Conference calls present a significant and overlooked security gap in the enterprise, according to a new research study from LoopUp.

The firm polled 1000 business professionals and found that whilst 70% said it was normal to discuss confidential information on conference calls, more than half admitted that it is also normal not to know who was on the line. This is often due to imperfections with traditional dial-in conferencing, LoopUp pointed out, as with a lack of visibility and control over meetings users cannot see who’s joined or take action to remove unwanted guests.

“Tools with web-based UIs can help in this respect, but are used only in the minority of cases”, LoopUp said in its report.

What’s more, it was discovered that 66% of professionals use the same passcodes to dial-in to calls for up to a year or more which, as is the case when failing to regularly change any form of log-in credential, opens users and businesses up to security risks should they fall into the hands of malicious actors.

However, dial-in conferencing remains the primary way business people participate in conference calls, regardless of whether they have access to web or video conferencing tools.

“It’s not surprising that the majority of business people still default to dial-in to join their conference calls,” said LoopUp co-CEO, Steve Flavell. “While there is an abundance of capable software products for conferencing, most business people neither have the time nor inclination to learn how to use them, and they certainly don’t want to learn by trial and error during their meetings.”

Unfortunately, dial-in conferencing offers a subpar user experience which impacts productivity and costs businesses money, he added. “Even more critically, it can put sensitive information at risk.”

Speaking to Infosecurity Steve Durbin, managing director, Information Security Forum, said it’s vital that employees are taught to treat dial-in information with care, as it is often company confidential information.

“Never disclose the chairman’s code outside of a small number of trusted individuals, monitor who has the code and how it is being used and only share participant codes with users that are required,” he added.

“For those calls that are truly confidential – perhaps board calls or those with investors where the content is not intended to be made public – consider using a different calling bridge from the norm. For smaller companies, WhatsApp and Skype are effective ways of pulling together small groups for calls where you are able to at least know who you have on the call.”