During the early stages of the COVID-19 pandemic, IT departments scrambled to deliver tools to end users that would enable them to communicate with others while working from home. This set off an explosion in the use of video conferencing platforms -- in particular, Zoom.
Because time was of the essence -- and because the video conferencing market overall was caught off guard in terms of demand for its communications services -- platform security wasn't as airtight as it might have been. It didn't take long for stories to surface detailing how easy it was for hackers to derail virtual meetings by inserting explicit and distressing images into users' video conferencing feeds. And, although Zoom -- as well as other providers -- took steps to beef up precautions, many still ask this question: How secure is Zoom video conferencing?
Let's explore this topic in a bit more detail.
Zoom-specific security concerns
In early 2020, when Zoom was struggling to keep up with massive customer growth, investigators discovered the encryption implemented within the platform contained flaws that allowed sensitive customer information to leak out. Zoom quickly addressed the issue, but the episode illustrated the fact that all software-based tools have security shortcomings that bad actors seek to identify and exploit.
To ensure that the latest security patches are installed, Zoom recently announced the ability to perform automatic updates to its client software. This is a great step forward in the never-ending battle to protect Zoom customers from data loss, theft and invasions of privacy.
End-user security concerns
Perhaps more important is the need to properly train users on how to safely conduct both one-on-one and group Zoom sessions. Zoombombing became a big concern as troublemakers accessed sessions that were not properly secured, took over the meetings and often shared unsavory content with unwitting participants. While these incidents could have easily been avoided, meeting users often were not aware of how to protect their meetings from these types of attacks.
In many cases, critical Zoom security features are not enabled by default. Thus, for meetings that require the utmost in security, manually enabling certain security functions can significantly reduce risk. Steps that render moot the question of how secure Zoom video conferencing is include the following:
- allowing only registered Zoom users to attend a meeting;
- requiring the host to manually admit attendees into a meeting room;
- requiring that attendees enter a unique password prior to gaining access to the meeting room virtual lobby;
- modifying screen-sharing capabilities so only the host can share content;
- turning off file sharing and chat capabilities, if not needed;
- locking a meeting once all attendees have joined so no others can join; and
- scheduling group meetings using separate and randomly generated meeting IDs, as opposed to a user's personal meeting ID, a static credential that can easily be leaked to the public.
Secure, but always in flux
These days, Zoom meetings are considered relatively safe to use. The company appears to have addressed the major security gaps within the platform and is focused on staying on top of the latest vulnerabilities. Therefore, the biggest risk to an organization -- as is typically the case -- is found in users who don't understand or follow the steps that protect their meetings. To that end, businesses should consider a Zoom training course or create documentation that walks users through the steps needed to protect their meetings and lessen the likelihood of a security event.