Zoom – our new best buddy, or an intruder among the ranks?

THIS ARTICLE IS AN OPINION PIECE ON ZOOM, WITH A SOME HELPFUL TIPS FOR NEW USERS ON HOW TO MITIGATE SECURITY AND DATA PRIVACY CONCERNS WHEN USING THE APPLICATION.

For many businesses, the COVID-19 pandemic has resulted in them suddenly finding themselves having to embrace the online world like never before. Amongst the various digital applications that now have millions of new users trying to navigate their way through these unknown territories for the very first time, there is one that has hit the headlines like no other – Zoom.

As if you didn’t know already – Zoom is a cloud-based, global network application which enables real-time digital communication between multiple end users via chat, voice and video functionality. The current COVID-19 pandemic has seen a massive increase in Zoom usage, with their user base seeing a whopping 20-fold increase from 10 million in December 2019, up to 200 million in March 2020. This increase has also been reflected in their share price, which reached a peak of almost $16o towards the end of March this year, from $68 at the turn of the year. And whilst the share price has started to sharply decline in the last, at the time of writing is still sits at just over $120, almost double its price going into this year.

On the subject of the very recent fall in share price – the massive surge in usage has placed Zoom under the spotlight of news outlets and consumer scrutiny like like never before. This has resulted in several reports questioning Zoom’s ability to cope with the increased volume of users from a technical capacity perspective, and its integrity surrounding data security and privacy for users. Zoom has tried to respond to such concerns, and founder Eric Yuan has been conciliatory in his response, apologising for the company having “fallen short of the community’s – and our own – privacy and security expectations” as Zoom tries to cope with the additional infrastructural demands caused by its ballooning user base. At the same time, Yuan has tried to assure users by also stating that Zoom has resources working “around the clock”  to address concerns, whilst listing a number of immediate and short-terms measures the company are implementing.

What does this all mean for rookie Zoom users, who might not have had any need to be technically savvy before COVID-19, but are now faced with managing the perceived dangers present in the world of online data security and privacy?

Prior to its exponential growth in recent weeks, Zoom was generally considered by most technology experts to be a reliable system, with the potential security issues associated with Zoom no more or less risky than with other similar video conferencing products. Yes, there have been concerns in the past – particularly around Zoom’s definition of end-to-end encryption and how this could be misleading for users (for a more detailed explanation of this issue check out this article from The Intercept) However, It should be stated that online security, privacy and data protection is a risk area for any product or service operating in the digital space. When a product such as Zoom suddenly gains a much bigger public profile, it also becomes a much bigger target for those who would seek to exploit its vulnerabilities, and the chances are that Zoom will experience further challenges of this nature in the future.

Those familiar with the online world will be aware that whilst online security and data breaches can be very effectively controlled or mitigated by partnering with reliable suppliers and using online security best-practices, they cannot be 100% eliminated. For those are new to this space, below are some steps businesses and individuals can take to ensure that the risks associated with using Zoom in the workplace (or as a private client of a business) can be effectively mitigated. Apologies in advance is some of these steps are stating the obvious to some readers, however my recent experience in speaking to companies embracing digital technology for the first time leads me to believe that it is prudent to include them:

• First and foremost – the most up-to-date version of Zoom should be used at all times. This is extremely important as older versions of Zoom (or any application, for that matter) will not incorporate all the updated security features. The Zoom support site (https://support.zoom.us/hc/en-us) provides information on when and how updates can be applied to the application.
• All meeting attendees should ensure that they are accessing the meeting from a private location (e.g. home or private office) where they will not be in contact with anyone for the duration of the meeting. Note that there is a difference between a “quiet” location, which may still be public, and a “private” location.
• Make sure you are using a private, secure internet connection – these differ from location to location, however most national or international internet service providers are acceptable. For users who are using Zoom in a professional capacity from a work environment, they should be using an encrypted, secure network.
• Users should ensure they access meetings via a private device. They should not access meetings via shared devices or devices that can be accessed / are owned by 3^rd parties. If you are using phones / computers / tablets owned by your employer, only use them for Zoom activities that are sanctioned by your employer.
• For professional / service-delivery users who are using Zoom to discuss sensitive or confidential information, there should use a dedicated device(s) for all Zoom communications with client end users. The device should be secured via password protection or other internal security measures. A list of nominated users for the dedicated devices should be documented and stored, and no other users should have access to or use the device(s) other than those on the nominated list, for any purpose.
• For multi-user Zoom accounts, each nominated user should have a single, exclusive access account within the multi-user package, which is the only access they should use. Sharing of single account access between nominated users is not recommended.
• The account name of each single account access within a multi-user account should be recognisably connected to the actual name of each nominated user, and be included in the master list of nominated users.
• Each single account access also has as Personal Meeting ID, or a PMI. It is common practice with Zoom users to share their PMI when circulating a new meeting, however anyone with access to a single user’s PMI will be able to check if there is a meeting occurring at any time. For this reason, it is recommended that new meetings are created each time and that the new meeting details are shared with participants, rather than the PMI.
• When setting up a Zoom meeting, ensure that the meeting ID is only shared with those who are to be invited to the meeting.
• Using the Zoom “Require Meeting Password” functionality when scheduling a meeting is recommended.
• Enabling the “Waiting Room” functionality (in “Advanced Options”) ensures that no-one can enter the meeting before the host. The host is notified when anyone joins the meeting and can admit those waiting by using the “Manage Participant” functionality. The “Manage Participant” functionality can also be used to expel a participant for any reason.
• It is possible to disable screen-sharing in the “Advanced Sharing Options” if required – select the “Only Host” and “One Participant Can Share at a Time” options.
• The “Watermark” functionality can be used if a host or participant does not want the domain portion of their email address to be displayed. This functionality can be access this can be accessed in “Account Settings”, then in the “Meeting” tab and select the “Add Watermark’ option.
• Once all invited attendees have joined the meeting, lock the meeting by going to the “Manage Participants section, clicking on “More” and selecting the “Lock Meeting” option.
• If you are a host and are planning to record the meeting, other end users should be informed in advance and should give their consent to do so, via email or other documented communication. Meeting attendees will be able to see if a host is recording the meeting (via the “Recording” indicator on-screen) and therefore it is essential that written for recording consent is obtained in advance.
• After the meeting, ensure that pictures or links from your meetings are not posted anywhere.

To a greater or lesser degree – there will always be gaps that can be picked in the online security profile of any digital platform, and there will always be those who are only too willing to exploit those gaps.  The key advice here is that while nothing is ever perfect, the majority of potential issues in online data security and privacy can – and should – be mitigated of by sensible, diligent and well-informed user management. Its like the old adage “before you look at others, look in the mirror”.

This article represents my opinion only.

Steven Rice is the CEO and Founder of Big Wheel Marketing.