You’ve plugged in your headset, chosen your virtual background, and made sure that everyone else at home knows you’re about to join a very important meeting and mustn’t be disturbed – yes, even if the cat looks like she needs a hug. This ritual, or one very similar, is something that most of us have become extremely familiar with during the past year, as the need to work from home has increased our reliance on video conferencing tools to meet with our teams.
Tools such as Microsoft Teams, Cisco Webex, Google Meet and Slack hugely increased in popularity in 2020 as professionals around the world needed to find new ways of working. But one platform managed to break the App Store’s download record in Q2 of last year, according to a report from mobile analytics company Sensor Tower. With almost 94 million iOS downloads between April and June, most of which came from India- and US-based users, Zoom pushed previous record-holder TikTok aside to claim its place as the most popular app in circulation.
Zoom’s popularity stems largely from its ease of use; unlike many other video conferencing tools, users don’t need to install any software or even create an account to join a meeting – you simply follow the Meeting ID link that the host has given you, copy in the Meeting Password, and away you go! On top of that, the tool’s Gallery view, which allows you to see up to 25 participants at once depending on your device’s screen width, in-built Record Meeting feature and capability to host up to 1,000 participants have gained Zoom favor amongst not only the consumer market, but businesses alike.
As with any solution, it’s crucial that we can trust our video conferencing tools to keep our data secure, and Zoom is no exception to this. So how secure is Zoom for the 300 million meeting participants around the world that rely on the app every day?
How Secure Is Zoom?
Zoom comes with a variety of security features designed to protect its users’ data and ensure its integrity remains intact. Most of these features were added in the last year as the tool came under heavy scrutiny and faced increased criticism that called into question Zoom’s security infrastructure.
One of the biggest security challenges faced by organizations using Zoom was the “Zoom bombing” attack trend that caused major disruptions to the platform and its users in the first half of 2020. Zoom bombing is a term coined by TechCrunch journalist Josh Constine to describe how internet trolls disrupt Zoom meetings with inappropriate or offensive content.
Zoom bombing was a particularly concerning issue for schools around the world using the platform to teach online classes throughout periods of national lockdown. Sometimes, the targets were random, with Zoom bombers coordinating their “raids” in Discord and Reddit forums, based on meeting information they’d found online. In other cases, students would actively ask for Zoom bombers to raid their online classes and spice up the lesson. Some bombers would disrupt meetings by sharing memes; others would make discriminatory comments or share inappropriate or pornographic content.
The seriousness of the issue caused a lot of educational institutions and governing bodies, such as New York City’s Department of Education, to ban the use of Zoom amongst schools and instead move to other video conferencing platforms that were considered more secure, like Microsoft Teams. Zoom’s new security features go a long way to better securing both their users’ meetings, and the platform’s own reputation. But for some, the updates simply came too late.
Zoom’s 2020 Security Updates
The first update that Zoom made was in adding their “Security” feature set. Displayed in the place of Zoom’s old “Invite” icon, the Security icon allows meeting hosts to access all of Zoom’s security features from one place, making it much easier to keep tighter control of meetings as they’re running. These features give hosts extra control over certain meeting permissions. Hosts can now restrict participants’ ability to rename themselves or share their screens, as well as pause a meeting and remove participants who shouldn’t be on the call using the Suspend Participant Activities feature. This is particularly useful in combatting Zoom bombing attempts. When a host suspends their meeting, all other meeting activities such as screen sharing and recording also end.
In larger meetings, it could be difficult for a host to keep track of everyone present and find the source of a disruption whilst continuing to host the meeting. In this case, the Report By Participants feature can come in handy, as it enables meeting participants to report other users.
As well as using the reporting and blocking features to remove Zoom bombers, admins can try to prevent them from entering the call in the first place. There are a number of ways in which to do this. Firstly, the At-Risk Meeting Notifier feature scans posts on social media sites for Zoom meeting links, and contacts the account owner if their meeting link has been posted publicly online.
Secondly, the Waiting Room requires the host to manually allow participants to enter a meeting. Although this feature existed previously, it’s now set as a default. Similarly, Meeting Passwords are now also turned on by default, requiring all participants to have a second key with which to enter a meeting. This means that, even if the Meeting ID is posted online, Zoom bombers won’t be able to gain access to the call.
Finally, Zoom no longer displays the Meeting ID on the meeting’s title toolbar. This change was made to address the trend of posting screenshots on social media of meetings. Though most of these would come from people enjoying a virtual pub quiz with their friends, rather than sharing their workplace conferences, if the host had used their Personal Room ID to set up a non-work meeting, anyone who saw that screenshot online would potentially have been able to access that host’s future meetings – particularly if they hadn’t set a Meeting Password.
One particularly blood-thirsty criticism of Zoom was that the platform advertised itself as using end-to-end (E2E) encryption for all of its calls. However, in the fine print, Zoom’s definition of E2E encryption wasn’t the same as the standard that most of us are familiar with. Usually, E2E encryption means that nobody, including the solution vendor itself, can intercept and access users’ communications and data as it moves between the sender and receiver. Zoom’s definition, however, refers to encryption between Zoom clients (apps) and Zoom servers, where the encryption keys are generated. This allows Zoom to access data in transit along the connection between client and server should they decide to or be compelled to by authorities.
