Advice to CISOs: Let’s Quit Beating Up on Zoom

I use Zoom video conferencing and will continue to use it despite the negative press reporting.

Here's the situation. Zoom was a niche application a few short months ago, and it was never designed for today’s 200 million concurrent users. There were some amateurish flaws in the code, but there wasn't enough scrutiny to make a difference. Then we saw a huge spike in popularity, and suddenly everyone with an axe to grind targeted a tool that's essentially keeping people sane, supporting education, and enabling small-business owners to stay afloat. I use a Zoom business account for my internal and client meetings, and free Zoom to keep in touch with my family in the U.S. During our extended coronavirus isolation, my wife is doing way too many Zoom-driven yoga and Pilates courses in our living room.

What happens when a startup hits more than US$30 billion in market cap almost overnight? Class-action lawsuits. We've seen this time and time again from professional litigants who are looking for an easy payout. It happened to Twitter, Facebook, and Google. Alcoholics Anonymous may be outraged, but the current situation means that the group continues to use Zoom every hour of every day. Sensitive support groups have said that Zoom violated their privacy. It's clear that they should not have been using Zoom for highly confidential meetings, and they should have taken the time to read the terms and conditions for use of the free version of the tool.

Think of this: A relative gives you a free car so you can get to work and see friends. The car needs work (brakes, cooling system, steering), but the car is good enough to get you from point A to point B. You'll most likely use it. There's no need to sue your relative when you take it to the racetrack and try to do something the car should not do.

Zoom has done a lot in the last few days. It has fixed several of the coding flaws and limited some of the features that may be dangerous to privacy. Zoom has corrected a misleading claim regarding encryption, as it likely did not have anyone on staff that truly understood what "end to end" really means. It has also formed a council of chief information security officers and will be adopting secure coding standards. Zoom has been getting high marks in my circle of security colleagues for transparency. 

There are alternatives to Zoom. You can use Skype, Skype for Business, Microsoft Teams, Webex, or similar tools. Each has its strengths and limitations, and may result in having to pay for a subscription. In my opinion, none are as user friendly as Zoom.

So if you want to use Zoom and have concerns, set a password on your meetings (though not very user friendly), set up a waiting room and co-host to screen everyone coming into the session, set the “allow removed participant to rejoin” setting to off, and set screen sharing to only one or two users. Other advanced settings include not allowing participants to join with video (against Zoombombing) or playing a sound when someone joins to help you notice unwanted visitors. Do not record the session unless it's critical, and make sure everyone on the call verbally acknowledges that the session will be recorded. Store the recording on your local drive only and not in the cloud. Do not share screenshots of Zoom meetings, as your Zoom code will be in the upper left section of the screen (this affected the U.K. prime minister last week). If you do all of these things, you've reduced risk exponentially. But as a security pro, I don't see the need to do these things for most routine meetings—particularly those online yoga sessions. 

How can we help?

If you have a question specific to your industry, talk with an Aite Group analyst.  Call us today to learn about the benefits of becoming a client.

Talk to an Analyst

Receive email updates relevant to you.  Subscribe to entire practices or to selected topics within
practices.

Get Email Updates