Zoom’s Continuous Security Commitment
From organizations including the Taiwan government and Google banning the use of Zoom to the Zoom-bombing phenomenon and recordings exposed online, the teleconferencing company has seen a recent surge in publicly identified security issues.
Amid the COVID-19 crisis, the demand for remote collaboration tools such as Zoom has skyrocketed. Unsurprisingly, this trend has cyber criminals and cybersecurity researchers alike scouring the Zoom app for security vulnerabilities on Windows and Mac, some of which have made headlines, even those that have yet to be publicly exploited.
In spite of this, businesses cannot afford to compromise how they operate and collaborate. Tools such as Zoom play a central role in facilitating seamless remote collaboration in this Work-From-Home era. At Horangi, for instance, we are avid Zoom users and will continue to use Zoom securely and responsibly for the betterment of our organization.
We recognize how promptly Zoom has responded to the influx of security concerns and are confident that the company regards user security as one of its highest priorities, insofar as to commit to security fixes for the next 90 days.
How Horangi Uses Zoom
Horangi practices a video-on philosophy in all our Zoom meetings, regardless of where the employee is connecting from. Having shared usage statistics in the recent remote work arrangements, we have only seen the use of Zoom increase over the weeks.
We at Horangi approach the use of Zoom the same way we approach any cybersecurity problem — holistically. A large number of cyber attacks and data breaches can be attributed to human mistakes that could have been easily avoided with the right behavior and protocols. It is no different with the use of software such as Zoom.
What then are some of these best practices that we as employees can do to protect our organization? We explore these practices below in different risk categories.
Basic Zoom Hygiene
First, we start with the basic settings and standard practices that you should apply to all meetings, regardless of type.
- Always keep your software up to date. Zoom is continuously fixing vulnerabilities for all operating systems. Updating your software is the surest way to be on top of all these fixes.
- Require authentication to Zoom using Single Sign-On (SSO) or Multi-Factor Authentication (MFA), which helps mitigate the risk of a data breach even if credentials are exposed.
- Understand Zoom security settings and features, set up relevant defaults for your organizations, and educate users about additional security options.
- Use real profile photos and names as basic online etiquette. This alone makes it easy to identify that all meeting participants are legitimate.
- Beware of phishing links disguised as Zoom meeting links. Always verify the source and only get links from the proper channels.
- When you record meetings in Zoom and generate a shared link, make sure that you check the setting "Only authenticated users can view: Signed-in users in my account".
To drive higher adoption of these practices, we recommend that your organization prepares an internal guide and shares that with your employees.
Ad-Hoc, Small Group Meetings
These are the most common of meetings, consisting of regular one-to-one catch-ups and small group discussions.
- Always generate a new meeting ID rather than using your personal meeting ID, since previous IDs could have been inadvertently shared in public. Alternatively, regularly update your personal meeting ID and set a password on it.
- Use passwords to secure your meetings. This prevents trolls from using brute-force techniques to randomly join meetings.
- If you integrate with other software like Slack, be sure to pay attention to how meetings are scheduled on third-party apps. At this moment, for instance, Slack does not set a password for Zoom meetings scheduled from the Slack platform.
Public Events
Public events apply to virtual events like webinars, online trainings, online classes or lectures.
- Enable waiting rooms as the host, so you can admit only registered participants.
- Ensure only the host can share screens and media. This is to ensure the meeting is not hijacked by trolls or attackers looking to share obscene or irrelevant content.
- Ensure all participants understand online meeting etiquette and that participants exhibiting unacceptable behaviour will be banned.
Highly Confidential Meetings
This category refers to sensitive meetings such as Quarterly Business Reviews, board meetings and even matters of national security. When discussing critical issues like these, we advise that you use technology with the utmost care. For any software you choose to use for remote collaboration, be sure to conduct a formal vendor assessment.
- Never share your meeting links in public channels.
- Practice maximum security and avoid recording your meetings. But if you have to, ensure that these recordings are marked for internal use only.
Practice Risk-Based Cybersecurity
At Horangi, we steer clear of the notion that cybersecurity is meant to harden or tighten processes. Instead, we consistently preach and practice cybersecurity as an enabler of innovation, as long as every organization has its cyber risks adequately assessed and has a strong plan for how to conduct operations securely and efficiently.
I hope that you take these best practices to heart and apply them according to the risk profile of your meeting. Used properly, teleconferencing tools like Zoom will continue to drive powerful collaboration between teams working remotely.