How Zoom Is Attempting to Fix Security 'Missteps'

eWEEK NEWS ANALYSIS: Thanks largely to the COVID-19 pandemic, Zoom's number of worldwide users has surpassed the 200 million mark, a spectacular rise after market analyst Apptopia reported it served a mere 12.9 million users on Jan. 1.

Download the authoritative guide: Big Data: Mining Data for Revenue

EricYaunZoom2

Not surprisingly, videoconferencing in the spring of 2020 is front and center for IT in the wake of the COVID-19 pandemic, when most people are sheltering safely at home to ride out the crisis.

Schoolteachers, personal support groups, church committees, business associates—even White House cabinet members—along with myriad other groups and individuals are taking advantage of relatively inexpensive and easy-to-use videoconferencing web applications. These include Zoom, Cisco Webex, Google Hangouts, Microsoft Teams, Skype, BlueJeans Network, GotoMeeting, Zoho, Adobe Connect, Slack and others that are rescuing the culture from non-connectedness.

All these services are tremendously busy. While Cisco CEO Chuck Robbins reported that Webex facilitated more than 5.5 billion meeting-minutes in the first 17 days of March, Zoom, the freely available web-based video collaboration app, is the one making the most news right now. This is mainly because of its cost (free for the basic version), quality (generally judged high by users) and pervasiveness in the online user community.

As of April 6, Zoom estimates its number of worldwide users to have surpassed the 200 million mark, a spectacular rise after market analyst Apptopia reported it served a mere 12.9 million users on Jan. 1.

'Zoom Bombing' Becoming More Commonplace

With great influence come great challenges. You’ve probably heard about the phenomenon called Zoom bombing, in which unwelcome intruders join private Zoom meetings and disrupt conversations, insert distractive or abusive comments, gather personal information from private discussions and cause other mayhem. Well, it’s happening a lot, and companies (such as Tesla) and public organizations (such as the New York City School District) have stepped away from using Zoom due to this security concern.

Because Zoom sessions have historically had only a nine-, 10- or 11-digit identification number and no password protection, it’s been relatively easy for hackers to punch in a random ID number, join a conference and insert unwelcome content, such as racist, sexist, homophobic or pornographic material, which they are doing regularly. Zoom now is taking strong action to combat this, but it’s been a major problem only for the last several weeks, when consumers started using the service more frequently.

It’s an unfortunate truth here in 2020—as has been the case for decades—that many nefarious people have way too much time on their hands and use the internet to disrupt institutions, faith groups, businesses, governments and human relationships. IT has been fighting an uphill security battle against these forces for the entire history of the internet, and Zoom's predicament is no different from many other companies' experiences.

The San Jose, Calif.-based company, which started up in 2011 and went public last year, simply was not designed for its now-huge user base. Like the internet itself, which was intended for people to use courteously and without malicious intent, Zoom has been a bedrock collaboration tool for enterprises. Now CEO Eric Yuan (pictured) and his team are making big-time changes.

'We Grew Too Fast and Had Some Missteps'

“Our service is beautiful, and we were serving our [enterprise] customers well, but during this COVID-19 crisis, we grew too fast and had some missteps,” Yuan said in an interview April 5 with CNN’s Brian Stelter. “We expanded our service but should have enforced passwords, waiting rooms and other security measures earlier. In the last two weeks, we took actions to fix those missteps. The new user cases are very different from our traditional enterprise customers, where they have IT for support.

“The security is coming into place now, and we need to focus on education for consumers. For example, we’re in the process of working with the New York City School District to understand how to use the security settings, to make sure Zoom bombing does not happen again.”

Yuan said that his company “has learned its lesson, and we will double down, triple down, on privacy and security. We want Zoom to be the privacy- and security-first company.”

What Zoom Is Now Doing to Improve Security

Here are the latest security measures Zoom has enacted:

Required passwords: Zoom has enabled passwords on all new participants in meetings and turned on Waiting Rooms by default as additional security enhancements to protect user privacy. After they click on the invite URL, enter a meeting ID and enter the meeting password, meeting participants then must enter a virtual waiting room until granted access by the host of the meeting. In this way, the host can see who’s trying to enter and grant, or not grant, access.

