario.

Company “T” holds a weekly marketing phone call using a dial-in conference line. Senior colleagues from around the country call a designated number and discuss opportunities, plans, problems and issues with clients. Generally, about 20 people participate, but the number varies with vacations, travel schedules and the like.

Sharon, one of the senior people usually on the call, resigned last month. It is generally known that she joined a competitor. What isn't known is that she hasn't missed a marketing conference call since she left. The dial-in number hadn't changed in years, nor had the access code. It was particularly easy because the call leader's assistant invariably opened the line at least five minutes before the call, so the leader never heard the “There are 15 parties in conference, including you” message; not that anyone checked who was or wasn't present. No one counted the entry beeps that signaled someone joining the call, unless a beep came really late, in which case the latecomer might be asked “who joined?” Sharon just dialed in, ignored the prompt to “say your name followed by the pound key” after the beep, pressed the pound key and entered the meeting, then listened and took notes with her phone muted.

Company “J”, on the other hand, runs a very similar call each week. It also had a manager, Ralph, who was regularly on the call and who left to join a competitor, but it reacted differently to his departure. Before the next meeting, the recurring meeting was cancelled and a new invitation was sent out with a new dial-in number and participant passcode. Even if Ralph wanted to sneak a listen, he couldn't (unless someone gave him the new numbers).

While phone conference systems vary, they don't provide much security. Once the leader opens the conference line, depending on the particular system, one might hear a “now joining” announcement followed by the person's recorded name or, on some systems, merely a beep tone. There is no easy way to know exactly who is or isn't on a call, particularly one with many participants.

For this reason, we recommend the following best practices for recurring calls about non-public information:

  • When a call participant leaves the company (or moves within the company to a job where access to the call isn't needed), change the conference dial-in number, the participant passcode, or both.
  • Before you send a revised meeting invitation with the new codes, STOP and look carefully at the distribution list. Is each person named still someone who should be included? A client recently told us that when they looked at one of their important meeting lists, they were shocked to discover the names of several people who were unknown to the current meeting host: they had left or transferred to other jobs years ago, but the list was never updated!
  • At least annually (we would really suggest more often), check each list to see if it is current. If you find people who shouldn't participate, update the list, change the dial-in number and/or codes, and send out a new invitation.
  • If a conference bridge number was assigned to a former employee, that number should be cancelled at exit and the invoice checked for any use post-departure. However, before accusations fly (and here's a good reason to seek legal counsel before ever doing that), an investigation may show that another company employee is now using that number, but never updated the account, or that the number was used for a regularly scheduled call and is still being used. (But based on best practice, you should change it now.)
  • If you have a bad feeling that someone has been listening in – a competitor seems to know a lot about the last meeting for example – we strongly suggest that your first call be to your company's general counsel or outside legal counsel. In many cases, the company providing the conference line may be able to supply a list of the phone numbers that were connected to the conference. If one of those is the number of a competitor or former employee, there may be the potential for either a civil action or even criminal charges, and you want to be in close touch with your company's counsel for guidance.

Conference call bridges are usually not thought of as openings where sensitive data may leak from your organization, but just because you don't think of it doesn't mean it's not happening. Taking the steps we've suggested can help reduce that risk, by making sure that your phone conference audience is the one you intended, without extra unknown and unwanted guests.