However, in October, Zoom rolled out one of their most highly-awaited updates yet and introduced Zoom E2EE. Without Zoom E2EE, Zoom’s cloud generates the encryption keys and distributes them to each participant through their Zoom app as they join the meeting. With E2EE enabled by the host, the meeting host generates the keys and distributes them using public key cryptography. This means that Zoom’s servers never have visibility into the keys needed to decrypt meeting contents.
Zoom E2EE is available for both Zoom users with a paid subscription and a free subscription to the service. Hosts have to enable it themselves on a per-meeting basis, and should be aware that, with end-to-end encryption activated, the meeting won’t be able to support cloud recording, streaming, live transcription, Breakout Rooms, private chat, polling, meeting reactions and the ability for participants to join before the host.
Zoom also plan to roll out improved identity management and E2EE single sign-on integration later this year.
However, despite each of these features, Zoom has still fallen target to a number of high-profile cyberattacks in the last year, with users’ credentials and meeting secrets being exposed and sold online. So what can you do to protect your company from being compromised via such an attack?
Best Practices When Using Zoom For Your Business
Before we delve into the technical side of security, there are some straightforward best practices that you should always adhere to when using Zoom. The best part about these is that none of them will break the bank!
1. Register With Your Work Email
Let’s start at the very beginning (… it’s a very good place to start). It’s always a good idea to keep your personal and work accounts separate, and that includes your video conferencing apps. Don’t use your personal account to set up client calls, and don’t use your work account to host virtual pub quizzes.
2. Join From Your Web Browser
Try to join Zoom meetings through your web browser, rather than via the desktop or mobile app. The web version usually receives security updates more quickly than the app, and it operates within a sandbox in your browser. This limits the amount of damage that the tool can cause to your network should someone breach one of your meetings.
When you click the link to join a Zoom meeting, a new tab opens that prompts you to open the meeting in your app. Instead of clicking on this prompt, scroll to the fine print underneath, where there’s a link to join from your browser, instead.
3. Don’t Share Your Meeting Link Publicly
When you register for a Zoom account, you’re given a Personal Meeting ID. This ID will be attached to every meeting that you host, so it’s important that you only share it with people who you want to be able to contact you directly through Zoom.
Zoom offers an option to create a public meeting with this ID. If you do that, anyone who sees the link online can join any meeting you host, so it’s best to avoid it. If that isn’t possible, limit where you share the link – i.e. avoid social media. Zoom bombers often scan social media platforms to find their targets. If you do need to host a public event and share the link to it on social media, use an event-specific ID rather than your Personal ID.
4. Enable The Waiting Room
The Waiting Room feature is enabled by default now, but it’s important that you keep it that way, as it gives you more control over who attends your meeting. The Waiting Room makes participants wait in a space separate from the event until the host grants them access.
The Waiting Room means that, even if someone got hold of your Meeting ID and Password, they couldn’t get into the meeting itself without your approval.
5. Enable Encryption
We’ve been through this one already, but just to remind you: With Zoom E2EE enabled, the only people who can decrypt the meeting data are the meeting participants. Without it enabled, anyone with access to the Zoom server could potentially decrypt your meeting data.
You can enable Zoom E2EE from the settings tab when you sign into your account. Note that you’ll need to verify this decision by entering a one-time passcode sent to your mobile. You also need to remember to do this for every meeting.
6. Enable Zoom 2FA (Two-Factor Authentication)
Zoom 2FA allows users to use authenticator apps such as Google Authenticator, Microsoft Authenticator and Authy to add a layer of identity verification to their logins. Alternatively, users can arrange for Zoom to send them an OTP via SMS or a phone call.
To enable 2FA, sign into Zoom and navigate to Security within the Advanced tab. From here you can enable 2FA for all of the users in your account, users with specific roles, and users belonging to specific groups.
Zoom Security Solutions
As well as following the best practices I’ve outlined above, there are two key security solutions that you can use to increase the security of your Zoom meetings. Here are our recommendations on the best security solutions to protect your company’s data when using Zoom:
Unified endpoint management solutions enable businesses to monitor and manage all of the devices connected to their network, including PCs and mobiles, as well as the applications that users have installed on those devices. The best UEM solutions provide admins with detailed analytics on how employees are using their devices, including what apps they’re using and why, to help the organization configure usage policies and identify any abnormal behavior on the network, such as unusual login attempts.
When it comes to securing your video conferencing tool, you need a UEM solution that includes an application isolation feature or “digital workplace”. Particularly useful for BYOD device fleets, this feature allows users to isolate their personal applications from those that they use for work, and use both groups of applications securely from the same device.
Zoom includes 2FA, but you can increase the security of this identity verification method by adding a further layer of authentication. Investing in a third-party solution not only does this, but it also prevents a bad actor from disabling 2FA for easier access a second time, should they compromise a user’s account. Multi-factor authentication is a security method that asks users to verify their identity via two or more factors before giving them access to an account. There are three main types of authentication factor: something the user knows, like a password; something the user has, like an authenticator app; or something the user is, which relies on the user’s biometric data, such as a fingerprint.
With MFA in place, bad actors can’t gain access to a user’s Zoom account, even if they manage to steal that user’s password.
Digital conferencing has become the “new norm”, and it seems unlikely that that’s going to change anytime soon, so it’s important that your company embraces this virtual environment and uses it as safely as possible. That means making sure that all of your employees are following the best practices we’ve discussed in this article and, if you want to take it a step further, investing in a third-party security solution.
If you’d like to find out more about the security options available to you, check out our below guides, which recommend the best solutions currently on the market: