The Information Security Team is sometimes asked about unusual entities in Teams meetings, often not people at all but so-called 'bots'. Unapproved bots are not allowed in Teams meetings and you must not introduce them. This article tells you how to stop others from doing so too. Currently the only approved Generative AI in University Teams meetings is the paid version of Microsoft Copilot, available via the link on the right under the AI & ML Competency Centre.
Oxford currently has quite permissive default settings on Teams meetings, so this article aims to help you make your meetings more secure. Currently, even if you don't invite bots, it is possible for participants to forward your meeting invitation to third-party tools such as AI transcription bots. This is a huge security risk as they may then have access to sensitive personal information. You should be alert to these unwelcome intrusions and treat them as a serious cyber security threat. Failure to do this may lead to loss of confidentiality, availability, or integrity of information and may mean that you, as the meeting organiser, need to report a data breach, possibly leading to penalties for our University from the Information Commissioner's Office.
If you suspect that a data breach has happened you must report it without delay.
Steps to take to keep the bots out
One of the easiest things to do when setting up a meeting is to untick the "allow forwarding" option.

You can also choose "meeting options" and be more restrictive on "Who can bypass the lobby?" and "Who can admit from the lobby". We recommend setting the "bypass the lobby" setting to "People who were invited" and the "admit from the lobby" option to "Organisers and co-organisers". Please be aware that "people in my org" means EVERYBODY in Oxford University using a Nexus Office365 account. For a large meeting, or one organised by a non-attendee (perhaps an EA/PA), you should also give the co-organiser role to one or more people who will be in the meeting and are willing to manage who attends.

Please note that these are screenshots from Outlook on Windows. The layouts may be a bit different on other desktop platforms/mobile devices.
Once you have set up a meeting you can go back to its settings either from the "Meeting options" button, as above, or from the equivalent in a web browser by choosing "Meeting options" just below the details of the meeting itself.

Once you are in the meeting
Once you're in the meeting and everyone is present, you can also lock the meeting. We recommend this for meetings where sensitive topics may be discussed. We also recommend you advise participants to take care with what goes in the chat, as it is possible in some cases for people to see the chat without being, or ever having been, in the meeting.
If you have forgotten to secure your meeting before starting it, you can always remove unwanted or unknown participants by going to the participants list and removing them.
Need Transcription?
Whilst it is dangerous to use third-party bots that have not had proper security assessment, it is OK to use the inbuilt Teams Transcription facility that you can turn on if you are able to record the meeting, and you can also use Microsoft's Copilot if you have access to that. You can find out more about Buying Generative AI Licences (including Copilot) from the AI & ML Competency Centre:
We encourage you to consider carefully the effect of recording a meeting, potential impacts on ‘academic freedom’, and whether people might feel less able to express their views if they are concerned that they are being recorded.
With thanks to IT Services for the initial draft of this article