Protecting Your Organization’s Security when Video Conferencing

by Tony Pimpo

Vast numbers of employees across the United States and the world are now working from home due to the outbreak of novel coronavirus (COVID-19). This new reality of remote working and video-teleconferencing (VTC) for the masses brings its own set of risks and rewards. As you navigate this new arena, we want you and your organization to be prepared.

Recently, we wrote an article comparing Microsoft Teams with Zoom Video for use by businesses. We focused on many of the standard features that organizations are looking for when it comes to selecting a video-teleconferencing platform. One area we did not focus on was security. New issues are coming to light with Zoom that may make organizations take a hard look at which platform best suits their needs.

Zoom-bombing

Zoom-bombing is a term coined for the practice of joining Zoom meetings uninvited. It has become so prevalent that the Federal Bureau of Investigation has issued a warning about this nefarious practice. The FBI has received numerous reports of meetings being disrupted by obscene and hateful images and threatening language.

The incidents described by the FBI include:

  • A Massachusetts-based high school reports that, while a teacher was conducting an online class using Zoom, an unidentified individual dialed into the classroom. This individual yelled profanity and then shouted the teacher’s home address in the middle of an instruction.
  • A report from a second Massachusetts-based school states that an unidentified individual accessed a Zoom meeting. In this incident, the individual was visible on the video camera and displayed swastika tattoos.

Some of Zoom’s features that center on making meetings easy to join and participate in have caused these problems. A Zoom update released in January 2020 made requiring passwords a default setting for meetings, so the FBI is urging everyone to install the latest version.

Unwanted attendees pose other risks that the FBI does not outline. These include the possibility of unwanted guests joining under the radar, listening to meetings for sensitive information, and capturing content from screens that are being shared. For meetings with a large set of attendees and sensitive discussion topics, passwords are a must.

Issues of privacy

Other privacy and security issues have come up with regard to Zoom. Last year, a severe security vulnerability was discovered on Mac computers. Zoom installed a local web server that allowed the software to circumvent Safari 12 security measures. This web server also remained on the user’s device even when Zoom was uninstalled. It was not adequately secured, potentially opening the floodgates for anyone to gain control of the user’s video camera.

Apple rectified the issue with a software update, and Zoom subsequently removed the web service. However, this web service was not mentioned in Zoom’s privacy policy.

Recently (as in, over the past few days), Zoom has strengthened its privacy policy in response to criticism. However, several current problems give us pause when using Zoom at a business level. Let’s examine some of these.

  • Attention tracking
    • Zoom has a feature called “attendee attention tracking.” When enabled, this feature alerts hosts if an attendee does not have the Zoom Desktop Client or Mobile App in focus for more than 30 seconds while a screen is shared. The ability to do this without alerting those who are using the application is a privacy concern.
  • Screen sharing settings
    • Out of the box, those who join a meeting can share their screen and video feed without prior approval by the host.
  • Windows user password hacking
    • Forbes has commented on the latest issue, in which Windows passwords could potentially be stolen through a security vulnerability. The recommendation? Use Microsoft Teams for business use. We’d have to agree.

Microsoft has a strong commitment to privacy that is trusted by organizations and governments across the world. Here is a snippet of their privacy policy, as it relates to Teams.

“As a customer of Office 365, you own and control your data. Microsoft does not use your data for anything other than providing you with the service that you have subscribed to. As a service provider, we do not scan your email, documents, or teams for advertising or for purposes that are not service-related. Microsoft doesn’t have access to uploaded content. Like OneDrive for Business and SharePoint Online, customer data stays within the tenant. You can check out more about our trust and security related information at the Microsoft Trust Center. Teams follows the same guidance and principles as the Microsoft Trust Center.”

What can you do to protect yourself?

While any system can be exploited without the proper security measures, Microsoft Teams has enterprise-level security out of the box. This includes a lobby that is enabled by default, requiring the presenter/host to admit attendees into the meeting.

The host must grant permission before any of these attendees can share their screen. Furthermore, Microsoft Teams includes multi-factor authentication, adding another layer of security against hacking.

With Microsoft Teams, you can be confident that your data is protected and that features are set by default to protect your organization.