Should your company ban Zoom?
Wed 29 Apr 2020 | Lisa Forte
As several businesses ditch the popular conferencing tool, Lisa Forte, partner at Red Goat Cyber Security, calls for calm
Zoom, the free-to-use video conferencing app, has exploded in the last month. It quickly became a household name and more than doubled its share price. However, Zoom has recently come under fire from the security community, with accusations and concerns raised about its privacy and security features. Zoom is not alone here, though. In fact, many webinar and conferencing applications have attracted widespread criticism. Zoom simply proved to be one of the most popular platforms and was therefore the one placed under the security microscope.
In the last few weeks, Zoom has proven to be both popular and divisive, enjoying unprecedented growth in users but also drawing heavy criticism from researchers and from the UK MOD, which deemed it unsuitable for sensitive business. What is the reality?
What are the concerns?
One of the first concerns raised about Zoom was that calls were not end-to-end encrypted, despite marketing that said they were: traffic was encrypted in transit, but Zoom's own servers could decrypt it. This was followed by the discovery of several major vulnerabilities that could allow attackers to take over your camera or microphone.
There were also privacy concerns around the app's "attention tracking" feature, which allowed the host to see whether someone on the call had clicked away from the Zoom window. Until recently, Zoom's privacy policy also effectively allowed the company to do whatever it wanted with your data. The policy has since been revised, but some data sharing by the company still appears to remain.
By far the issue that got the most airtime was the practice now known as "Zoombombing". The term describes uninvited guests entering a meeting, where they can see and hear everything going on and, frequently, disrupt it. People reported all sorts of unpleasant experiences, and some of the perpetrators were organising "raids" online.
Should Zoom be avoided?
It is hard for me to sit here and argue that Zoom's security was top notch. It was not. That said, I don't believe anything is 100 percent secure, so we have to eradicate that concept from our minds.
Zoom was a victim of its own success in many ways. A large number of new Zoom users were totally unaware of the security features they could enable, and many of the Zoombombing attacks could have been prevented simply by knowing those features existed.
Users have made errors that facilitated the security issues that gained so much attention, and some of these errors have been a lot more public than others. For instance, UK Prime Minister Boris Johnson tweeted an image of a cabinet meeting being held on Zoom with the meeting ID in plain sight. True, the meeting had finished by the time he tweeted, but a meeting ID is all an uninvited guest needs to attempt to join a meeting that has no passcode or waiting room, and the point stands: publicly sharing images of meetings is very much a human issue.
During the pandemic, a few other security professionals and I set up the Cyber Volunteers 19 initiative, which provides free advice and assistance to healthcare providers around Europe. During our work, we discovered that many healthcare providers were holding patient consultations over Zoom. They were also sharing test results and other crucial pieces of information. Some of the information disclosed in these consultations is highly sensitive, so we recommended avoiding applications such as Zoom for those conversations.
Like any application we use, Zoom comes with concerns. If you are sharing highly sensitive information, then I agree with the UK MOD: Zoom is not appropriate for those discussions. But then neither is WhatsApp, GoToMeeting or any of these applications. At the other end of the scale, using Zoom to call your mother or sister and discuss what you had for dinner is totally fine.
What can we do to mitigate the risks?
Zoom has been very proactive in addressing the security issues. It has made password-protected meetings and waiting rooms the default, to help hosts control who enters a meeting. Make sure that your users, and your friends and family, know how to use these features. Zoom 5.0 also brings an encryption upgrade (AES-256-GCM, replacing the AES-128 ECB scheme researchers had criticised), and Zoom has stopped routing traffic for users outside China through Chinese servers. All of these are positive steps.
Make sure your users know not to take screenshots of a meeting with the meeting ID showing, especially while the meeting is still in progress. There is also an argument that the consent of everyone in the meeting should be sought before any image of it is captured at all. You can configure the settings so that participants' video is off by default at the start of a meeting, and the same applies to muting participants on entry.
Make sure you control screen sharing so that only the host, or explicitly approved people, can share their screens. Just because you all work at the same company doesn't mean everyone on the call should see everything the others are working on.
If we share Zoom links by email, we should also make sure that staff treat every link they receive with caution. SANS has highlighted the risk of attackers sending phishing emails containing links that look like Zoom meeting invitations, and we are at heightened risk of falling for this at the moment.
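The three paragraphs above describe a per-meeting hardening baseline (passcode, waiting room, mute and video off on entry, host-only screen sharing) and the look-alike-link problem. The following is an added example, not code from the article, from Zoom or from SANS: it audits a meeting's settings against that baseline, applies the baseline, and triages the links in an e-mail body. The settings field names mirror the shape of Zoom's per-meeting settings object as the author of this example understands it and are an assumption; map them to whatever your API actually returns. The link check assumes genuine join links are served over https from zoom.us or a subdomain of it, on the path /j/<meeting id> with a 9 to 11 digit ID; a tenant with a vanity domain would add it to TRUSTED_DOMAINS. The sample meeting and e-mail are constructed for the example.

```python
# Added example: meeting-settings audit and Zoom-link triage. Not from the
# article, Zoom or SANS. Field names and link format are assumptions.
import re
import secrets
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


def audit_meeting_settings(meeting: Dict) -> List[str]:
    """Return findings against the hardening baseline (empty list = compliant)."""
    s = meeting.get("settings", {})
    findings = []
    # Who can get in: a passcode and a waiting room are the two controls that
    # stop an uninvited guest who has only the meeting ID.
    if not meeting.get("password"):
        findings.append("no passcode: anyone with the meeting ID can join")
    if not s.get("waiting_room", False):
        findings.append("waiting room off: attendees are not screened by the host")
    if s.get("join_before_host", False):
        findings.append("join_before_host on: guests can use the room with nobody to remove them")
    # What happens once they are in: muted, camera off, host-only screen share.
    if not s.get("mute_upon_entry", False):
        findings.append("mute_upon_entry off: a disruptive joiner is audible at once")
    if s.get("participant_video", True):
        findings.append("participant_video on: cameras are live from the first second")
    if s.get("screen_share", "all") != "host":
        findings.append("screen_share not host-only: any attendee can push content")
    return findings


def harden(meeting: Dict) -> Dict:
    """Return a copy of the meeting with the baseline applied and a random
    8-character passcode set if none was present (deliver it out of band)."""
    hardened = dict(meeting)
    s = dict(meeting.get("settings", {}))
    s.update({"waiting_room": True, "join_before_host": False,
              "mute_upon_entry": True, "participant_video": False,
              "screen_share": "host"})
    hardened["settings"] = s
    if not hardened.get("password"):
        hardened["password"] = secrets.token_urlsafe(6)  # 48 bits, URL-safe
    return hardened


TRUSTED_DOMAINS = ("zoom.us",)             # assumption; add vanity domains here
JOIN_PATH = re.compile(r"^/j/\d{9,11}$")   # assumption: /j/<9-11 digit id>
URL_IN_TEXT = re.compile(r"https?://[^\s<>\"']+")


def classify_zoom_link(url: str) -> Tuple[bool, str]:
    """Return (looks_genuine, reason) for one URL found in a message."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False, "scheme is %r, not https" % parts.scheme
    # https://zoom.us@evil.example/j/... puts the real host after the '@'
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@': real host is %r" % parts.hostname
    host = (parts.hostname or "").lower()
    if not host:
        return False, "no host"
    # Homoglyph look-alikes arrive as raw non-ASCII or as IDNA (xn--) labels
    if not host.isascii() or any(lb.startswith("xn--") for lb in host.split(".")):
        return False, "internationalised host %r (possible look-alike)" % host
    # zoom.us.evil.example and evilzoom.us both fail this suffix test
    if not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return False, "host %r is not zoom.us or a subdomain of it" % host
    if not JOIN_PATH.match(parts.path):
        return False, "path %r is not a /j/<meeting id> join path" % parts.path
    return True, "well-formed Zoom join link on %s" % host


def triage_email(body: str) -> List[Tuple[str, bool, str]]:
    """Extract every URL in a message body and classify it."""
    return [(u,) + classify_zoom_link(u) for u in URL_IN_TEXT.findall(body)]


# Constructed sample: a meeting created with the old, open defaults.
WEAK_MEETING = {
    "topic": "Weekly all-hands", "id": 12345678901, "password": "",
    "settings": {"waiting_room": False, "join_before_host": True,
                 "mute_upon_entry": False, "participant_video": True,
                 "screen_share": "all"},
}

# Constructed sample: one genuine link and two look-alikes.
SAMPLE_EMAIL = """\
Hi all, the Q2 review has moved. Join here:
https://us02web.zoom.us/j/12345678901?pwd=dGVzdA
If that fails use https://zoom.us.meetings-login.example/j/12345678901
or https://zoom.us@meetings-login.example/j/12345678901
"""

if __name__ == "__main__":
    for f in audit_meeting_settings(WEAK_MEETING):
        print("FINDING:", f)
    print("after hardening:", audit_meeting_settings(harden(WEAK_MEETING)))
    for url, ok, why in triage_email(SAMPLE_EMAIL):
        print("OK  " if ok else "BAD ", url, "-", why)
```

One caveat the link checker makes visible: a genuine link that carries the passcode in its query string (the `pwd=` parameter) is itself the credential, so a screenshot or forwarded e-mail containing such a link is as good as the passcode. Passing the check only means the link is well formed and points at a trusted host; it does not prove the sender is who they claim to be, so staff should still confirm unexpected invitations with the organiser.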
I don't think we should stop using Zoom. It provides an easy and usable way of staying in touch, which is valuable not just from a productivity standpoint but also as a crucial element in safeguarding the mental health of our employees. The vast majority of the content we discuss and share on Zoom can be protected by fully understanding and using the security features. The more sensitive discussions should not be held over Zoom, or really over any webinar platform for that matter. The speed at which the world has been locked down has created lots of issues, and for the most part Zoom has helped us stay connected.