Aura Information Security have received a number of questions about Zoom video conferencing software for online meetings. With so many staff now working from home, these sorts of video conferencing tools have become essential to keep operating. But how do you know which one to trust?
As with most publicly available (and free) tools, you need to do your homework before you think about using them. Who owns the tool, have there been security incidents with them in the past, what are they doing with your data, and can they guarantee your privacy?
While a number of governments, including our own, have turned to using Zoom as a tool for meetings (although mainly at a non-restricted level), there are some things you should look at before you start using it too:
- Last year there was an issue with iOS where Zoom could let hackers take over webcams on Mac computers.
- Further trust issues came to light when it emerged Zoom was sending user data to Facebook, prompting a US Government investigation.
- Aura has undertaken some research work on Zoom, and we have discovered a flaw in how open meetings are run in the system. We have notified Zoom about this.
On the positive side, Zoom has acknowledged a number of these issues and is working to correct them. In a recent message to customers, they acknowledged where they have fallen short, and have put some measures in place to address these concerns.
So what should you be using?
For bigger businesses, it’s always best to use company-approved communication platforms – your IT department will be more aware of, and in a better position to respond to, any security risks that present themselves on a familiar platform. For smaller businesses, be sure to check the security record of any software you use, even if it’s a popular service. If possible, change the default settings for all meetings to prevent anonymous and uninvited people from joining. This can be achieved by using meeting passwords, or in some cases a ‘lobby’ function, where only the organiser can admit participants.
Everyone should bear in mind that ‘free’ software still needs to make money, and often that involves marketing you as their product. No matter what service you use, make sure you’re using it as securely as possible. It may be a slight inconvenience, but put a password on every meeting – it’s worth it.
Peter Bailey is the General Manager of Aura Information Security, Kordia's cyber security consultancy.