During social distancing caused by COVID-19, many people have turned to Zoom for home, work and education. However, several recent security issues have emerged with this video conferencing platform, so we wanted to share some tips on how to use Zoom in ways that will help mitigate security risks, as well as mention some other video conferencing options.
The first thing you should know is that you have choices in video conferencing. With Office 365’s Microsoft Teams or Google Suite’s Google Meet you have access to many of the video conferencing features Zoom provides.
Zoom has become the leader in the video conferencing space, and, as a startup, has been quick to develop user-friendly features. It has also been nimble in its response to the crisis, and the company has seen daily user numbers grow from 10 million in December to 200 million in March. However, their management has made some decisions that have not turned out to be ideal as they scale, including several that allegedly sacrifice security for convenience. One consequence has been a high rate of hackers disrupting meetings, now known as “zoombombing.”
According to ZDnet, “Hijacked meetings have become one of the most concerning issues for Zoom users and are among the main reasons organizations like the New York City Department of Education have banned its use by teachers for online classrooms.” They are now using Microsoft Teams.
This, in part, is the cause for the recent security concerns and a new class-action suit against the company.
Among the features called into question are the following:
- All you need is a link to join a meeting, not a password, allowing unwanted guests
- Zoom claims end-to-end encryption, but that’s not always true
- Zoom installs on Mac without explicit interaction from the users
- A Windows bug allowed access to credentials (now fixed)
- They had an “attention tracking” feature for hosts, no longer a default
Zoom CEO, Eric Yuan, issued a statement about these issues earlier this month:
“These new, mostly consumer use cases have helped us uncover unforeseen issues with our platform. Dedicated journalists and security researchers have also helped to identify pre-existing ones. We appreciate the scrutiny and questions we have been getting — about how the service works, about our infrastructure and capacity, and about our privacy and security policies. These are the questions that will make Zoom better, both as a company and for all its users.
We take them extremely seriously. We are looking into each and every one of them and addressing them as expeditiously as we can. We are committed to learning from them and doing better in the future.”
Microsoft Teams on the other hand, is like many other Microsoft products. They are slow to develop features that people consider user-friendly. However, there are advantages to this approach because they often include additional security features.
In a recent statement, Jared Spataro, corporate vice president for Microsoft 365, said, “Now more than ever, people need to know that their virtual conversations are private and secure. At Microsoft, privacy and security are never an afterthought.”
Google Meet mitigates the risk of zoomboming by using automation to guess a video-conference meeting ID. Zoom’s meeting ID is a 9-, 10- or 11-digit number, while Google Meet uses a 25-character string for meeting IDs. It also restricts the ability of external participants to join a meeting 15 minutes before the meeting starts and participants cannot join meetings unless they are on the calendar invite or have been invited by in-domain participants, otherwise, they must request to join the meeting.
Teams licensing is included with most mailbox licensing from Office 365 (although an additional license is required if you want to host a meeting with a dial-in number). Teams is integrated with Outlook and the rest of Office 365. Our advice would be to ask a few people in your organization to test Teams’ or Meet’s video features so that you have some understanding of your options.
If you continue to use Zoom, consider the following settings when setting up a new Zoom meeting:
- Require a meeting password. This will prevent anyone with only the meeting ID from joining the meeting without the password.
- Enable waiting room. This allows the host to admit attendees one by one so that the host can control who joins the meeting. They also have the option to admit all attendees at once.
- Only authenticated users can join. This allows the host to restrict who can join the meeting. This requires the participant to sign up for a Zoom account, however, it can be a free account.
- Require registration. Each attendee will need to register with their email, name, and answer any customize questions you choose. This option is useful when you do not know all the participants who will be attending the meeting.
If you have any questions about what’s included in your Microsoft of Google Suite subscription, please contact us. For more information on video conferencing, please see our recent article, “Sinu COVID-19 Update: Tips for Chat and Video-Conferencing Tools.”