Virtual waiting room turned on by default: Starting April 5, the virtual waiting room feature will be automatically turned on by default. The Waiting Room is just like it sounds: It’s a virtual staging area that prevents people from joining a meeting until the host is ready.

Meeting Passwords Enabled 'On' for Regular Meetings

Starting April 5, previously scheduled meetings (including those scheduled via a host’s Personal Meeting ID) will have passwords enabled. If attendees are joining via a meeting link, there will be no change to their joining experience. For attendees joining meetings by manually entering a meeting ID, they will need to enter a password to access the meeting. 

For attendees joining manually, Zoom highly recommends re-sharing the updated meeting invitation before your workweek begins. Here’s how users can do that:

  • Log in to your account, visit your Meetings tab, select your upcoming meeting by name and copy the new meeting invitation to share with your attendees.
  • For step-by-step instructions, please watch this 2-minute video or read this FAQ.
  • For regularly scheduled meetings, the meeting password can be found in the invitation. For instant meetings, the password will be displayed in the Zoom client. The password can also be found in the meeting join URL.

How Hosts Admit Participants Into a Meeting

As the host, once you’ve joined, you’ll begin to see the number of participants in your waiting room within the Manage Participants icon. Select Manage Participants to view the full list of participants; then, you’ll have the option to admit individually by selecting the blue Admit button or all at once with the Admit All option on the top right-hand side of your screen. For step-by-step instructions, please watch this 2-minute video.

Check out these resources to learn How to Manage Your Waiting Room and Secure Your Meetings with Virtual Waiting Rooms.

For more information on how to utilize passwords and Waiting Rooms to secure your meetings, please visit Zoom’s Knowledge Center, attend a daily live demo or read the blog.

----------------------------------------------------

Sidebar: Startup Offers Three-Month Trial for Corporate Risk Service

Enterprise Zoom users now have a new free-trial option when it comes to controlling corporate risk and compliance.

Santa Barbara, Calif,-based startup Theta Lake, a collaboration risk and compliance provider that helps risk teams scale their regulatory compliance and cybersecurity risk detections across video, voice and chat channels, said April 7 that it is offering three free months of its AI-based Compliance Suite to Zoom customers. 

Theta Lake has a seamless integration with Zoom. It mitigates key regulatory and liability challenges by providing organizations with automatic detection of acceptable use and compliance risks across all the ways employees can engage during a session, including voice, video and chat content, as well as all shared or shown files and visual content.

Theta Lake’s Compliance Suite provides deep supervision and risk detection features for Zoom, allowing organizations to align their safety, risk and compliance requirements while empowering their workforce to collaborate remotely. Theta Lake can help  organizations meet financial services requirements for retention and supervision of communications under SEC, FINRA, CFTC and MiFID II rules, or strict mandates for the protection of acceptable use standards and personally identifiable information pursuant to HIPAA, FERPA, GDPR or other state regulatory requirements.

Capabilities include:

  • Ability to identify PII and sensitive information to comply with privacy and cybersecurity requirements including HIPAA, FERPA, GDPR, NYDFS and CCPA coverage;
  • Full visual coverage that identifies brand logos, inappropriate content, whiteboards, weapons and more;
  • Customizable detections that facilitate detection of organization-specific risk and liabilities across collaboration interactions;
  • Real-time Compliance Advisor that provides end-user alerts and risk mitigation education;
  • Automated risk detection of regulatory compliance risks in written, shared, shown and spoken business communications inside of Zoom across over 30 detections for specific MiFID II, SEC Reg BI, FINRA, CFTC, FFIEC, Insurance Suitability and FCA’s PRIIPs KID requirements;
  • AI-enabled workflow that routes the right content to the right compliance teams for efficient and consistent supervision;
  • 17a-4-compliant electronic archive that captures, retains and manages all Zoom content.

Availability: The Theta Lake Compliance Suite is available on the Zoom App Marketplace. For more information, visit https://thetalake.com.

Chris Preimesberger

Chris J. Preimesberger

Chris J. Preimesberger is Editor-in-Chief of eWEEK and responsible for all the publication's coverage. In his 15 years and more than 4,000 articles at eWEEK, he has distinguished himself in reporting...