Zoom “zooms” up its lax security

COVID has taken the physical world virtual. As stay-at-home orders abounded, and quite frankly, should still be observed, along with wearing masks, social distancing and washing of hands, colleagues, family, friends, clubs and other groups hit the virtual world to do business, stay connected and attempt to have some sort of calmness amid pure chaos. At the same time, threat actors and cybercriminals were at the ready, armed with a playbook of schemes to run interference. 

The platform of choice quickly became Zoom, offering free and cost-effective paid options, positioning Zoom to not only become more of a household and corporate name, but as a huge target for cybercriminals looking to gather information and data to use in phishing, vishing and mishing attempts, ransomware attacks and other virtual crimes. And, at first, due to Zoom’s lax security, intrusive videobombers were successful and a barrage of privacy breach lawsuits followed to which the CEO vowed to fix security issues in 90 days, starting April 1st. 

Well, it’s July 1st, exactly 90 days out, so is it time for Zoom to take a bow or “zoom” away into extinction? 

Based on Zoom’s CEO’s blog, I’d say, Zoom is here to stay. Here’s the progress Zoom has made toward a safer, more secure platform:

1. Enactment of a 90-day freeze on all features not related to privacy, safety or security and released over 100 features, such as meeting defaults including passwords, waiting room and limited screen sharing.

2.  Worked with a group of third-party experts to review and enhance the company’s products, practices and policies. 

3.  Prepared a transparency report detailing information related to requests for data, records or content. 

4.  Developed a Central Bug Repository and related workflow processes. 

5.  Launched a CISO council to facilitate ongoing dialogue about security and privacy best practices.

6.  Engaged in a series of simultaneous white box penetration test to identify and address issues. 

7.  Hosted 13 webinars every Wednesday since April 1st featuring company executives and consultants who took live attendee questions.

Just as the security industry has and is learning how to pivot, companies like Zoom are also having to pivot in order to stay safe and relevant during COVID and beyond. Being a part of the security industry and in my opinion, we understand this pivoting process and how it creates trust, integrity and fosters strong relationships; therefore, maybe we can all give Zoom a second chance.

Here’s some security tips to consider when using Zoom:

1.  Always join Zoom meetings through a web browser, not desktop software since the web browser version gets security enhancements faster. 

2.  When hosting a Zoom meeting, ask participants to sign in with a password, making Zoom-bombing less likely. 

3.  Don’t use social media to share conference links! Trolls find this information there and can easily figure out how to bomb your meeting. 

4.  Enable the waiting room feature so that participants wait until the host approves each one, giving control over who joins the meeting. 

5.  Limit screen-sharing ability only to the participants who need to share their screens. 

6.  STOP. THINK. ACT. THEN SPEAK. Consider what and how you say things during a Zoom meeting and what perception it will convey to others. Remember, people can actually SEE your facial expressions, but not necessarily your body language, which can interfere with how messages are received. Also, close all other windows on your computer screen to prevent others from seeing what else you’re up to, especially if you happen to be looking for another job or buying a surprise gift for someone!