Using Zoom safely
Peter Elliot
SME Cyber Security Advice | Cyber Essentials certification | Cyber Awareness Training | Webinars
Zoom is a great tool for keeping in touch during lockdowns. There has been a lot of talk about its safety and privacy, which is understandable considering its user base has gone from 10 to 200 million in a short space of time! By the way, it is a perfect scalability example, but that's another story; I want to talk about my favourite subject - safety! Despite the best efforts of hackers and cyber miscreants, Zoom is perfectly safe for business and personal use - as long as you follow a few sensible rules.
There were privacy concerns around sign-up details being shared with Facebook - not intentionally, according to Zoom. This oversight has now been fixed. The other privacy concern involves Zoom-bombing - where uninvited attendees at meetings sought to create some havoc, whether on screen or through the chat feature. It's worth mentioning that it has not been suggested Zoom use can open you up to malware or computer viruses - any more than using any other licensed application. Zoom's free license allows unlimited-length one-to-one meetings, but there is a 40-minute time limit for 3 or more participants. My tips for using Zoom safely fall into two categories: the first applies to the safe use of any computer application; the second covers Zoom-specific settings, many of which are the default.
General cyber safety tips
- When you sign up to Zoom, choose a complex password that is not the same as any of your other passwords; in other words, don't re-use a password. A complex password contains upper and lower case letters, numbers and symbols and should be at least 8 characters long (if you use a password manager, have it assign the password for you). This prevents anyone from hijacking your account by guessing the password or trying one of your old ones that may have been stolen (and probably published) a while back.
- Don't share your login details with anyone else, even if you trust them, because you will then have lost control of your account. If others ask to use your account then either set up the meeting for them, or ask them to set up their own account.
- Apply any updates as soon as they are notified to you. All known security exposures have now been fixed and the updates will ensure you remain protected. Hackers look to exploit known exposures by assuming users are slow to apply updates.
- Don't publish links to Zoom meetings without applying some controls over who can join the meeting. Think about what would happen if you posted a party invitation publicly on Facebook - you would need to be prepared for unwanted attendees and would probably put security on the door. Online meetings are no different: either restrict invitations to those you know or put security in place to keep unsavoury characters at bay.
Zoom specific security
Zoom settings are easy to use. I am not going to tell you how to set each one; Zoom help is there for that. Before you schedule your meeting, go to Personal - Settings on the left-hand side of your screen, where you will find all the controls I refer to below. Choose the ones most appropriate for your meeting. If you don't, Zoom has set defaults which make your meetings only somewhat secure.
- Zoom now requires a password to access any meeting. However, as the password is embedded in the link, anyone with the link can access your meeting, so bear in mind it could have been forwarded. Note: There are controls available on the paid version to limit access to those to whom you sent the link in the first place.
- The Waiting Room. When attendees log in using your link they go into the 'waiting room' where they cannot interact with anyone else. As the host you allow people from the waiting room into the meeting under your control. You will be notified when anyone is waiting. Of course, don't let in anyone you don't recognise. I use this even for family meetings.
- For larger and more open meetings you can retain control over attendees' access to video, audio (mute upon entry), screen-sharing and chat to everyone, meaning you can allow access to these modes only when you are satisfied the attendee is authentic. Settings allow you to prevent these from being used by any attendee until you, the host, allow it. The most upsetting Zoom-bombing has resulted from screen-shares of pornography from unwanted attendees, and sending of obscene chats to all others at the meeting.
All of these controls are available both as settings in advance and during the meeting. You can see that as a host there is a lot to think about, especially if you are hosting a large meeting. For meetings with more than 10 attendees consider assigning another person as host who can focus on privacy and security and ensure authentic attendees can participate, leaving you to run the meeting agenda.
Stay safe and in touch!
Peter Elliot is a Cyber Security and Data Protection partner at Empiric Partners.
4 years ago: Great post Peter.
4 years ago: Thx for this guidance Peter!