Tags:Remote WorkingZoomTips

News
28/04/2020
5 min read

Springboard's guide to Zoom: How to stay secure

Zoom has been a fundamental tool for Springboard Trust and many other organisations in this shift to remote work. However, as with any application, it is not entirely risk-free.  

The Government Chief Information Security Officer (GCISO) from Te Tira Tiaki and National Cyber Security Centre recently released some best practice guidance for using the video conferencing app – we have summarised some of the key points below, and you can read the full guide here.  

Please note that these guidelines are targeted at public servants or "nationally significant" organisations, and for use during COVID-19 alert levels three and four. As such, we have left out some of the guidance pertaining to mentioning classified information and working for a government agency specifically.  

Eight tips from the April 2020 Zoom security guidelines

1. Use your usual tools for internal meetings 

If your organisation usually uses a specific app like Microsoft Teams or Google Hangouts for your internal video calls, then it is fine to continue doing so under lockdown. However, it is worth getting up to speed with how Zoom works as, due to its widespread use, many people will be involved in a Zoom call during lockdown.  

2. Zoom is not risk-free  

The GCISO notes that in the last 18 to 24 months, Zoom has had security issues. This includes recent cases of ‘Zoom bombing’, where unwanted users enter your meeting.  

Security journalist Brian Krebs exposed some frailties in non-password protected meetings, while Zoom CEO Eric Yuan has admitted mistakes during the app’s rapid expansion due to COVID-19.  

All of which is to say that Zoom is not without risks. However, the company has taken strong steps to improving this security, including default password-protected meetings and expansive best-practice guides for using Zoom – more on that can be found here

These steps, in addition with the below advice from the NZ Government, can help you navigate Zoom use safely. 

 3. Use the laptop app first (then browser, then browser on phone – avoid mobile app) 

The government’s preferred priority of ways you use Zoom is: the desktop application first, then the in-browser functionality on either laptop or mobile, then last the mobile app.  

While the GCISO had not been able to do a rigorous review of the mobile app as of April, due to concerns around user tracking and “a permissive privacy policy”, it recommends government staff avoid using the mobile app for now. If you have to use Zoom from your phone, host or join from your browser (ie Google Chrome). 

4. Use multi-factor authentication (MFA) – especially if you have a high profile

The risk of phishing – someone using fake credentials to get information from an individual – is nothing new. But in this remote working environment, it is especially important for senior leaders and those with a public profile to protect themselves with multi-factor authentication.  

5. If you have to use the mobile app, don’t use it for hosting

The GCISO prefers that people use the mobile app, if they must, primarily for joining internal calls or parties. That means using the app to host a meeting, or join a meeting hosted by a third party, is not ideal.  

6. Make your settings secure

In our previous entries on Zoom, we ran through the settings you can toggle as you set up a meeting. The GCISO has also given recommendations on which to use and which to avoid. This includes:  

  • Don’t use a meeting link – generate a random ID 

  • Limit people who can enter to those signed into their own Zoom account  

  • Use the waiting room tool and don’t let people join before the host  

  • Setting a password for your meeting and sending it to participants securely 

Much of this is now turned on by default in Zoom – in particular, meeting passwords.  

7. Record your meetings locally

By doing this (saving your recording to the computer instead of the cloud), you limit the exposure of the contents of your meeting – it is always good practice to have an offline backup of any material you want to hold onto.  

8. Be a sensible Zoom user

The majority of these measures are to prevent unwanted guests from entering your call. Passwords, waiting rooms, secure communications channels all create strong boundaries around your call, meaning you can conduct your meeting with minimal risk of intrusion.  

On top of these measures, you can also practice sensible behaviour as the call begins. Checking who is there, ensuring people are who they say they are, and only accepting attachments and remote control requests from people you trust.  

This all may seem quite stringent – but keep in mind that it is also GCSB information designed for NZ public servants. That said, the basic principles of online security are always worth discussing when we operate in a digital environment. Like the old saying goes, better safe than sorry!  

For more information on staying safe in Zoom, head to the National Cyber Security Centre. For more general Zoom or remote meeting enquiries, the Springboard Trust team is right here to help.  

Our Strategic Partners