We’re not so sure.
It’s hardly been a month since Zoom seemingly dropped out of the sky. In just 90 days, their daily active users jumped from 10 million to over 200 million, but security experts are skeptical about Zoom and there’s a fair reason why. We felt it was important to share why we don’t think Zoom is safe in a business setting.
It looks like Zoom is listening to some of the common concerns around the platform. During the week of 4/27, they’re rolling out Zoom 5.0, which includes some fresh security features, including locking meetings, kicking participants out of a call, and screensharing restriction settings.
They’re also now enabling passwords by default for most customers, and companies can define the password complexity required for users on their team. The “waiting room” feature is also now on by default, so that hosts can hold Zoom callers in a virtual queue before allowing them into a meeting. There are still certain security standards that we aren’t satisfied with, but they’ve promised additional improvements to come in the future. You can get an overview of the new features here.
It’s worth calling out why Zoom became so popular in the first place: it’s very easy to use. However, we think it’s extremely important that you consider security first. If you’re not sure it’s the right fit, then consult your IT team and get their perspective on it. It’s good to see Zoom filling gaps in their security, but remember the popular tool isn’t always the best one for your team.
Our concerns with Zoom as a service
In just the last year, Zoom was accused of leaking thousands of email addresses and secretly installing software on customer devices, and they’re currently under investigation for illegally sharing personal data with Facebook. Not to mention, over half a million stolen Zoom passwords were recently found up for sale on the dark web, with attackers selling them at less than 1 cent per account.
Zoom was also shown to have lied about end-to-end encryption on their service, when in fact they use a different type of encryption which allows them to view the content of your calls.
Some of us were also unhappy with the features “baked in” with the service, such as attention tracking, which allows the meeting host to see when participants click away from their Zoom window, though that feature was recently removed.
We strongly advise against using Zoom in business
…But if you have to use it, it’s time to change your password.
After the recent attacks, it’s extremely critical that your Zoom password isn’t being reused on any of your other accounts. Attackers have found a cheap, efficient way to find your information, and it will be easy for them to take your password and test it in other common places, like email or banking websites.
For personal use, Zoom seems to pose less of a threat (but still might be mishandling your data). It seems that the “safest” way to use Zoom as a social app is to join meetings anonymously, rather than creating an account.
If you struggle to set strong passwords, this blog post has some good tips for you. And if you or your colleagues aren’t great at keeping track of passwords, we recommend working with a password management tool like LastPass. We use LastPass on our internal team, and it features things like:
- Secure password generation
- 2-factor authentication
- Local encryption (read: “even the LastPass service can’t see your precious login details”)
LastPass is free for personal use, and we can vouch for how well it has worked for our team.
Instead of Zoom, you should be using…
There are many reliable, more secure alternatives to Zoom, and it’s likely that you already have access to them. Google Hangouts, Microsoft Teams, Skype, and GoToMeeting are all secure, popular platforms that offer features almost identical to Zoom, including:
- Screen Sharing
- Calendar Integration
- In-conference chat
If you need help finding the right tool for your team, drop us a line. We’d be more than happy to help advise on the best one to fit your needs.