Zoom Settings and Advice for Cyber Security


As a meeting host, you will need to take a few steps to familiarize yourself with the changes and ensure that our attendees can join upcoming meetings seamlessly.

https://zoom.us/docs/en-us/zoom-v5-admin.html?zcid=1231

Zoom 5.0 will include:

  • GCM encryption 
  • Active waiting room feature by default
  • Meeting passwords by default

Zoom has worked hard over the last few weeks to implement changes that tighten up security. Here are the changes made so far.

Changes to Zoom Default Settings:

  • Screen Share – By default, only the Host can share content
  • Chat Auto-Save – By default, chat auto-save is now off
  • Guest Identification – All guests will show in the participants list with an orange background behind their names
  • Blur snapshot – By default, the iOS task switcher is blurred when shared
  • Cloud Recording – Due to FIPPA regulations, Cloud Recording has been turned off and cannot be enabled
  • Audio Notifications of Recorded Meeting – Participants connected to the computer audio or by telephone will hear a notification each time the recording is started, paused, resumed from being paused, or stopped
  • Phone Number Masking – Phone numbers of users will be masked in the participant list, for example: 888****666

 

 

Below is a list of security settings and options to improve the security and control of your Zoom calls.

In-Meeting Settings

  • Security options in toolbar: Meeting hosts have a Security icon in the toolbar for quick access to essential in-meeting security controls.
  • Lock the meeting: When a host locks a Zoom Meeting that’s already started, no new participants can join, even if they have the meeting ID and password (if you have required one).
  • Remove participants: From that Participants menu, you can mouse over a participant’s name, and several options will appear, including “Remove”. Click Remove to kick someone out of the meeting. When you do remove someone, they can’t rejoin the meeting. But you can toggle your settings to allow removed participants to rejoin in case you boot the wrong person. Hosts can also mute and turn off the video of participants to block unwanted, distracting, or inappropriate noise/gestures from other participants.
  • Put participant on hold: You can put an attendee on hold and their video and audio connections will be disabled momentarily.
  • Disable video: Hosts can turn someone’s video off. This will allow hosts to block unwanted, distracting, or inappropriate gestures on video.
  • Mute participants: Hosts can mute/unmute individual participants or all of them at once. Hosts can block unwanted, distracting, or inappropriate noise from other participants. You can also enable “Mute Upon Entry” in your settings, which is a good option for large meetings.
  • Turn off file transfer: In-meeting file transfer allows people to share files through the in-meeting chat. Turning it off prevents participants from sending unsolicited files during the meeting.
  • Turn off annotation: You can disable the annotation feature in your Zoom settings to prevent people from writing all over the screens.
  • Disable private chat: Zoom has in-meeting chat for everyone or participants can message each other privately. Restrict participants’ ability to chat amongst one another while your event is going on and cut back on distractions.
  • Control screen sharing: The meeting host can turn off screen sharing for participants.
  • Control recording: The ability to record to the cloud or locally is something an account admin can control. If the host has recording access, they can decide whether to allow an individual participant or all participants to record.
  • Do not allow participants to rename their ID: The host can disable the ability for participants to rename their onscreen identity.
  • Turn on waiting rooms: The meeting host can turn on waiting rooms from within the meeting. The Waiting Room is an important feature for securing a Zoom Meeting. Just like it sounds, the Waiting Room is a virtual staging area that stops your guests from joining until you’re ready for them to join your meeting. 
  • Allow only signed-in users to join: If someone tries to join your meeting and isn’t logged into Zoom with the email they were invited through, they will receive a message that says, “This meeting is for authorized attendees only.” This is useful if you want to allow only signed-in users to attend your meeting and only those from a certain domain — other students at your school or colleagues, for example.
  • Avoid using your Personal Meeting ID (PMI): Your PMI is basically one continuous meeting, and you don’t want outsiders crashing your personal virtual space after your designated meeting is over. 
  • Report a user: Hosts can report users to Zoom’s Trust & Safety team, who will review any potential misuse of the platform and take appropriate action. Find this option within the Security icon or under the green shield icon in the top left corner of your meeting, where you can attach screenshots and other documentation as needed.
  • End-to-End Encryption (E2EE): Account owners and admins can enable end-to-end encryption for meetings, providing additional protection when needed. Enabling end-to-end encryption for meetings requires all meeting participants to join from the Zoom desktop client, mobile app, or Zoom Rooms.

Ensuring Privacy

  • Authentication: Zoom offers a range of authentication methods, such as SAML, Google Sign-in, and/or password-based login, each of which can be individually enabled or disabled for an account.
  • 2-Factor Authentication: Admins can enable 2FA for your users, requiring them to set up and use 2FA to access the Zoom web portal.
  • Enable single sign-on (SSO): Single sign-on allows you to log in using your company credentials and is most effective when it is the only form of login. After enabling SSO, it is best practice to disable all other forms of login (e.g., email, social, etc.). This can be accomplished by using a combination of associated domains and editing the security settings of your account.
  • Video Preview: Before you join a meeting, you can preview your video and select a virtual background, or decide to join without video.
  • Attendee consent for recording: Account admins or meeting hosts can require that all recordings of meetings are accompanied by a pop-up notice to attendees that a recording is taking place, and there is a visual indicator when recording is on.
  • Removed Attention Tracking: Zoom recently removed the option for training professionals to track if attendees were multi-tasking during a meeting.
  • Meeting participants’ basic technical information: Information such as the user’s IP address, OS details, and device details is collected for troubleshooting and admin reporting.
  • Zoom only stores basic information: User account profile information includes email address, user password (salted and hashed), and first and last name. Company name, phone number, and a profile picture are all optional to provide.
  • Zoom has no intention to sell your information to advertisers.
  • Zoom does not monitor your meetings or its contents.
  • Zoom complies with all applicable privacy laws, rules, and regulations in the jurisdictions in which it operates, including the GDPR and the CCPA.
  • Remove unwanted or disruptive participants: You can remove someone from your meeting by using the Security Icon or Participants menu. On the Participants menu, you can mouse over a participant’s name and several options will appear, including Remove. Click Remove to kick someone out of the meeting. When you do remove someone, they can’t rejoin the meeting. But you can toggle your settings to allow removed participants to rejoin in case you boot the wrong person. Hosts can also mute and turn off the video of participants to block unwanted, distracting, or inappropriate noise/gestures from other participants.

See Zoom's privacy policy.

General Best Practices

  • Automatic Updates: Automatic updates help users easily receive important security fixes and helpful features, improving their overall experience with the Zoom platform. Zoom's automatic updates feature periodically checks Zoom servers to determine whether a new update is available and is enabled by default for most individual users. If you use mass deployment packages for Windows (MSI) and macOS (PKG), this user-level feature is disabled by default.
  • Designate a Security Contact: Account owners can assign users (individual or group aliases) within their organization who are not assigned admins or owners to also receive email communications from Zoom’s Security teams. This field can be used to add internal security team members that would like to receive communications about security updates. 
  • Use the right Zoom solution for your need: If you’re planning to use Zoom to host a virtual event with people you may not know, make sure to leverage Zoom Video Webinars or Zoom Events — products designed specifically for digital events. 

Details

Article ID: 432
Created: Tue 4/14/20 2:30 PM
Modified: Tue 1/18/22 7:27 AM