Do You Love Zoom? Consider Some Precautions

Date: April 3, 2020
Author: Matthew Schiavone, CPA, CISSP, CISA

The COVID-19 crisis is forcing many of us to adopt new technologies to maintain our daily personal and professional lives. While video meeting technology, specifically Zoom, is not new to the marketplace, it’s being more broadly employed. But in an effort to accommodate your needs, are you sacrificing security and privacy? In short, yes. But if this is the technology you’ve come to know and love, there are steps you can take to manage your use more effectively.

1. Patch your software: The Zoom software was found to contain a vulnerability that allows remote attackers to steal Windows login credentials and, possibly, execute commands on users’ systems. For individuals, this can mean a compromised identity, financial data, or other personal effects. In a business environment, this can open the door for attackers to compromise other users or systems in a myriad of ways, such as unauthorized disclosure of customer data and ransomware attacks. Zoom has released an updated version of its software to address this security issue; we recommend you adopt the new version.

2. Add a password: Zoom will automatically require passwords when configuring meetings. However, hosts have the option to disable the requirement. If you are hosting, do NOT disable it. If you are a participant, don’t join a meeting without being prompted to input a password.

3. Be careful where you post the link: Even though you’ve enabled a password for the meeting, the password may be embedded in the invite link. Once a person has the link, they can gain access to your meeting. Be sure to share the link only with participants and do NOT post it on public forums.

4. Lock the meeting: You’ve created a meeting with a password, you’ve kept the link private, and all parties are present and accounted for. Now lock the meeting. Simply refer to the Zoom toolbar, click “Manage Participants,” select “More,” then “Lock Meeting.”

5. Avoid posting pictures: It can be tempting to share screenshots from your Zoom meeting. Perhaps you want to share your office’s virtual happy hour in a display of office camaraderie. Or maybe you’ve put the college gang back together. It’s best to just keep these moments private, as sharing pictures could disclose meeting IDs and information that can be used to hack future meetings. Steps 1 through 4 will help mitigate this risk, but why take the chance?
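The embedded-password risk in step 3 can be checked before a message is posted. The script below is an added example, not part of the original article or of any Zoom tooling; it assumes the passcode travels in the link's `pwd` query parameter on a `zoom.us` host, and the draft text and link values are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Candidate URLs in free text; trailing punctuation is trimmed below.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample draft (meeting ID and passcode are made up).
DRAFT = (
    "Join our happy hour: https://us02web.zoom.us/j/1234567890?pwd=Q09OU1RSVUNURUQ.\n"
    "Agenda: https://example.com/agenda?pwd=keep\n"
)

def is_zoom_host(host):
    """True for zoom.us and its subdomains only (not look-alike hosts)."""
    host = (host or "").lower()
    return host == "zoom.us" or host.endswith(".zoom.us")

def scrub_invites(text):
    """Strip embedded passcodes from Zoom links.

    Returns (clean_text, findings); each finding is (original_url, scrubbed_url).
    """
    findings = []

    def _fix(match):
        raw = match.group(0)
        url = raw.rstrip(".,;:!?)")      # sentence punctuation is not part of the link
        tail = raw[len(url):]
        try:
            parts = urlsplit(url)
        except ValueError:               # malformed URL: leave it untouched
            return raw
        if not is_zoom_host(parts.hostname):
            return raw
        query = parse_qsl(parts.query, keep_blank_values=True)
        kept = [(k, v) for k, v in query if k.lower() != "pwd"]
        if len(kept) == len(query):      # no embedded passcode found
            return raw
        cleaned = urlunsplit(parts._replace(query=urlencode(kept)))
        findings.append((url, cleaned))
        return cleaned + tail

    return URL_RE.sub(_fix, text), findings

if __name__ == "__main__":
    clean, found = scrub_invites(DRAFT)
    print(clean)
    print(f"{len(found)} link(s) carried an embedded passcode")
```

The scrubbed link still reveals the meeting ID, so it should go only to participants, with the password sent separately.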

We continue to learn more about vulnerabilities surrounding Zoom. In fact, despite Zoom’s claims, reports confirmed that Zoom does not use end-to-end encryption to protect calling data. Instead, Zoom uses Transport Layer Security (TLS), the same technology web servers use to secure websites. TLS does provide some level of encryption and will keep people from spying on your Wi-Fi, but it is not end-to-end encryption: it protects data only in transit between your device and the server, so your data is still exposed. In addition, while Zoom claims that it does not access, mine, or sell user data, the company was caught sharing users’ device information with Facebook.

Despite the red flags, Zoom remains a popular video meeting choice. It’s free and easy, but mostly, it’s trendy. Still, you might consider other options like Microsoft’s Teams and Skype, Apple’s FaceTime with Signal for added privacy, and Google’s Hangouts.

Stay safe and secure.

For more information, contact the Risk Management Advisory at HBK CPAs & Consultants or email me at mschiavone@hbkcpa.com.
