To Zoom or Not to Zoom? The Security Is the Question
Zoom has become a very popular videoconferencing solution with widespread use, but many security concerns have started to surface. And some of these concerns are so common that organizations, school systems, and companies are banning its use.
What are the concerns with Zoom?
Zoom has been found to have weaker encryption. Encryption should protect data from end to end as it flows from your computer to the devices of the people in your meeting. If this traffic is unencrypted, it can be intercepted and accessed by an unauthorized party. Depending on the content of your conversations, document sharing, or chats, sensitive information could be exposed.
Zoom meeting IDs have also been found to be susceptible to brute force attacks or easily guessed. Using specialized software, or reusing a meeting ID that has been shared before, bad actors can obtain a meeting ID and “Zoombomb” your meeting. Numerous organizations and industries have reported their videoconferences – from AA meetings to online classes – being Zoombombed, resulting in privacy concerns and the sharing of offensive or inappropriate content. This type of attack has become such a problem that the U.S. Department of Justice is warning that Zoombombing can result in state or federal charges.
What if we choose to continue using Zoom?
Every organization operates differently and has varying needs. And some organizations may decide that the benefits of Zoom outweigh the risks at this time. In these instances, you should take every precaution to increase the security of the service.
Consider the following areas.
- Be careful what you share. When feasible, keep discussions generic. Don’t use screen share features to relay a sensitive document, such as information about your constituents or board packets. Provide these documents through a secure means before the meeting.
- Use the password feature for the Zoom meeting room. Require a password for users to enter the meeting room. Make this a strong, complex password. Once every anticipated attendee has entered the meeting room, lock it to prevent others from joining.
- Limit features you don’t need. If participants don’t need to talk, mute them! If the chat feature is unnecessary, disable it. Does everyone need to share their screen? If not, restrict it to the presenter.
- Be aware of the risk of Zoom attacks and phishing scams. Bad actors know Zoom is being used so now is the time to be vigilant. Be wary of suspicious activity and report it immediately. Don’t click on any links sent in Zoom messages, as they could contain malware. In addition, be wary of fake meeting invites that could install malware. If the meeting doesn’t seem legitimate, contact the person who sent it to confirm it’s valid.
- Patch everything and run anti-malware software. In work-from-home environments, this is especially critical, as employees who are not tech-savvy may be using unsecured networks, devices, and applications. While Zoom has been releasing updates and patches to its systems as it is alerted to various vulnerabilities, you only receive the benefit of an update once the application on each device has actually been updated.
- Be aware that Zoom data could be shared. Zoom acknowledged that large sets of user data were being shared by default with Facebook. While Zoom has fixed this issue, it was an issue nonetheless – an issue that shouldn’t have occurred.
- Consider the risks posed by employees reusing work passwords for Zoom. Are the login credentials employees are using to get into Zoom the same login credentials they use for your network or your email system? Employees are notorious for reusing passwords across applications. Encourage and remind your employees to use passwords that are completely unique from any other work application they use.
- Continue monitoring Zoom correspondence for security improvements and patches. Weaknesses are being reported to Zoom, and Zoom maintains that it is taking steps to resolve them. For example, The Citizen Lab reported a vulnerability within the “waiting room” feature in Zoom, and Zoom fixed the issue in less than a week. Stay informed so that you can put these enhancements in place as soon as it is feasible.
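The two points above about guessable meeting IDs and about requiring a meeting password and then locking the room can be put into rough numbers. The following is an added illustration, not code from the original article or from Zoom: it models how many ID/password combinations a guesser would have to try and how long that takes at an assumed guess rate. The ID length, password length and alphabet, and guess rate are all constructed assumptions rather than Zoom’s actual settings, and the point is only to show why a password and a locked room change the picture.

```python
# Added example (not from the original article or from Zoom): rough sizing of how
# hard a meeting is to find by guessing, and how a meeting password and locking the
# room change that. Every parameter below is a constructed assumption.

from dataclasses import dataclass


@dataclass(frozen=True)
class JoinPolicy:
    id_digits: int                # length of the numeric meeting ID (assumed)
    password_len: int = 0         # 0 means no meeting password
    password_alphabet: int = 62   # letters + digits (assumed alphabet size)
    locked: bool = False          # room locked once all attendees have joined


def keyspace(policy: JoinPolicy) -> int:
    """Distinct (meeting ID, password) combinations a guesser would have to search."""
    return 10 ** policy.id_digits * policy.password_alphabet ** policy.password_len


def expected_guesses(policy: JoinPolicy) -> int:
    """A uniformly random target is hit, on average, after half the keyspace."""
    return keyspace(policy) // 2


def seconds_to_find(policy: JoinPolicy, guesses_per_second: int) -> float:
    """Expected time to reach a specific meeting; a locked room admits nobody, so inf."""
    if policy.locked:
        return float("inf")
    return expected_guesses(policy) / guesses_per_second


def days_to_find(policy: JoinPolicy, guesses_per_second: int) -> float:
    return seconds_to_find(policy, guesses_per_second) / 86_400


if __name__ == "__main__":
    rate = 1_000  # assumed guesses per second the service would tolerate
    for label, policy in [
        ("ID only", JoinPolicy(id_digits=9)),
        ("ID + 8-char password", JoinPolicy(id_digits=9, password_len=8)),
        ("ID + password, room locked", JoinPolicy(id_digits=9, password_len=8, locked=True)),
    ]:
        print(f"{label:28s} keyspace={keyspace(policy):.3e} days={days_to_find(policy, rate):.3g}")
```

Under these assumptions an unprotected 9-digit ID is reachable in a matter of days, adding a password pushes the expected effort out by a factor of 62^8, and locking the room removes the avenue entirely regardless of the numbers; the real guess rate is whatever the service’s throttling allows, which this model does not know.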
What other options are available?
If your organization decides not to use Zoom, there are alternatives. Look for a solution that offers strong end-to-end encryption, enhanced access control features (password and lockout settings, multi-factor authentication, meeting room controls), and activity reporting.
Remain on guard.
Cybercriminals often take advantage of emergencies, natural disasters, and times of crisis. With more of our work and personal lives now online, it’s more important than ever to be aware of the cyber risks your organization faces, take steps to reduce that risk, and be alert to suspicious activity.
This article on Keeping Data Secure for Remote Workers offers additional steps you can take to create a more secure remote working environment.
We are here to help. Please contact us at [email protected] with any questions.
Allison Davis Ward
Allison Davis Ward is a Partner at CapinTech. Throughout her time as an information systems auditor and senior manager, Allison has provided information security assessment and consulting services primarily for nonprofit organizations, financial institutions, and health facilities. In addition to these services, she has provided clients with consulting services in risk assessment and policy development engagements.