With so many of us currently transitioning to a remote world while we ride out the pandemic, we are relying on video conferencing tools like never before. Tools like Microsoft Teams, GoToMeeting, BlueJeans, Skype, and, of course, Zoom.
Zoom has been in the news a lot since the pandemic started as the company has struggled with security issues. It initially scrambled to patch things as the new attention shone a light on the platform’s security. Thankfully, Zoom has recently been making great strides and has added several features to increase security for its users. In this post, we’ll be sharing some simple tricks you can use to make your Zoom experience much safer.
At Future Ada, we use Zoom and have been taking measures to ensure the privacy and security of our own organization, our users, and our participants. The recommendations listed here stem from our own testing and what we follow ourselves. While we’re not going to touch on every specific setting, the guidelines below should help set a secure baseline for your online meetings.
➡️ All the settings listed below can be found by logging into your Zoom account from a Web browser.
Many settings can be confusing as they appear to be duplicated in a couple of locations: one set for the overall administration of your account, and another under your personal user settings. You’ll want to check both locations to be sure they are set appropriately. These settings can be found in the following locations:
- Personal > Settings
- Admin > Account Management > Account Settings
💡 Note: Settings found under Admin have a “lock” ( 🔒 ) option next to them which should be set for any setting you want to be universal for all your users and all your meetings.
Advanced settings to check can be found under:
- Admin > Advanced > Security
- Admin > Advanced > Integration
There are recommendations here that may be scattered throughout each of these areas so you will want to check them all to know what’s available and get them set appropriately. Check them regularly as well to take advantage of new settings that become available as Zoom rolls out updates.
Use of strong, complex passwords increases the security of your account and your meetings. Anywhere you find an option to enable a password, do so. You’ll want to enforce complex passwords wherever possible as well. While this adds security, complex passwords are also harder to remember, so you’ll want to make it easy on yourself to keep your passwords strong and not reused. Using a password manager can help you keep track of your passwords for each account, generate secure passwords, and help ensure you don’t use the same old password over and over. 1Password is a great option for password management, but it is not a free option. LastPass is a great free alternative for password management.
Password requirement guidelines for Zoom accounts, meetings (and really, any account you have):
- Have a minimum password length of 12 (or highest allowed length available)
- Have at least 1 letter (a, b, c…)
- Have at least 1 number (1, 2, 3…)
- Have at least 1 special character (!, @, #…)
- Include both Upper case and Lower case characters
- Cannot contain consecutive characters (e.g. “1111”, “1234”, “abcd”, or “qwert”)
Enable enhanced weak password detection where available and strong password policy management options.
- Require new users to change their password upon initial sign-in
- Set password expiration after a specified number of days (120 days or less)
- Don’t have users reuse any previous passwords
- Limit the number of times a user can change their password in a 24 hour window to 3 or less
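As an added illustration (our own example, not Zoom’s logic, which is not published), here is a small checker that applies the complexity rules above; it also treats descending runs such as “4321” as consecutive, which goes slightly beyond the list.

```python
import re
from typing import List

MIN_LENGTH = 12
# Keyboard rows used to spot sequences such as "qwert" (constructed list; extend as needed)
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_consecutive_run(pw: str, length: int = 4) -> bool:
    """True if pw contains a run of `length` identical characters ("1111"),
    a stepwise ascending or descending run ("1234", "abcd", "dcba"),
    or a keyboard-row sequence ("qwert")."""
    low = pw.lower()
    for i in range(len(low) - length + 1):
        chunk = low[i:i + length]
        if len(set(chunk)) == 1:          # repeated character, e.g. "1111"
            return True
        codes = [ord(c) for c in chunk]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:  # e.g. "1234", "abcd", "4321"
            return True
        for row in KEYBOARD_ROWS:          # e.g. "qwer" from "qwert"
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def check_password(pw: str) -> List[str]:
    """Return the list of policy rules the password fails; empty means it passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", pw):
        failures.append("no letter")
    if not re.search(r"[0-9]", pw):
        failures.append("no number")
    if not re.search(r"[^A-Za-z0-9]", pw):
        failures.append("no special character")
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)):
        failures.append("missing upper or lower case")
    if has_consecutive_run(pw):
        failures.append("contains a consecutive run such as 1111, 1234, abcd or qwert")
    return failures


if __name__ == "__main__":
    for candidate in ("password1234", "Zoom!Secure2020x"):  # constructed samples
        print(candidate, "->", check_password(candidate) or "OK")
```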
General guidelines for what you allow your participants to do in your meetings will depend on who your participants are. Public meeting with participants being folks you don’t know? Lock down your permissions more. Is your meeting just with folks in your own organization where you know everyone? Grant more permissions to your participants and take advantage of some of the more fun features of Zoom meetings. Many settings can be overridden when you schedule a meeting, however, allowing you to lock things down by default while still being able to open them up for a meeting with trusted participants.
Recommended locked down default settings:
- Disable transferring of files to avoid anything malicious or inappropriate being sent to you or another participant
- Disable participants’ ability to use annotation so no one accidentally or purposefully draws on your presentation
- Disable participants’ ability to use the whiteboard
- Disable participants’ ability to use remote control so no other participant can be given control over a screen being shared
- Disable participants’ ability to provide nonverbal feedback via icons
- Disable the ability for removed participants to rejoin the meeting
- Disable far end camera control to prevent another participant or user from taking control of your camera
Other things you can consider disabling include the chat feature or just private chats. This can help you control the narrative of your meeting and prevent unexpected interruptions. Chat can be disabled and enabled from within the meeting by the host or co-host as well for this purpose.
Virtual backgrounds are super popular right now and they can be a lot of fun. However, if you have a lot of participants you don’t know or trust this may be a setting you want to consider disabling to prevent an inappropriate image from being used as someone’s background.
For meetings that are open to the public, consider disabling video for folks on the start of a meeting (this can be turned on after things get started). Setting screensharing to be host-only is a good option for public meetings as well so no one else shares their screen with something unexpected or inappropriate.
Turning off “Join Before Host” and enabling “Waiting Room” are good options for public meetings as well to control when and who gets to join. Having all participants sit in a “Waiting Room” gives you, as the host, control to get set up and ready before allowing anyone to join. You then get to manually admit individuals from the “Waiting Room” when you are ready.
If you are allowing participants to join your meeting via telephone channels, it’s a good idea to protect their privacy by selecting to mask their phone number in the participant list. This may not be necessary if all participants are known and trusted.
Zoom provides the option for local recording of a meeting by an individual participant or the host (saved to a specified location on your computer) or for the host to save the recording to the cloud. Depending on your meeting and whether you want participants to have (easy) control over recording your content, you may want to consider disabling the local recording option.
You can take control of recordings and access to them by limiting recording to the host only and saving it to the cloud. Lock the recordings down to only authenticated users and require a password to gain access or download copies.
If you, as the host, decide to record your meeting, it’s a good practice to enable the settings for a disclaimer to your participants so they know and have the option to consent to it or leave the meeting.
General Meeting Security
Wherever possible, enable encryption and OAuth 2.0 setting options for added data and authentication security.
Be mindful of the data centers being used with your account. Zoom offers a number of countries / regions for you to pick from. We recommend not using China or Hong Kong SAR.
General Account Security
At the account level, it’s a good idea to always enable two-factor or multi-factor authentication for yourself and for all users on your organization’s account.
Multi-factor authentication is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is).
Two-factor authentication (also known as 2FA) is a type, or subset, of multi-factor authentication. It is a method of confirming users’ claimed identities by using a combination of two different factors: 1) something they know, 2) something they have, or 3) something they are.
Additionally, set an inactivity time-out period for users who are logged in to Zoom but have not been active. The lower the inactivity timeout, the better it helps prevent an unauthorized person from using an account if the user forgot to log out or walked away from their computer.
Integrating with other services is really handy but you want to be really mindful about which ones you are allowing vs not. Review the integration options available to you and disable any that you are not using or don’t need.
Zoom is updating and enhancing their security and privacy options pretty frequently right now. Be sure to check these other resources for the latest security options:
- Zoom Privacy & Security Documentation
- Check if there are updates in your Zoom client
- Download the latest Zoom version
Curious about these settings or want to learn more about online privacy and security? Future Ada offers regular free workshops covering these topics, as well as free one-on-one appointments with our privacy and technical professionals.