Warning: Zoom is playing catchup on security - here are the steps you can take to reduce risk

With half of the world's population in lockdown and 3.9 billion people staying at home, the acceleration of remote and work-from-home requirements means that companies are relying heavily on video, chat and conferencing tools. However, in a rush to capture the work-from-home crowd, Zoom's enterprise-suited product has been playing catchup on security.

What's the worst that can happen?

I had heard that people were randomly hacking into zoom meetings and disrupting the call but I had assumed it was mostly harmless. I'm writing this post because I don't want another human to have to go through this experience.

At almost 40 years of age, with a life full of travel, entrepreneurship and adventure, very few things rattle me but a recent 'Zoom bombing' encounter rocked me to my core.

Halfway through my panel presentation, someone called 'Lindsay's iPad' joined our meeting. The event was being streamed live on Facebook and its likely they got access that way. The uninvited guest took over the screen and began playing the most horrendous paedophile video content. The host was able to kick them out of the meeting after a few seconds but the imagery was already burned into the retinas of everyone on the call.

The rest of the meetup is a fuzzy haze to me, I logged off and went for a walk to try and clear my head and put it behind me. But it had unlocked a new reality. I had never been exposed to visual evidence of these kind of crimes. It also raised so many questions: Who was this person? What sick pleasure did they derive from such an act and what can we do to stop it?

You don't have to look hard to find the many security issues that Zoom is having. Another example is when thousands of Zoom accounts were put up for sale on the dark web after hackers took advantage of Zoom’s security issues. The need for secure and trusted technology is paramount, but what is the alternative while we wait for these scaling video startups to play catchup?

What steps can I take to protect myself?

I reached out to @Ross Marston, Founder and Chief Security Strategist at Business Intelligence Security and this is his advice for setting up your meetings and Zoom account securely.

• Don't allow public self registration of meetings (if at all avoidable)

It is difficult to police self enrolment. If you do allow it, make sure you record (permanently) registrant email addresses, and send follow up emails to ensure, you’re dealing with a real email address and not a 10 minute email address.

•  Alter the settings in your Zoom Application to reflect the following.

Disable these settings

1. Disable “Embed Password in Meeting Link for One-Click Join”
2. Set “Screen Sharing” to Host Only
3. Disable “Remote Control”
4. Disable “File Transfer”
5. Disable “Allow Participants to Rename Themselves”
6. Disable “Join Before Host”
7. Disable “Allow Removed Participants to Rejoin”

Enable these settings

1. Enable “Mute Participants Upon Entry”
2. Enable “Always Show Meeting Control Toolbar”
3. Enable “Identify Guest Participants in the Meeting/Webinar”
4. Enable “Waiting Room”
5. Enable “Require a Password When Scheduling New Meetings” - For instant, Scheduled and PMI

Finally, make sure that you install all updates as they are constantly releasing new versions with added security – version 5 is out now. Instructions for updating your Zoom can be found here.

If you're looking for security advice on choosing a web conferencing platform this article from the Australian Cyber Security Council is helpful: https://www.cyber.gov.au/publications/web-conferencing-security