Partnered Solutions’ Chief Security Officer and Chief Operating Officer weigh in on the big questions surrounding the security of the video conferencing tool, Zoom.
What makes Zoom such a popular choice over other programs like WebEx, GoToMeeting, or BlueJeans?
The main features of Zoom are ease of use and interoperability with phones, tablets, and computers. Since there is also a browser plugin, it’s easy to get an invitation, have the application installed, and join a meeting within a few minutes. It makes other programs seem clunky and inelegant.
Then, there’s the practical point of view: Zoom got ahead of the other companies because they offered their service for free—which also made them an attractive target for pranksters and hackers.
What are the vulnerabilities of Zoom?
The problems with Zoom are directly tied to the benefits. It’s easy to jump into a meeting without having to make an account if you’re a participant. You don’t even need to verify your email address, which means it is open to anyone who may wish to troll your meeting. Until recently, room passwords weren’t mandatory, and it wasn’t even that difficult to guess a random 9-digit number to find an active Zoom meeting.
Moreover, there are other structural issues for Zoom in terms of vulnerability, and they have some skeletons in their closet. Zoom isn’t end-to-end encrypted, and it works around macOS restrictions to allow the app to function, which also leaves macOS users particularly vulnerable to hacks. Zoom is currently in the middle of a class-action lawsuit for selling user information to Facebook.
What are some everyday best practices when using Zoom, to avoid being “Zoom-bombed”?
Step one: Don’t publish your Zoom meeting code publicly, and have a password on your Zoom meeting. Consider using different passwords if you have recurring meetings, just like you’d change your computer password on occasion.
Step two: Make sure you have the most recent version of the app or the browser extension installed, so that you’re sure to have the latest security improvements as they’re rolled out.
Step three: Unless you really trust the people in your meeting, it’s not a good idea to click on links in the chat. Moreover, it’s always a good idea to make sure your other account passwords are more than 12 letters long, so that if there is a malicious link, hackers don’t have immediate access to your information.
Beyond that, there are a host of tools at your disposal. Use the lobby feature to actively allow participants into your room, and set the permissions to prevent other attendees from sharing their screens. Be aware of how you can mute all participants, and don’t be afraid to use it.
If people are going to use Zoom to share sensitive information, how should they do it?
It’s always better to err on the side of caution, so it’s probably best not to use Zoom to discuss sensitive information.
If people need to share sensitive information, what options are there other than using Zoom?
You should seek out tools that are HIPAA-compliant, of which there are many. There is also a HIPAA-compliant edition of Zoom, but given how many known security issues there are, you may be better served with another vendor.
Outside of that, if you need to pass any along, use a service designed for it, like an encrypted email service. Your identity and security are worth taking the extra steps necessary to protect yourself.