Zoom security: Getting the settings right

Here’s how you can greatly improve your Zoom privacy and security in a few simple steps

Zoom is attracting a lot of attention in the media due to the mass uptake of videoconferencing services during the near global lockdown due to COVID-19. They are adapting to sudden global overnight demand and success, something most companies can only dream of. Companies, like Zoom, offer free products and services to attract new users; making it free removes the barrier of that payment imposes and hopefully locks the user in to a service long term. Then at some stage the user may become a paying customer, either for additional functionality on the service they use or for other products offered by the company.

We all use free services – search and email being great examples; in reality, though, there is no such thing as free. Companies need to monetize usage to enable them to provide the service or product for free; this typically involves some form of advertising or the collection of data through use. A company providing free services typically has a business model and privacy policy that reflects the way they make money. Zoom’s sudden success caught them with their pants down … they had a business model and privacy policy to support a free, slick and frictionless service, and then they suddenly became the default go-to place for millions of organizations requiring videoconferencing in a rush.

I am not defending Zoom; they have had and continue to have numerous privacy- and security-related issues – I am just providing a perspective that they may need time to adapt their business model and privacy policy to reflect their sudden success. This can be witnessed in the recent product updates released to fix issues and the recent changes made to their privacy policy.

Some organizations are now reflecting on their hasty decision to use Zoom and are migrating away to other videoconferencing services that suit their needs more appropriately. According to TechCrunch, New York City banned schools from using Zoom, citing security concerns –  but a city spokesperson also did not rule out returning to Zoom. The reason organizations fled to Zoom as a de-facto standard is due to the simplicity or the user experience and that it offers a free solution. This enabled organizations to adopt the service quickly with no training and removed the need to raise purchase orders.

Not all organizations may be in a position to evaluate other options or commit to paying for a service, especially in the small business sector where companies are struggling just to survive, or education districts that are strapped for cash. If you have made the decision to use Zoom, below are my suggested recommended settings that are best used in tandem with our article from yesterday on how to password-protect your Zoom meetings.

Setting up a Zoom meeting

 

Always use the auto generation: every meeting will then have a different Meeting ID. If one Meeting ID becomes compromised, then it will only apply to a single meeting rather than every meeting you host.

 

This does not mean a password is required by the user to join: see our blog from yesterday. The requirement for a password should remain checked. For it to be effective, however, the embed password option must be disabled; see below.

 

Starting a meeting with video off avoids any embarrassing moments; users will need to explicitly switch on video sharing during the meeting.

 

The host will need to admit each participant to the conference room; full attendee control is in the host’s hands.

In the same spirit of video being switched off, forcing someone to unmute means they don’t join while speaking to someone else and being overheard.

There are additional settings that need to be considered; they are available within the web client rather than the Zoom application. After logging in on the left-hand side, click on the ‘Settings’ option that appears under ‘Personal’. Below are the settings that I recommend changing from their default option.

 

Switching this off removes the one-click option and stops the password being embedded in the meeting link. This means every attendee will need to enter the password to join the meeting. Set this in conjunction with the setting in the meeting creation options as above.

  

 

This stops any participant sharing their screen, the host can pass control of the meeting to another participant by making them the host so they can share their screen. This recommendation may not work in all environments; for example, in education it may not be desirable to pass host control to a student. Consider the consequences of allowing all participants to screen share and whether limiting to ‘host only’ is the best option.

 

Consider switching this off as viewing what’s in the background could be a visual check that ta participant is not inadvertently sharing sensitive content in a public place such as a coffee shop.

 

 

See the description given above in the ‘setting up a meeting’ section.

 

Apple iOS devices screen capture applications to display images in the task switcher; enabling this stops confidential data being captured and displayed in the task switcher.

Final thoughts

The above recommendations do not remove the need for the reader to check Zoom’s privacy policy to ensure it meets their requirements. Nor should they be seen as a recommendation to use the service or its applications. Individuals and organizations should make their own decisions on these matters. The suggested settings above are my own personal recommendations if I used Zoom as a videoconferencing tool. I hope they help.

ESET has been here for you for over 30 years. We want to assure you that we will be here in order to protect your online activities during these uncertain times, too.
Protect yourself from threats to your security online with an extended trial of our award-winning software.
Try our extended 90-day trial for free.

10 Apr 2020 – 01:00PM

Latest Posts