Fast and Easy Video Conferencing Comes With a Price
Back when I was a kid, my grandfather would never talk about money on the phone. Even face-to-face, if he had to say the word out loud, he would whisper it, as if speaking normally would somehow invite a visit from nefarious forces.
I can’t really blame him. He was a first generation American whose Jewish parents had barely survived the Czars in Russia. (See Fiddler on the Roof for a fictionalized reenactment.)
Of course, this was long before the Internet, let alone videoconferencing. But I guess you could say that telecommunications paranoia is something of a family “Tradition!”
Which is why I’m concerned about the recent ubiquity of Zoom usage among my client companies. It’s a convenient and useful tool, but it comes with its share of weaknesses.
A Deficient Culture of Security
Every software company on Earth has bugs and errors in its code. Even with the best of intentions, mistakes are made.
But Zoom’s weaknesses stem from its security culture. Or, more accurately, the fact that it doesn’t have one.
Unlike Microsoft or GoToMeeting, both of which offer competing video conferencing platforms as well as other security-based products, Zoom is quite cavalier about security.
And that’s a problem, because the kinds of mistakes it makes, and the steps it takes — or doesn’t take — to address them, can leave your organization vulnerable.
Some recent examples…
In July of last year, it was discovered that Zoom had a vulnerability that, among other things, allowed a bad actor to remotely take over a computer’s camera. The cause was not a simple coding mistake; the vulnerability was built in. Downloading Zoom essentially installed a web server on your machine.
Last month, it was revealed that Zoom’s iOS (iPhone) app was inadvertently sharing user data with Facebook without notifying the user. But wait, it gets worse: it was doing this even if the user did not have a Facebook account.
Most recently, Zoom conference participants have been the victims of “Zoombombing,” a practice in which uninvited attendees guess or otherwise uncover Zoom’s simple 10-digit meeting code, thereby gaining immediate access. It’s fun when somebody Zoombombs your virtual happy hour; it’s dangerous when they sneak into your Board of Directors meeting.
Those are just three examples; there are many more. In every case, the problem was the result of a company prioritizing convenience over security.
Recommendations
Does this mean we advise our clients to avoid Zoom? Not necessarily. The service is easy to use and even as its usage has exploded over the past month, it remains a solid option.
But it does mean that you need to take certain steps to enhance your security:
- Always require a password. As of the end of last week, Zoom has changed its default settings to require a password of meeting participants and enabled its “Waiting Room” functionality. However, both can be shut off. Don’t! These additional steps cut down on unwanted visitors.
- Don’t use the same meeting ID over and over. Zoom provides the option to create a customized meeting ID (e.g., zoom.us/meeting/123456789). That’s easy to remember, but the more times you share it, the more people know it. Let Zoom generate a unique ID each time.
- Use a more secure system when necessary. For meetings in which the information is particularly sensitive, use a solution with more security maturity, such as GoToMeeting or MS Teams. These may not match Zoom’s ease of use or reliability, but they are better at protecting your privacy and information.
- Stay vigilant. When email first came into popular use, businesspeople had to be reminded of the fact that anything they sent was potentially in the public domain. Video is no different. Your camera captures your every word and move and creates a permanent record.
Final Thoughts
One of the reasons we are seeing so many Zoom mistakes is that until now, security concerns were not part of the company’s decision making. That’s already changing. Over the next 6–12 months, I think Zoom will continue to improve in this way.
Until then, take a page from Grampy (my grandfather) and start your own tradition of telecommunications wariness!
P.S. Click here for additional security suggestions from Zoom.
Next Steps
To receive great cybersecurity content for business leaders, sign up for our monthly newsletter: https://fractionalciso.com/newsletter/
This article was originally published on the Fractional CISO blog.
Technical Support, Messaging
4 years
Used Zoom for the first time today, as a participant. Some observations:
1) Is it integrated into one's mailbox's Unified Communication (UC) server? Is there a click-to-call plugin integrated into one's Microsoft Outlook / Zoho / Google Mail?
2) Whatever happened to the Waiting-Room "Usher" who would be able to accept the charges if any customer were to call collect through the AT&T, Sprint, Verizon, BT, Virgin, or bSkyb operator? [Besides re-directing the caller based on the con-call topic room he wants to join, announcing the participant's entry into the bridge video conference call, or letting one know when the floor is thrown open to questions (mute removed).]
3) Are pre-recorded sessions available for multicast playback? Is it part of manual screen-sharing? (The live recording functionality already exists in Zoom.)
4) Also, even a simple beep to let both the meeting organizer and participant know that one has just joined (a standard feature of almost all other con-call software) would help "break the ice" during introductions.
5) Is it legacy-compatible for audio con-call meetings, as some participants may be using analog / pulse-rate / rotary phones and not be able to interact with digital IVRS?
Founder and CEO of GSF Accelerator
4 years
Zoom growth is like that of coronavirus. Easy to infect & spread, but very dangerous when it infects you. Singapore Government just banned it for the education sector.
Enterprise VC-engineer-company builder. Early investor in @databricks, @tubi and 6 other unicorns - @cohesity, @eightfold, @turing, @anyscale, @alation, @amperity, | GP@Foundation Capital
4 years
Zoom Video Communications is a great enterprise product. It's now being used in ways that Eric S. Yuan & team never imagined, and they are doing a remarkable job of responding to the demands of disparate users, including many users who don't pay a dime. Folks need to balance their questions with appreciation of what they have accomplished in the last 3 months.
Product Builder | Multiple Startup Acquisitions | Cybersecurity Expert
4 years
I have seen multiple articles on Zoom security and privacy breaches this past week, and I am reminded of something my grandpa used to say: “There is no free lunch.” If you get something for free or at much lower cost, there is probably a good chance they are either cutting corners somewhere or selling your data. We apparently learned nothing from Facebook. Running video conferencing servers the way Zoom does is computationally expensive, and requires rooms full of AWS servers they have to pay for. So they are going to pay for all of that somehow. So don’t be surprised when they sell your data. And more importantly, if you have a security culture, you should be evaluating your third-party vendors’ security posture before you start using them. Maybe ask them “why is this lunch free?” before you start using it. :)
Cybersecurity Operations Manager at Fractional CISO | CISSP
4 years
You called it! Rob Black, predicting the future since 2018