Is Zoom Safe & Secure?
Date: 17 June 2021
"Is Zoom safe? Is Zoom going to compromise our cybersecurity?" These are some of the questions our clients and prospects ask about the video conferencing service. In this blog, we give you a clearer answer to the question of the video conferencing solution's safety and security.
A quick look at some of the concerns related to the video conference solution that we cover in this blog:
- So, is Zoom Secure?
- It's all about Risk.
- Wait! Zoom is a Chinese Company!
- What do the US and UK Governments say about it?
- How to use Zoom for testing Cyber Incident Response?
- Are there more secure audio and video alternatives?
Zoom has become so ubiquitous that even nursery kids are now using "Zoom me" as a verb to communicate. My five, yes, 5-year-old nephew does his English tuition over the Zoom app and is fully comfortable with annotating, switching off the camera when he is being naughty and even muting the microphone during 'Zoom meetings' when he wants the teacher to think there is an internet connectivity problem.
So, is Zoom secure or not?
Let's get straight to the point. For most organisations that have a decent degree of security measures in place, yes, Zoom is secure. But wait! Before you move on to another blog on our site, there is much more to the answer than a simple yes. Let me explain.
What sector are you in and what are you discussing?
The first question you should ask is: what do you do? Are you in the arms manufacturing business for a special government unit? Are you discussing national security topics or extremely sensitive data that, if intercepted, could actually impact the country's security?
You get the point. If your topic of discussion is extremely sensitive and you cannot tolerate any interception, then you should NOT be using Zoom. As a matter of fact, you should not be using any of the web conferencing solutions available. We may write another blog on suitable alternatives.
Don't forget, most modern 'smart' devices are listening to your every word and in the case of Samsung, for example, they were absolutely open about it. Samsung's T&C said "if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through the use of Voice Recognition." More info here.
Take a risk-based approach
Continuing from the above section, the simple answer to any such question, not just "Is Zoom secure?", is to take a risk-based approach. Here are some questions you should ask before you use any software:
- What sector is your organisation operating in?
- Does it trade in, create or store state secrets or intellectual property?
- Is your organisation covered by any specific national security confidentiality requirements?
- Is interception of your discussions, phone calls and meetings going to compromise your business or affect national security?
- What does your specific government say about the software provider, in this case Zoom?
Wait! Zoom is a Chinese Company!
No, Zoom is a US-based company. Founded and headquartered in San Jose, California, it’s publicly traded on the NASDAQ. In fact, the company’s CEO and Founder clarified in his blog last year that Zoom has absolutely no connections with the Chinese government. He also added that he's been an American citizen since 2007, living in the US since 1997.
The Queen and UK Prime Minister use Zoom, so it must be safe against cyber attacks, correct?
Yes, they do and I can assure you (well, let's hope I am right) that someone somewhere must have done a contextual risk assessment based on what was going to be discussed, the sensitivity of the topics and more, before allowing them to join a Zoom meeting room.
What do the US and UK Governments say about Zoom?
There is a special Zoom offering for the US Government created by Zoom called ZoomGov. In summary, the data stays in the US only. Microsoft offers something similar for Microsoft Teams. This relates to US FedRAMP and certain acceptable baselines. Ensure you do your research.
There is a ton of guidance on Zoom but here are some links by the US and UK governments. They are either PDFs or websites.
- There is more information here from the US Government CISA.
- The UK's NCSC has a one page Infographic here.
How to Use Zoom to Test Your Cyber Incident Response Plans?
At Cyber Management Alliance, we regularly conduct Cyber Crisis Tabletop Exercises for clients including banks, councils, sporting organisations, pharmaceuticals and more.
Before the Covid-19 pandemic, we conducted most tabletop exercises at the customer site or in special offsite locations. Since the beginning of March 2020, we have switched all cyber tabletop sessions to remote and started using Zoom. At that time it was the only one that offered breakout room functionality, a feature we rely on for successful tabletop and incident response testing exercises.
For the record, we have also used MS Teams and Google Meet for conducting crisis tabletop exercises without too many issues.
Murphy’s Law & Cyber-Attacks
(The Law that states ‘Major Incidents only happen on Weekends or Holidays’ :)
Murphy's law dictates that most cyber-attacks are only detected, and hence wreak havoc, on Friday evenings in the West or Thursday evenings in the Middle East. Consequently, most, if not all, staff are out of the office, at home or travelling. Pandemic or not, testing Incident Response Plans through a virtual conference room simply makes sense.
It's best to practise responding to a crisis on a platform that lends itself well to a chaotic situation like a security incident, and one that you will probably be using when you are under attack.
In our opinion, Zoom is pretty seamless: it rarely has technical glitches if everyone has a decent internet connection, and you can share screens and put people in waiting rooms or breakout rooms, making it ideal for managing a cyber crisis, especially in the current business environment.
Better Alternatives to Zoom?
Yes, there are too many to list here. Here are some others that we use regularly.
- Microsoft Teams: Thank the Almighty that Lync and Skype are out of the picture. Microsoft Teams is actually quite a good business communication platform and it's getting better. It never had some of the popular functions of Zoom, such as Zoom Rooms and Breakout Rooms, but now the latter is being introduced gradually.
- Google Meet: An increasingly robust video conferencing solution, Google Meet has quickly become very popular as an alternative to Zoom. However, it lacks the breakout room functionality, which I love to bits.
- There are some others like Blue Jeans for video conferencing, live streaming and connected rooms. Join Me is considered good for screen share and team collaboration.
WARNING! None of the above (and that includes Zoom) is a 100% secure solution against data breaches. Like all software applications, each will have known vulnerabilities, and there will be zero-day exploits for each.
Please read the UK and US government guidance on how to ensure you better secure your video conferencing connections including, you guessed it, using common sense.
To enhance your cyber crisis management and cyber resilience capabilities, check out our NCSC-Certified Cyber Incident Planning and Response course. You can also consider our Breach Readiness Assessment to evaluate if your business is prepared to deal with a cyber-attack.