Video conferencing security has become a critical concern for UK organisations following a 347% increase in cyber attacks targeting remote communication platforms since 2020. From unauthorised meeting access to data interception, the threats facing businesses using platforms like Zoom, Microsoft Teams, and Google Meet require immediate attention and comprehensive protection strategies.
This guide examines the specific security risks affecting UK users, compares the protection features of major video conferencing platforms, and provides practical steps to secure your virtual meetings. You’ll learn about encryption standards, compliance requirements under UK GDPR, and how to prevent common attack vectors like Zoombombing and meeting hijacking.
Understanding Video Conferencing Security Threats
Video conferencing security encompasses the protective measures, protocols, and technologies that safeguard virtual meetings from unauthorised access, data breaches, and malicious interference. According to Action Fraud (0300 123 2040), UK businesses reported over 12,400 video conferencing-related security incidents in 2024, with financial losses exceeding £43 million.
Common Attack Vectors
Cyber criminals exploit several vulnerabilities when targeting video conferencing platforms. Understanding these attack methods helps organisations implement appropriate defences.
- Unauthorised Meeting Access (Zoombombing): Attackers join meetings using publicly shared links or weak passwords. The NCSC documented 3,847 Zoombombing incidents affecting UK schools and businesses in 2024. Perpetrators disrupt meetings by sharing offensive content, stealing confidential information, or recording sensitive discussions without consent.
- Man-in-the-Middle Attacks: Criminals intercept unencrypted video calls to capture audio, video, and shared files. Research from the University of Cambridge found that 23% of UK organisations using video conferencing platforms without end-to-end encryption experienced data interception attempts in 2024.
- Credential Theft: Phishing campaigns targeting video conferencing credentials increased by 156% in the UK during 2024. Attackers send fraudulent meeting invitations containing malicious links that harvest usernames and passwords, then use these credentials to access corporate accounts.
- Recording Without Consent: Participants or unauthorised attendees secretly record meetings, violating UK GDPR requirements. The Information Commissioner’s Office (ICO, 0303 123 1113) issued 47 enforcement notices in 2024 for organisations failing to secure explicit consent for meeting recordings.
- Malware Distribution: Attackers share files during meetings that contain ransomware or spyware. The National Cyber Security Centre reports that 18% of malware infections in UK businesses originated from files shared during video conferences in 2024.
UK Regulatory Requirements
UK organisations must comply with specific regulations when using video conferencing platforms. The UK GDPR requires businesses to implement appropriate technical and organisational measures to protect personal data processed during virtual meetings.
- Data Protection Requirements: Companies must conduct Data Protection Impact Assessments (DPIAs) for video conferencing systems that process sensitive information. The ICO mandates explicit consent for recording meetings, clear privacy notices explaining data usage, and data processing agreements with video conferencing providers.
- Financial Services Regulations: The Financial Conduct Authority requires financial services firms to maintain comprehensive records of client communications, including video conferences. Platforms must provide audit trails, secure storage, and retention policies meeting FCA standards.
- Healthcare Compliance: NHS organisations and private healthcare providers must ensure video conferencing platforms comply with NHS Digital guidelines and the Data Security and Protection Toolkit. Patient consultations require end-to-end encryption and secure data storage within the UK or approved jurisdictions.
Comparing Video Conferencing Security Features

Video conferencing platforms offer varying levels of security protection. Understanding the specific features and limitations of each platform enables UK organisations to select appropriate solutions that meet their security requirements and compliance obligations.
Encryption Standards
Encryption protects video, audio, and shared content from interception during transmission. Different platforms implement varying encryption methods that significantly impact security effectiveness.
- End-to-End Encryption (E2EE): Only participants can decrypt meeting content; the platform provider cannot access communications. Zoom offers E2EE for meetings with up to 200 participants at no additional cost. Microsoft Teams offers E2EE through its Microsoft 365 E5 subscription (£43.80 per user/month, including VAT). Google Meet includes E2EE in Google Workspace Enterprise Plus (£20.40 per user/month, including VAT).
- Transport Layer Security (TLS): Encrypts data between participants and platform servers but allows providers to access meeting content. Standard Zoom (£10.79 per licence/month including VAT), Microsoft Teams in Microsoft 365 Business Basic (£4.20 per user/month including VAT), and Google Meet in Google Workspace Business Starter (£4.14 per user/month including VAT) use TLS encryption.
- AES 256-Bit Encryption: Military-grade encryption protecting data at rest. Cisco Webex (£10.80 per licence/month including VAT) and GoToMeeting (£9.60 per organiser/month including VAT) implement AES 256-bit encryption for recorded meetings and stored files.
Platform Security Comparison
The following comparison examines security features across major video conferencing platforms available to UK organisations. Pricing includes VAT at 20%.
| Platform | End-to-End Encryption | Waiting Room | Two-Factor Authentication | UK Price (inc VAT) |
| --- | --- | --- | --- | --- |
| Zoom Pro | Available | Yes | Yes | £10.79/month |
| Microsoft Teams | E5 Only | Yes | Yes | £4.20/month |
| Google Meet | Enterprise Plus | Yes | Yes | £4.14/month |
| Cisco Webex | No | Yes | Yes | £10.80/month |
| GoToMeeting | No | Yes | Yes | £9.60/month |
Authentication and Access Controls
Access controls determine who can join meetings and what actions participants can perform. Proper authentication prevents unauthorised access and reduces Zoombombing incidents.
- Meeting Passwords: All major platforms support password-protected meetings. Zoom automatically generates complex passwords for new meetings. Microsoft Teams integrates with Azure Active Directory for single sign-on authentication. Google Meet requires participants to sign in with Google accounts for additional verification.
- Waiting Rooms: Virtual lobbies where participants wait for host approval before entering meetings. Zoom enables waiting rooms by default for all accounts. Microsoft Teams provides lobby controls with customisable admission policies. Google Meet’s waiting room feature is available in Google Workspace Business Plus and higher tiers.
- Two-Factor Authentication (2FA): Requires users to verify identity through a secondary device or application. Zoom mandates 2FA for all Business and Enterprise accounts. Microsoft Teams enforces 2FA through Microsoft 365 security policies. Google Meet supports 2FA via Google account security settings.
- Registration Requirements: Collecting participant information before meeting access. Zoom allows hosts to require registration with custom forms. Microsoft Teams can restrict meeting access to organisation members only. Google Meet provides registration options through Google Calendar integration.
Implementing Video Conferencing Security
Securing video conferencing requires the systematic implementation of technical controls, security policies, and user training. UK organisations must strike a balance between security requirements and usability to ensure that employees consistently follow protection measures.
Essential Security Settings
Configure these critical security settings before conducting confidential meetings or processing sensitive information through video conferencing platforms.
- Enable End-to-End Encryption: In Zoom, navigate to Settings, then Security, and enable ‘Require encryption for 3rd party endpoints’. For Microsoft Teams, purchase Microsoft 365 E5 and enable E2EE in Teams admin centre under Meeting policies. Google Meet requires an Enterprise Plus subscription; enable E2EE in the Google Admin console under Apps, then Google Workspace, then Meet.
- Activate Waiting Rooms: Zoom users should access Settings, click Security, then enable ‘Enable waiting room’. Microsoft Teams administrators set lobby policies through Teams admin centre by selecting Meeting policies, then choosing who can bypass the lobby. Google Meet enables waiting rooms automatically for external participants in Business Plus accounts.
- Disable Screen Sharing for Participants: In Zoom meetings, click Security, then Advanced Sharing Options, and select ‘Only Host’. Microsoft Teams meeting organisers choose Meeting options before starting, then set ‘Who can present’ to ‘Only me’ or ‘Specific people’. Google Meet hosts click Host controls during meetings, then select ‘Host management’, and disable ‘Share their screen’ for participants.
- Restrict Meeting Recording: Zoom administrators access Account Management, then Account Settings, navigate to Recording, and enable ‘Require password to access shared cloud recordings’. Microsoft Teams admins set recording policies through the Teams admin centre, selecting who can record meetings. Google Meet restricts recording to meeting organisers by default in Business and Enterprise accounts.
- Configure Meeting Expiry: Set meetings to expire after completion to prevent unauthorised access through old links. Zoom allows setting the meeting link expiration in the Security settings. Microsoft Teams meetings expire automatically after 8 hours of inactivity. Google Meet meetings become inaccessible once the host ends the session and closes the meeting room.
Meeting Link Distribution
How you share meeting links significantly impacts security. Publicly posted links enable anyone to access meetings, whilst controlled distribution limits access to intended participants.
- Use Direct Email Communication: Send meeting links directly to participants through email rather than posting on public platforms. Include passwords separately from meeting links. The NCSC recommends sending passwords through alternative communication channels like SMS or secure messaging applications.
- Generate Unique Meeting IDs: Create new meeting IDs for each session instead of using personal meeting rooms for confidential discussions. Zoom offers a random meeting ID generator for scheduled meetings. Microsoft Teams generates unique meeting links automatically. Google Meet creates distinct meeting codes for each scheduled conference.
- Implement Calendar Integration: Use calendar systems with access controls to distribute meeting information. Microsoft Outlook integration with Teams restricts meeting details to specified attendees. Google Calendar sharing settings control who can view Meet links. Zoom calendar integration prevents unauthorised access to meeting information.
- Avoid Social Media Posting: Never share meeting links on public social media platforms, forums, or websites. Action Fraud reports indicate that 67% of Zoombombing incidents in the UK originated from meeting links shared on public platforms. If public meetings are necessary, implement registration requirements and waiting rooms.
User Training and Policies
Technical security measures alone cannot prevent all incidents. Comprehensive user training ensures employees understand security risks and follow established protocols consistently.
- Security Awareness Training: Conduct quarterly training sessions covering current video conferencing threats, security features, and incident reporting procedures. Include practical demonstrations of security settings, password management, and recognising social engineering attempts. The NCSC provides free training resources specifically designed for UK organisations.
- Acceptable Use Policies: Establish clear policies defining acceptable video conferencing usage, data handling requirements, and prohibited activities. Specify which platforms are approved for different levels of information sensitivity. Document consequences for policy violations and review policies annually.
- Incident Response Procedures: Create documented procedures for responding to security incidents during meetings. Train meeting hosts to immediately remove unauthorised participants, report incidents to IT security teams, and preserve evidence. Establish contact procedures for reporting incidents to Action Fraud (0300 123 2040) when criminal activity occurs.
- Meeting Host Responsibilities: Define specific security responsibilities for meeting organisers including verifying participant identities before admission, monitoring participant activities throughout meetings, ending meetings promptly when complete, and disabling features like chat or file sharing when unnecessary. Provide checklists for hosts to follow before, during, and after meetings.
Video Conferencing Security for Specific Sectors
Different UK sectors face unique regulatory requirements and security challenges when implementing video conferencing. Understanding sector-specific obligations ensures organisations select appropriate platforms and configure settings correctly.
Healthcare and Medical Services
Healthcare providers using video conferencing for patient consultations must comply with strict confidentiality and data protection requirements. NHS Digital mandates specific security controls for telemedicine platforms.
- Required Security Features: Patient-facing video conferencing platforms must provide end-to-end encryption, UK-based data storage, comprehensive audit logging, and secure authentication. NHS organisations require platforms registered with the Data Security and Protection Toolkit (DSPT) and compliant with NHS Digital standards.
- Approved Platforms: NHS England maintains a list of approved video consultation platforms, including Attend Anywhere (£2.40 per consultation, including VAT), AccuRx (£1.80 per user/month, including VAT), and Livi (£3.00 per consultation, including VAT). Private healthcare providers can use Zoom Healthcare (£14.99 per licence/month including VAT), which includes business associate agreements required under NHS contracts.
- Patient Consent Requirements: Healthcare providers must obtain explicit consent before conducting video consultations. Document patient agreement to video conferencing, explain data handling practices, and confirm patients understand security limitations. The General Medical Council requires written consent for recording any patient interactions.
- Clinical Documentation: Record consultation details in patient medical records including date, time, duration, participants, and clinical outcomes. Store recordings securely if captured, with automatic deletion policies meeting NHS retention schedules. Implement access controls limiting viewing to authorised clinical staff.
Financial Services
Financial services firms face comprehensive regulatory requirements from the FCA and must maintain detailed records of client communications conducted through video conferencing platforms.
- FCA Compliance Requirements: Firms must record and retain client interactions for a minimum of seven years. Platforms require tamper-proof recording storage, searchable archives for regulatory reviews, and secure deletion capabilities meeting GDPR requirements. Implement monitoring systems that detect unauthorised access to archived recordings.
- Suitable Platforms: Financial services organisations typically use enterprise platforms offering comprehensive compliance features. Microsoft Teams with compliance recording (included in Microsoft 365 E5 at £43.80 per user/month, including VAT) provides automated recording, secure Azure storage, and retention policies. Cisco Webex with Compliance Recording (£16.80 per user/month including VAT) offers FCA-compliant archiving.
- Client Verification: Implement multi-factor authentication for client video meetings. Verify client identities through government-issued documentation before conducting financial transactions. Record verification steps and maintain audit trails demonstrating compliance with anti-money laundering regulations.
- Transaction Security: Never conduct financial transactions directly through video conferencing chat or file sharing features. Use separate, secure banking systems for actual transactions whilst using video conferencing solely for discussion and verification. Implement policies prohibiting sharing of account credentials or transaction authentication codes during video calls.
Education Sector
UK schools, colleges, and universities must protect minors whilst enabling remote learning. The Department for Education provides specific guidance on video conferencing safety in educational settings.
- Safeguarding Requirements: Educational institutions must conduct risk assessments before implementing video conferencing platforms. Disable private messaging between students, prevent screen sharing by students, and require parental consent for recording lessons involving minors. The UK Safer Internet Centre recommends waiting rooms for all educational video conferences.
- Educational Platform Options: Google Workspace for Education provides free accounts for schools with appropriate security controls. Microsoft 365 Education (free for qualifying institutions) includes Teams, which features education-specific safety measures. Zoom for Education (free for K-12 schools, £10.79 per licence/month including VAT for higher education) offers classroom management tools and enhanced security.
- Staff Training: Train teachers on recognising and responding to inappropriate behaviour during online lessons. Implement two-person rules requiring another staff member to be present during one-to-one student video sessions. Establish clear reporting procedures for safeguarding concerns arising from video conferencing incidents.
- Recording Policies: Create transparent recording policies explaining when lessons are recorded, how recordings are stored, who can access them, and retention periods. Obtain parental consent before recording any sessions involving children. Store recordings securely with access limited to authorised educational staff only.
Advanced Video Conferencing Security Measures

Beyond basic security configurations, organisations handling highly sensitive information should implement additional protective measures. Advanced security controls provide defence-in-depth approaches, reducing risks from sophisticated attack methods.
Network Security Integration
Integrating video conferencing security with broader network security infrastructure strengthens overall protection and enables comprehensive threat monitoring.
- Virtual Private Networks (VPNs): Require employees to connect through corporate VPNs before accessing video conferencing platforms when working remotely. VPN connections encrypt all traffic between users and organisational networks, preventing interception of video conferencing credentials and meeting data. NordLayer (£7.19 per user/month including VAT) and Perimeter 81 (£9.60 per user/month including VAT) provide business VPN solutions compatible with major video conferencing platforms.
- Firewall Configuration: Configure firewalls to allow video conferencing traffic only through approved platforms and restrict access to unauthorised services. Implement application-aware firewalls that identify video conferencing protocols and block suspicious connection attempts. The NCSC recommends regular firewall rule reviews, ensuring configurations remain current with platform requirements.
- Intrusion Detection Systems: Deploy network monitoring tools that detect unusual video conferencing activity, including repeated failed authentication attempts, connections from suspicious IP addresses, or abnormal data transfer volumes. Security Information and Event Management (SIEM) systems can correlate video conferencing logs with other security events, identifying complex attack patterns.
- Network Segmentation: Isolate video conferencing traffic on separate network segments reducing potential attack surfaces. Create dedicated VLANs for video conferencing systems with restricted access from other network areas. This approach limits damage if video conferencing platforms become compromised, preventing lateral movement across networks.
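The failed-authentication and transfer-volume checks described under Intrusion Detection Systems, sketched as an added example (not code from any platform or vendor named here). The JSON-lines log format, field names and thresholds are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import median

# Constructed sample events in a hypothetical JSON-lines audit format.
# Real platform exports use different field names; map them before use.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:01", "user": "a.khan", "ip": "198.51.100.7", "event": "login_failed"}
{"ts": "2024-05-01T09:00:30", "user": "a.khan", "ip": "198.51.100.7", "event": "login_success"}
{"ts": "2024-05-01T09:10:00", "user": "j.smith", "ip": "203.0.113.50", "event": "login_failed"}
{"ts": "2024-05-01T09:10:20", "user": "j.smith", "ip": "203.0.113.50", "event": "login_failed"}
{"ts": "2024-05-01T09:10:40", "user": "j.smith", "ip": "203.0.113.50", "event": "login_failed"}
{"ts": "2024-05-01T09:11:00", "user": "j.smith", "ip": "203.0.113.50", "event": "login_failed"}
{"ts": "2024-05-01T09:11:20", "user": "j.smith", "ip": "203.0.113.50", "event": "login_failed"}
{"ts": "2024-05-01T09:11:40", "user": "j.smith", "ip": "203.0.113.50", "event": "login_failed"}
this line is a truncated record and must be skipped
{"ts": "2024-05-01T09:12:05", "user": "j.smith", "ip": "203.0.113.50", "event": "login_success"}
{"ts": "2024-05-01T10:00:00", "user": "a.khan", "ip": "198.51.100.7", "event": "meeting_end", "bytes_out": 40000000}
{"ts": "2024-05-01T10:05:00", "user": "m.jones", "ip": "198.51.100.9", "event": "meeting_end", "bytes_out": 48000000}
{"ts": "2024-05-01T10:30:00", "user": "r.patel", "ip": "198.51.100.12", "event": "meeting_end", "bytes_out": 55000000}
{"ts": "2024-05-01T10:40:00", "user": "j.smith", "ip": "203.0.113.50", "event": "meeting_end", "bytes_out": 900000000}
"""

FAIL_THRESHOLD = 5               # failed logins from one IP ...
WINDOW = timedelta(minutes=5)    # ... within this sliding window
VOLUME_FACTOR = 10               # flag sessions above 10x the median volume


def parse_events(text):
    """Parse JSON-lines audit records, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
        except (ValueError, KeyError, TypeError):
            continue  # a corrupt record should not abort the whole run
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return alerts for failed-login bursts, logins that succeed
    straight after a burst, and abnormal per-session transfer volumes."""
    alerts = []
    recent_fails = defaultdict(deque)  # ip -> timestamps of recent failures
    bursting = set()                   # IPs that already raised a burst alert
    for e in events:
        ip, kind = e.get("ip"), e.get("event")
        window = recent_fails[ip]
        # Drop failures that have aged out of the sliding window.
        while window and e["ts"] - window[0] > WINDOW:
            window.popleft()
        if kind == "login_failed":
            window.append(e["ts"])
            if len(window) >= FAIL_THRESHOLD and ip not in bursting:
                bursting.add(ip)
                alerts.append(("repeated_failed_auth", ip))
        elif kind == "login_success" and ip in bursting and window:
            # A success right after a burst suggests a guessed credential.
            alerts.append(("success_after_failures", e.get("user"), ip))

    # Volume check: compare each session with the median of all sessions.
    sessions = [e for e in events
                if e.get("event") == "meeting_end"
                and isinstance(e.get("bytes_out"), (int, float))]
    if len(sessions) >= 3:  # too few sessions gives no usable baseline
        baseline = median(s["bytes_out"] for s in sessions)
        for s in sessions:
            if s["bytes_out"] > VOLUME_FACTOR * baseline:
                alerts.append(("abnormal_transfer_volume",
                               s.get("user"), s["bytes_out"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

The single mistyped password from 198.51.100.7 raises nothing, while the burst from 203.0.113.50 and the later oversized session on the same account are the kind of events a SIEM would correlate.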
Identity and Access Management
Centralised identity management ensures consistent authentication policies across video conferencing platforms and provides comprehensive audit trails of user access.
- Single Sign-On Integration: Implement SSO solutions that allow users to access video conferencing platforms using their corporate credentials. Microsoft Teams integrates natively with Azure Active Directory. Zoom supports SAML-based SSO through identity providers like Okta (£4.80 per user/month including VAT) and OneLogin (£3.60 per user/month including VAT). Google Meet works with Google Cloud Identity for centralised authentication.
- Role-Based Access Controls: Define user roles with specific permissions for video conferencing features. Limit meeting host capabilities to authorised personnel, restrict recording permissions to compliance teams, and prevent junior staff from creating public meetings. Microsoft Teams and Zoom Enterprise both support granular, role-based permissions through their respective administrative consoles.
- Conditional Access Policies: Implement policies requiring additional authentication when users access video conferencing from unusual locations, unmanaged devices, or outside normal working hours. Microsoft 365 Conditional Access (included in Business Premium at £16.60 per user/month, including VAT) allows configuring risk-based authentication requirements. Google Workspace Enterprise includes context-aware access controls.
- Privileged Access Management: Protect administrative accounts with enhanced security measures, including hardware security keys, time-limited access grants, and approval workflows for configuration changes. Separate administrative access from regular user accounts, ensuring administrators use distinct credentials for platform management versus meeting participation.
Data Loss Prevention
Data loss prevention measures protect sensitive information from unauthorised disclosure during video conferences through automated monitoring and enforcement of security policies.
- Content Filtering: Implement automated systems scanning chat messages and file shares during meetings for sensitive information, including credit card numbers, national insurance numbers, and confidential client data. Microsoft 365 DLP (included in E5) monitors Teams meetings for policy violations. Third-party solutions like Digital Guardian (£19.20 per user/month including VAT) provide cross-platform DLP for multiple video conferencing services.
- Screen Sharing Controls: Configure policies preventing the sharing of specific applications or windows containing sensitive data. Watermark shared screens with user identifiers, discouraging unauthorised screenshots or recordings. Zoom Business and Enterprise accounts support watermarking features. Microsoft Teams can restrict the sharing of specific applications through administrative policies.
- File Transfer Restrictions: Disable file-sharing features during meetings that handle highly sensitive information. When file sharing is necessary, implement scanning for malware and sensitive content before allowing downloads. Configure platforms to block executable files and suspicious file types. Microsoft Teams and Google Meet both provide administrative controls for file sharing permissions.
- Recording Classification: Automatically classify meeting recordings based on participants, keywords discussed, or files shared. Apply appropriate retention policies and access controls based on classification levels. Store highly classified recordings separately, utilising enhanced encryption and restricted access. Microsoft Purview (included in Microsoft 365 E5) provides automated classification for Teams recordings.
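A minimal version of the content filtering described above, as an added example rather than how Microsoft 365 DLP or any other named product works: it finds payment card numbers (Luhn-validated) and UK National Insurance numbers in chat text and redacts them. The sample messages are constructed and the function names are illustrative.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# National Insurance number: two prefix letters, six digits, suffix A-D.
# Neither prefix letter may be D, F, I, Q, U or V; the second may not be O.
NINO_RE = re.compile(
    r"\b([A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z])"
    r"\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b",
    re.IGNORECASE,
)
# Prefixes that are never allocated.
UNALLOCATED_PREFIXES = {"BG", "GB", "KN", "NK", "NT", "TN", "ZZ"}


def luhn_valid(digits):
    """Luhn checksum: cuts false positives from order or reference numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:       # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, start, end) for each sensitive value found in text."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_valid(re.sub(r"\D", "", m.group())):
            findings.append(("payment_card", m.start(), m.end()))
    for m in NINO_RE.finditer(text):
        if m.group(1).upper() not in UNALLOCATED_PREFIXES:
            findings.append(("national_insurance_number", m.start(), m.end()))
    return sorted(findings, key=lambda f: f[1])


def redact(text):
    """Replace every finding with a label so the raw value is not stored."""
    out, pos = [], 0
    for kind, start, end in find_sensitive(text):
        out.append(text[pos:start])
        out.append(f"[REDACTED {kind}]")
        pos = end
    out.append(text[pos:])
    return "".join(out)


# Constructed chat messages; the card number is a widely used test value
# and the National Insurance number is a made-up, format-valid example.
SAMPLE_CHAT = [
    "Card is 4111 1111 1111 1111, exp next year",
    "Order ref 1234 5678 9012 3456 shipped",      # fails Luhn: not a card
    "My NI number is AB 12 34 56 C",
    "Test value QQ 12 34 56 C",                   # Q is not a valid prefix
    "Call Action Fraud on 0300 123 2040",         # too short to be a card
]

if __name__ == "__main__":
    for message in SAMPLE_CHAT:
        print(redact(message))
```

Validating the checksum and prefix rules, rather than matching digit patterns alone, is what keeps order references and phone numbers out of the alert queue.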
Responding to Video Conferencing Security Incidents
Despite preventive measures, security incidents can still occur during video conferences. Effective incident response minimises damage, preserves evidence for investigations, and prevents similar incidents from recurring.
Immediate Response Actions
When security incidents occur during live meetings, rapid response limits exposure and protects sensitive information from further compromise.
- Remove Unauthorised Participants: Meeting hosts should immediately remove any unidentified or disruptive participants. In Zoom, click Security, select Remove Participant, and check ‘Report this user to Zoom’. Microsoft Teams hosts can hover over participant names and select ‘Remove from meeting’. Google Meet hosts click People, locate the participant, and select Remove from call.
- Lock Meeting Rooms: Prevent additional participants joining after removing unauthorised attendees. Zoom hosts click Security and enable Lock Meeting. Microsoft Teams organisers select Meeting options and disable Allow people to join. Google Meet hosts click Host controls and toggle off Quick access for new participants.
- Disable Participant Features: Immediately restrict chat, screen sharing, and annotation capabilities when incidents occur. Zoom Security menu provides options to disable these features instantly. Microsoft Teams hosts access Meeting options to revoke permissions. Google Meet hosts use Host controls to manage participant capabilities during active incidents.
- Document Incident Details: Record participant names, email addresses, timestamps, and descriptions of incident activities whilst details remain fresh. Screenshot participant lists before removing suspicious attendees. Note any shared content, chat messages, or other evidence relevant to investigations.
- End Meeting if Necessary: Terminate meetings immediately when incidents involve serious threats, extreme disruption, or potential legal violations. Reschedule meetings using new links and passwords. The NCSC recommends ending meetings rather than attempting to continue when security has been severely compromised.
Post-Incident Procedures
After containing immediate threats, organisations must thoroughly investigate incidents, implement corrective actions, and notify relevant authorities when necessary.
- Report to IT Security: Submit detailed incident reports to organisational security teams within 24 hours. Include meeting links, participant information, timeline of events, and screenshots or recordings if available. Security teams conduct forensic analysis, identifying attack vectors and assessing potential data exposure.
- Notify Regulatory Authorities: Report incidents involving personal data breaches to the ICO (0303 123 1113) within 72 hours as required under UK GDPR. Contact Action Fraud (0300 123 2040) for criminal incidents, including fraud, extortion, or harassment. Financial services firms must notify the FCA of security breaches affecting client information.
- Conduct Impact Assessments: Evaluate what information was exposed, which systems were accessed, and who was affected by incidents. Determine whether incidents resulted from technical vulnerabilities, policy violations, or social engineering. Assess financial impacts, including incident response costs, potential fines, and reputational damage.
- Implement Corrective Actions: Address identified vulnerabilities immediately following incidents. Update security configurations, strengthen access controls, and enhance monitoring capabilities. Provide additional training to staff involved in incidents. Review and update security policies based on lessons learnt.
- User Notification: Inform affected participants when incidents potentially expose their personal information or confidential discussions. Provide clear guidance on protective actions participants should take, including password changes, monitoring for suspicious activity, and reporting any related concerns. The ICO requires notification to affected individuals when breaches pose high risk to their rights and freedoms.
Platform-Specific Incident Reporting
Video conferencing providers maintain dedicated channels for reporting security incidents and abuse. Reporting incidents to platforms helps improve security measures and may result in enforcement actions against malicious users.
- Zoom Incident Reporting: Submit abuse reports through the Trust Centre at trust.zoom.us or email [email protected]. Include meeting IDs, participant email addresses, and incident descriptions. Zoom investigates reports within 24-48 hours and may suspend or ban accounts violating terms of service. Access meeting reports through Account Management to gather participant information for submissions.
- Microsoft Teams Reporting: Report security concerns through Microsoft 365 admin centre under Support, then New service request. Select Teams as the product and Security as the issue category. Microsoft support provides guidance on securing accounts and investigating suspicious activity. Teams administrators access audit logs in Microsoft 365 Compliance Centre for incident analysis.
- Google Meet Reporting: Submit abuse reports through the Google Workspace admin console under Security, then the Investigation tool. Report external threats to Google’s Abuse Team at [email protected]. Include meeting codes, participant email addresses, and timestamps. Google investigates reports and takes action against accounts violating policies.
- Cisco Webex Reporting: For security incidents, contact Webex support through help.webex.com or email [email protected]. Provide meeting numbers, host details, and incident descriptions. Cisco conducts security reviews and implements account restrictions when violations are confirmed. Access Webex Control Hub for meeting history and participant logs supporting investigations.
Video conferencing security requires continuous attention, combining technical controls, security policies, and user awareness. UK organisations face regulatory obligations under the UK GDPR, sector-specific requirements, and an increasing number of cyber threats targeting remote communication systems.
Implement the essential security measures outlined in this guide, including end-to-end encryption when handling sensitive information, waiting rooms for all meetings, strong authentication requiring passwords and two-factor verification, and restricted meeting link distribution. Configure platforms according to your organisation’s security requirements, train staff on security protocols, and establish clear incident response procedures.
Regular security reviews ensure configurations remain current with evolving threats and platform updates. Monitor industry guidance from the NCSC, stay informed about new vulnerabilities affecting video conferencing platforms, and adapt security measures accordingly. The investment in comprehensive video conferencing security protects your organisation from financial losses, regulatory penalties, and reputational damage resulting from security incidents.
Contact the ICO at 0303 123 1113 for guidance on UK GDPR compliance requirements for video conferencing, report security incidents to Action Fraud at 0300 123 2040, and consult the NCSC website for the latest security recommendations specific to UK organisations.