Zoom has been a fundamental tool for Springboard Trust and many other organisations in this shift to remote work. However, as with any application, it is not entirely risk-free.
The Government Chief Information Security Officer (GCISO) from Te Tira Tiaki and National Cyber Security Centre recently released some best practice guidance for using the video conferencing app – we have summarised some of the key points below, and you can read the full guide here.
Please note that these guidelines are targeted at public servants or "nationally significant" organisations, and for use during COVID-19 alert levels three and four. As such, we have left out some of the guidance pertaining to mentioning classified information and working for a government agency specifically.
Eight tips from the April 2020 Zoom security guidelines
1. Use your usual tools for internal meetings
If your organisation usually uses a specific app like Microsoft Teams or Google Hangouts for your internal video calls, then it is fine to continue doing so under lockdown. However, it is worth getting up to speed with how Zoom works as, due to its widespread use, many people will be involved in a Zoom call during lockdown.
2. Zoom is not risk-free
The GCISO notes that in the last 18 to 24 months, Zoom has had security issues. This includes recent cases of ‘Zoom bombing’, where unwanted users enter your meeting.
All of which is to say that Zoom is not without risks. However, the company has taken strong steps to improve its security, including default password-protected meetings and expansive best-practice guides for using Zoom – more on that can be found here.
These steps, together with the advice below from the NZ Government, can help you navigate Zoom use safely.
3. Use the laptop app first (then browser, then browser on phone – avoid mobile app)
The government’s preferred order for how you use Zoom is: the desktop application first, then the in-browser functionality on either laptop or mobile, and lastly the mobile app.
4. Use multi-factor authentication (MFA) – especially if you have a high profile
The risk of phishing – someone using fake credentials to get information from an individual – is nothing new. But in this remote working environment, it is especially important for senior leaders and those with a public profile to protect themselves with multi-factor authentication.
5. If you have to use the mobile app, don’t use it for hosting
The GCISO prefers that people use the mobile app, if they must, primarily for joining internal calls or parties. That means using the app to host a meeting, or join a meeting hosted by a third party, is not ideal.
6. Make your settings secure
Don’t use a meeting link – generate a random ID
Limit people who can enter to those signed into their own Zoom account
Use the waiting room tool and don’t let people join before the host
Set a password for your meeting and send it to participants securely
Much of this is now turned on by default in Zoom – in particular, meeting passwords.
7. Record your meetings locally
By doing this (saving your recording to the computer instead of the cloud), you limit the exposure of the contents of your meeting – it is always good practice to have an offline backup of any material you want to hold onto.
8. Be a sensible Zoom user
The majority of these measures are to prevent unwanted guests from entering your call. Passwords, waiting rooms and secure communication channels all create strong boundaries around your call, meaning you can conduct your meeting with minimal risk of intrusion.
On top of these measures, you can also practise sensible behaviour as the call begins: check who is there, ensure people are who they say they are, and only accept attachments and remote control requests from people you trust.
This all may seem quite stringent – but keep in mind that it is also GCSB information designed for NZ public servants. That said, the basic principles of online security are always worth discussing when we operate in a digital environment. As the old saying goes, better safe than sorry!