Use Zoom? Here Are 7 Essential Steps You Can Take To Secure It.
Video conferencing app Zoom has become the platform of choice during the COVID-19 crisis. It’s certainly no surprise–with most people working from home, businesses and individuals are seeking a chat service that simply works.
But even Zoom itself is the first to admit that its rapid growth in user numbers has left many people using the platform without the security and privacy they need. For context, Zoom was hosting 10 million daily users as of December last year–according to a recent company blog–and now, that number has surged to 200 million.
Zoom’s gained this level of popularity because it’s highly functional. I’ll be the first to admit I’ve been using it–albeit not by choice–to take part in virtual exercise classes during COVID-19.
But despite Zoom’s recent steps to address its security and privacy, issues still remain. The firm’s privacy policy details extensive data collection, and “Zoom bombing” is possible if your meeting or chat isn’t properly secured. Some security risks are less obvious–for example, under certain circumstances, multiple people in your meeting might be able to read your private messages.
Zoom is already being investigated by the U.S. attorney general, and a lawsuit has been launched against the firm after it emerged data was being sent to Facebook, according to Vice News.
It seems nearly impossible to trust Zoom, but sometimes, you do have to use it for your work meeting, or chat with friends. Just to caveat this, I still wouldn’t recommend the app for highly sensitive chats and will cover some alternatives in an upcoming article.
For now, here are some steps you can take to secure the voice conferencing service as much as possible.
Keep up to date
Like any user-facing service, Zoom suffers from security vulnerabilities, but it has so far proven that it can fix them quickly. Take, for example, the issues that could allow an attacker to take over an Apple Mac’s microphone or camera, and a Windows problem that could let a hacker steal logins. Zoom fixed these problems on April 1.
Therefore, one of the important steps you can take is to make sure you keep any installed version of the Zoom mobile or desktop app up to date, says security researcher Sean Wright.
This ensures those issues are fixed, and your risk of compromise is lower.
Use passwords to protect your meeting–and never share your meeting ID
Zoom bombing, which sees uninvited guests crashing your meeting or chat, relies on meetings not being password protected. People often post the Zoom meeting number online, and without any protection, bombers can simply enter and do their worst.
“Never share the link or meeting ID on public platforms and try not to use the personal meeting ID–instead allow Zoom to generate a random ID for each meeting,” says Jake Moore, cybersecurity specialist at ESET.
Wright advises enabling the options “Require a password when scheduling new meetings” and “Require a password for instant meetings.”
At the same time, he says, disable the option “Embed password in meeting link for one-click join” and enable “Require password for participants joining by phone.”
Meanwhile, Wright says, in the Admin > Advanced section, enable “Hide billing information from administrators” and consider changing the length of the Host Key to 10 numbers to make it harder to guess.
Share the password securely
When using Zoom, securely sharing the password can be a challenge. “In any case don’t put the password on the public internet,” advises John Opdenakker, a cybersecurity industry professional. Doing so renders the whole idea of having a password useless.
He also advises following other basic security best practices, including not publicly sharing data such as IDs or passwords, or pictures of your Zoom meetings.
For businesses, says Mark Ostrowski, cybersecurity expert at Check Point, the best idea is to connect to Zoom via single sign-on if your company provides this type of authentication.
Wright advises Zoom users to enable “Sign in with two-factor authentication” and enable this for “All users in your account.”
Use waiting rooms
Another way to stop Zoom bombers from entering your chat or meeting is the use of waiting rooms. This allows the host to screen everyone entering the meeting to ensure no one uninvited can get in.
“Use the waiting room functionality as a host and double up with a meeting password for designated guests,” says Moore. In addition, he says: “To avoid an even more embarrassing Zoom bombing experience, set the screen sharing to ‘host only’ and disable file transfer.”
Manage participants
It’s also a good idea for hosts to manage the meeting participants. In order to do that, you should ensure you are the only host. You can also control the camera and mute options, Ostrowski advises.
Hosts can ensure participants can’t share their screen without approval, says Opdenakker.
In addition, says Moore: “If anyone invited has been troubling you, make sure you have set it up to disable ‘allow removed participants to rejoin’ the meeting.”
Take control of your privacy
As I have said before, services are free for a reason. If you are using the free version, there is certain data you might have to give up.
“Assume what happens in Zoom does not stay in Zoom,” says Ostrowski. “Control your own privacy as you do with all online tools.”
Beware of phishing
Another security risk for Zoom users is phishing, in which attackers lead people to a malicious site to download malware or enter details.
You should always be careful when clicking on any meeting invite links. “In a hurry it may be tempting to just click on a link in the latest email, but it is always worth the wait to check,” says Moore.
“If users are ever suspicious, they should just copy the ID from the link provided and enter it in the official application to join.”
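The check Moore describes can also be done before anyone clicks, for instance in a mail filter or a help-desk script. The following is an added example, not code from the article or from Zoom: it decides whether an invite link really points at the official domain, pulls out the meeting ID so it can be typed into the app instead, and flags links that carry an embedded password (the one-click option Wright advises disabling). It assumes invite links have the form `https://<host>/j/<meeting ID>` with an optional `pwd` query parameter, that official hosts are `zoom.us` or its subdomains, and that meeting IDs are 9 to 11 digits; all sample links are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

OFFICIAL_DOMAIN = "zoom.us"  # assumption: invites come from zoom.us or a subdomain


def check_invite(link):
    """Return (trusted_host, meeting_id, password_embedded) for an invite link."""
    url = urlparse(link.strip())
    # urlparse().hostname drops any "user@" prefix, so a link such as
    # https://zoom.us@evil.example/... is judged by its real host.
    host = (url.hostname or "").lower()
    trusted = url.scheme == "https" and (
        host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)
    )
    # Assumed path form: /j/<9 to 11 digit meeting ID>
    match = re.fullmatch(r"/j/(\d{9,11})/?", url.path)
    meeting_id = match.group(1) if match else None
    # A "pwd" parameter means the password travels with the link.
    password_embedded = "pwd" in parse_qs(url.query)
    return trusted, meeting_id, password_embedded


def advise(link):
    """Turn the check into a one-line recommendation for the recipient."""
    trusted, meeting_id, password_embedded = check_invite(link)
    if not trusted:
        if meeting_id:
            return f"Do not click. Enter ID {meeting_id} in the official app."
        return "Do not click. Ask the host for the meeting ID."
    if password_embedded:
        return "Official host, but the password is embedded: do not forward."
    return "Official host."


# Constructed sample links (not real meetings).
SAMPLES = [
    "https://zoom.us/j/123456789",
    "https://example-co.zoom.us/j/12345678901?pwd=CONSTRUCTEDVALUE",
    "https://zoom.us.join-meeting.example/j/123456789",
    "https://zoom.us@join-meeting.example/j/123456789",
    "http://zoom.us/j/123456789",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample}\n    {advise(sample)}")
```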