“Is Zoom safe? Is Zoom going to compromise our cybersecurity?” These are some of the questions our clients and prospects ask about the video conferencing service. In this blog, we give you a clearer answer to the question of the video conferencing solution’s safety and security.
A quick look at some of the concerns related to the video conference solution that we cover in this blog:
Zoom has become so ubiquitous that even nursery kids are now using "Zoom me" as a verb to communicate. My five, yes, 5-year-old nephew does his English tuition over the Zoom app and is fully comfortable with annotating, switching off the camera when he is being naughty and even muting the microphone during ‘Zoom meetings’ when he wants the teacher to think there is an internet connectivity problem.
So, is Zoom secure or not?
Let's get straight to the point. For most organisations that have a decent degree of security measures in place, yes, Zoom is secure. But wait! Before you move on to another blog on our site, there is much more to the answer than a simple yes. Let me explain.
The first question you should ask is: what do you do? Are you in the arms manufacturing business for a special government unit? Are you discussing national security topics or extremely sensitive data that, if intercepted, could actually impact the country's security?
You get the point. If your topic of discussion is extremely sensitive and you don't want any interception, then you should NOT be using Zoom. As a matter of fact, you should not be using any of the web conferencing solutions available. We may write another blog on suitable alternatives.
Don't forget, most modern 'smart' devices are listening to your every word and in the case of Samsung, for example, they were absolutely open about it. Samsung's T&C said "if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through the use of Voice Recognition."
Let's not forget about Amazon's Echo, Google's Smart speakers and every other “smart device” in your home.
Continuing from the above section, the simple answer to any question, not just "Is Zoom secure?" is to take a risk-based approach. Here are some questions you should ask before you use any software:
No, Zoom is a US-based company. Founded and headquartered in San Jose, California, it’s publicly traded on the NASDAQ. In fact, the company’s CEO and Founder clarified in his blog last year that Zoom has absolutely no connections with the Chinese government. He also added that he's been an American citizen since 2007, living in the US since 1997.
The Queen and UK Prime Minister use Zoom, so it must be safe against cyber attacks, correct?
Yes, they do and I can assure you (well, let's hope I am right) that someone somewhere must have done a contextual risk assessment based on what was going to be discussed, the sensitivity of the topics and more, before allowing them to join a Zoom meeting room.
There is a special Zoom app for the US Government created by Zoom called ZoomGov. In summary, the data stays in the US only. There is something similar by Microsoft for Microsoft Teams. It's got to do with US FedRAMP and certain acceptable baselines. Ensure you do your research.
There is a ton of guidance on Zoom but here are some links by the US and UK governments. They are either PDFs or websites.
At Cyber Management Alliance, we regularly conduct Cyber Crisis Tabletop Exercises for clients including banks, councils, sporting organisations, pharmaceuticals and more.
Before the Covid-19 pandemic, we conducted most tabletop exercises at the customer site or in special offsite locations. At the beginning of March 2020, we switched all cyber tabletop sessions to remote and started using Zoom. At that time it was the only one that offered breakout room functionality, a feature we rely on for successful tabletop and incident response testing exercises.
For the record, we have also used MS Teams and Google Meet for conducting crisis tabletop exercises without too many issues.
(The Law that states ‘Major Incidents only happen on Weekends or Holidays’ :)
Murphy’s law dictates that most cyber-attacks are only detected, and hence wreak havoc, on Friday evenings in the West or Thursday evenings in the Middle East. Consequently, most, if not all, staff are out of the office, at home or travelling. Pandemic or not, testing Incident Response Plans through a virtual conference room only makes sense.
It’s best to practise responding to a crisis through a platform that lends itself well to a chaotic situation like a security incident and one that you will probably be using when you are under attack.
In our opinion, Zoom is pretty seamless and rarely has technical glitches if everyone has a decent internet connection. You can share screens and put people in waiting rooms or breakout rooms, which makes it ideal for managing a cyber crisis, especially in the current business environment.
Better Alternatives to Zoom?
Yes, there are too many to list here. Here are some others that we use regularly.
WARNING! None of the above (and that includes Zoom) is a 100% secure solution against data breaches. Like all software applications, each will have known vulnerabilities and each will have zero-day exploits.
Please read the UK and US government guidance on how to better secure your video conferencing connections including, you guessed it, using common sense.
To enhance your cyber crisis management and cyber resilience capabilities, check out our NCSC-Certified Cyber Incident Planning and Response course. You can also consider our Breach Readiness Assessment to evaluate if your business is prepared to deal with a cyber-attack.