Concentric’s spending plenty of time on Zoom right now. We’re doing everything from formal, scheduled meetings to quick check-ins to Friday lunches on the platform - so when their recent security issues came to light we took a hard look at what was going on. We’re a security company after all. We can’t just let that grass grow under our feet.
Here’s what we decided. Just to caveat my thoughts here, we’re a small startup in Silicon Valley. The risk tradeoffs we make may not be right for you. In fact, we’re probably pretty unique - as a small startup, we can (and must, sometimes) tolerate some risk to stay agile. But as a company in the security space, we also need to follow best practices.
Zoom’s gotten plenty of attention. As a natural skeptic, I wasn’t prepared to accept either the worst case headlines (“Why Most Should Avoid An ‘Out Of Control’ Zoom Right Now”) or the inevitable assurances from Zoom that everything would be alright in just a release or two. The truth, I figured, would be somewhere in between.
This article from FastCompany was a nice, level-headed analysis of the issues that led to all the hullabaloo. Here’s our take - again, buyer beware, but this is what’s working for me and my company:
- Zoombombing - this happens when an uninvited participant (or an obnoxious invitee, I guess) behaves in a socially unacceptable manner. For us, the worst instance of zoombombing happened when Shankar’s son unexpectedly dropped in on a call. He’s a great kid - we’re going to invite him to more meetings. Our small team faces very little real threat from this trend.
- Exposed contact info - this seems to be an issue if you use neither a dedicated domain or a big, well-known email provider like Gmail. We use concentric.ai so I’m not too worried about data leaks via Zoom directory services.
- Recordings inadvertently made public - this is one of our biggest concerns. However, our team is both small and technically savvy so it’s something we can address. Others might not have it so easy.
- Revealing text chats - also related to making recordings of meetings, this is also something you should consider. We don’t typically record our meetings so we don’t have much to worry about. You might.
- End-to-end encryption evasion - The long analysis to this issue is extraordinarily well covered by The Citizen Lab. Zoom needs to fix this and adopt standards-based encryption, full stop. But after careful consideration for us we believe the risks are low, especially given we do not handle (much less store persistently or share via Zoom) any customer data on our premises whatsoever.
One of the most likely scenarios for data loss via Zoom is a user unwittingly making a recorded meeting publically available. Our Semantic Intelligence solution can help you mitigate this risk by identifying and assessing whether a Zoom file is overshared (and remediating the risk if it is).
If Zoom’s become a bigger part of your remote-work portfolio, we’re offering free access to our solution to help teams cope with the expanded attack surface these tools can create.