Best Practices for Securing Your Zoom Meetings

Zoom: Perception vs. Reality

Negative Press:

We have undoubtedly all heard the many reports questioning the security readiness of Zoom as of late. Are there impactful vulnerabilities, and is Zoom safe? We have even seen negative fallout due to some of the reported concerns. For example, the New York City school system has banned the use of Zoom as a direct result of the perceived security flaws within the Zoom platform. The problem is, much of what we are hearing is more about perception than reality, and the challenge is to sift through the facts versus fiction.

Current Situation + Complication:

First, let’s understand the radical increase in Zoom adoption and usage as a direct result of the COVID-19 crisis. Since the outbreak, Zoom has experienced more than a 300% increase in daily use over an exceptionally small period of time. Practically overnight, Zoom went from 10 million users—comprised primarily of enterprise customers using the service for internal meetings—to over 200 million users utilizing the service in a consumer/non-enterprise fashion. Many of the new users have adopted and deployed the free version of the service. With this rapid growth and variable use cases, the primary source of vulnerability is not an inherent security flaw within the platform, but more so a user education issue around the proper and secure ways to leverage the Zoom solution.

Zoom had originally designed its service to be extremely user friendly and simplistic to use. They aimed to provide quick and easy access for participants to join meetings effortlessly. To accomplish this, many of the restrictive, more secure capabilities (that Zoom does in fact have as part of their service) are disabled by default. Again, from their perspective, Zoom’s target customers are enterprises. Generally, at an enterprise level, the customer’s IT team would have the responsibility to enable the features they want or need for their own security compliance.

The explosive growth due to COVID-19 took a targeted solution with a much smaller and focused customer base and expanded it to the masses. Many of these users lack the traditional IT resources responsible for enabling the security features prior to production rollout. Further, the immediate need for a business continuity solution thwarted the usual onboarding and training put in place before a go-live, proof of concept time, testing, and so on. Many companies were not afforded the time for the upfront preparedness and due diligence and instead just handed off the solution to its users for immediate use.

The issues experienced and viewed as security vulnerabilities would have, under normal circumstances, been mitigated before they could become problematic. For example, Zoom hosts can enable password protection and meeting restriction settings, such as disallowing content sharing, can be applied. By simply enabling the available features, many of the so-called security incidents could have been avoided—“Zoom Bombing” being a prime example.

Best Practices – How to Secure your Zoom Meeting

Zoom has helped a multitude of businesses and organizations adopt a collaboration solution that enhances productivity through high-quality, reliable, and easy-to-use communications tools. With the global pandemic causing a large number of business shutdowns, the need for a remote workforce enablement option became critical, and Zoom delivered. The nearly overnight, exponential growth— coupled with the immediate need and limited (if any) time to vet the proper ways to use Zoom securely and effectively—resulted in some issues. However, many of these issues can easily be avoided by adhering to best practices to ensure a secure meeting environment.

These best practices will provide information about how you can secure your Zoom meetings. The information is broken out into two distinct sections:

• Pre-Meeting focuses on all the steps you can take to secure your meeting before they even begin.
  
  
• In-Meeting highlights all the controls that a Zoom Meeting host has and can utilize on-demand or as needed during an ongoing Zoom Meeting.

Pre-Meeting Settings

Pre-Meeting settings can be applied at the platform level from an administrative perspective through the Zoom Admin Portal. When applied this way, these settings are enforced and enabled by default to anyone using the solution. They can also be enabled at the host/scheduler level if not globally set. These settings take a proactive approach to ensuring an effective and secure meeting experience.

In-Meeting Settings

Once your Zoom Meeting has started, as a host you will have access to a number of helpful features that put you in total control of that meeting. These settings allow you to take a reactive approach and address interruptions—be it intentional or unintentional, immediately.

Both forms of settings are inherently available in the Zoom platform and are powerful means to provide security.

Pre-Meeting Settings + Best Practices

• Password protect your meeting: When selected upon meeting creation, this setting will require a meeting password to allow entry into the meeting. This is a very basic and simplistic way to add security and prevent unintended users from joining your meeting. Password complexity can also be increased to make the passwords highly secure. You can add character minimums, alphanumeric requirements, and special character requirements.
  
  
• Meeting ID: Do not use your personal meeting ID for the meeting. Instead, use a per-meeting ID that is exclusive and unique to each meeting. This will ensure your personal meeting ID does not become compromised and will make trying to join other meetings with an older, or static, ID impossible. Personal Meeting I’s (PMIs) do not change unless you change them and are therefore re-used for various meetings. New meetings that do not use your personal meeting ID will randomly generate a one-time meeting ID that is only good for that meeting and cannot be used to access another meeting.
  
  
• Waiting Room: This is one of the best ways to secure your meetings. This setting provides a virtual waiting room for your attendees and allows the host to admit individual participants into their meeting at their discretion. This prevents users from coming directly into a meeting without admittance, giving the host total control of who is able to join. The host will be able to see a list of everyone who has joined the waiting room.
  
  
• Disable Join Before Host: If Waiting Rooms are not used for preferential reasons, you should disable the “join-before-host” setting. This will prevent attendees from joining/entering a meeting prior to the host’s arrival.
  
  
• Only Authenticated Users Can Join: This setting is more restrictive, but also very secure. This setting requires the participants to authenticate prior to joining the meetings. Hosts can choose the preferred authentication methods when scheduling a meeting. You can require attendees to register with their email address and full name, you can restrict the meeting access to only those who are logged into Zoom, and you can even restrict access to users on a specified domain (e.g., only users with an email address from your company). This allows the host to know exactly who will be attending the meeting.
  
  
• Mute Participants Upon Entry: This setting will automatically mute all participants when they join the meeting. The host can then control whether participants can unmute themselves or not. This is an excellent way to avoid unwanted disruptions.
  
  
• File Transfers: File transfer through the in-meeting chat can be disabled.

In-Meeting Settings + Best Practices

• Lock the Meeting: Once all your attendees have arrived, you can easily lock your meeting from the security menu, preventing any additional attendees from joining.
  
  
• Chat: Chat can be disabled, preventing participants from chatting privately or to all.
  
  
• Screen Sharing: Screen sharing can be disabled for all participants, leaving only the host with the capability to do so.
  
  
• Annotation: Like screen sharing, annotation can also be disabled for all participants.
  
  
• Mute/Unmute Participants: A meeting host has the ability to mute participants and then unmute them as needed. The host can also enforce the mute by preventing participants from having the ability to unmute themselves.
  
  
• Stop Participants Video: Similar to muting a participant’s audio, a meeting host can also disable a participant from displaying their video during a meeting.
  
  
• Remove Participants: The meeting host has the ability to remove any participant from their meeting at will. To further secure this feature, the host can choose to not allow participants to rejoin a meeting once they’ve been removed.
  
  
• Meeting/Participant Management Co-Host: All the features we’ve covered so far are only accessible to meeting hosts, ensuring that hosts are the only ones with total control over a meeting. In large meetings, hosting and managing can become a difficult task for a single host. To combat this, a meeting host can promote another user to co-host status, which gives that person many of the same management capabilities to help the host manage and maintain the integrity of the meeting.
  
  
• Participants Rename Capabilities: The meeting host can disable the ability for participants to rename themselves in a meeting.

Follow-up for More Details

If you have specific concerns, ConvergeOne’s subject matter experts can help. We can shed light on the best practices that can help your meetings remain safe and secure. We can aid in dispelling mistruths and negative perceptions by educating you on the solution and providing factual information. We are available and happy to help!