Zoom Bombs

The conferencing platform has had a rough month (like all of us). Are we planning on doing any better as remote work becomes permanent?

Zoom, the videoconferencing platform on everyone’s lips this month, has had a roller coaster of a first quarter. As remote working became the norm for hundreds of millions, the company rapidly emerged as a favorite in the United States, where its simplicity and video quality made it stand out from competitors. Its daily usage swelled from 10 million in late 2019 to over 200 million at the end of last month. The rise was nothing less than meteoric, and Zoom’s revenues grew in tandem.

“Phil, can you mute the oncoming traffic behind you?”

But enthusiasm waned as security flaws that were minor in a smaller company grew to outsized proportions in a larger one. “Zoombombing,” the act of finding and joining conferences without an invitation, became a substantial problem that garnered a great deal of unwanted attention. Zoom responded, but slowly, and its reputation took a hit that is already having real-world ramifications: the New York Public School System announced last week that it would not allow its teachers to conduct lessons via Zoom, and plenty of businesses are now also looking elsewhere for their conferencing needs.

Perhaps that’s a reasonable response. But it’s just as likely that users will have other problems when they choose a new platform for their purposes. Skype is far from perfect, Microsoft Teams has a far smaller market penetration, FaceTime and WhatsApp only allow for a limited number of users at a given time, and other apps are either untested, not widely known, or easily compromised.

More than this, the promise of easy solutions to our new need for constant connectedness is just unrealistic. The development of remote working capability is something that many businesses have funded and examined for years, but to imagine that it would suddenly just happen is to ignore basic logistics. Not only are most of us unfamiliar with making collaborative, remote working a part of our normal functioning, we certainly aren’t used to doing it in the midst of a world-rattling pandemic and economic uncertainty. Context matters, and, here, the context is “everybody has a lot going on, okay?”

“Also, a beer and a hot dog.”

What’s the solution, then? Certainly, telecommunication and conferencing companies need to put effort and resources into shoring up their services and offering more reliable security for users. But to be fair to Zoom, if users had required a password for their conferences, the likelihood of a Zoombombing would have dropped dramatically.

Which is why businesses generally need to approach remote working and remote security with the same level of common-sense problem solving that they do for work at the office, adapted to new circumstances. A few examples:

  • You wouldn’t re-use the same conference call bridge and login for every one of your confidential calls, and you certainly wouldn’t share confidential information unless you knew who everyone was on the call: apply that same reasoning to tools like Zoom.
  • You use secure WiFi at work for a reason — it protects sensitive data and avoids leakage of valuable business information. Bringing a secure laptop home from the office and then logging into a WiFi network that doesn’t have password protection is like buying a safe with an extremely complicated lock and then leaving the safe door open all the time.
  • At the office, your IT team makes sure that your software and systems are all running the most recently updated version with all patches installed (something they rarely get thanked for). Your home setup needs to be similarly up-to-date, even if it means the annoying forty-minute wait to download, install, restart, and approve. Updates and patches are what keep you safe from the really harmful risks. Remember the massive WannaCry ransomware outbreak in 2017? The ransomware worked only on systems running an unpatched, out-of-date version of Windows.
This gif doesn’t really add anything to my point, but I like that it looks like it’s from a Geocities site in 1998.

Obviously, no system is foolproof and no company can guarantee that their data or tools are impervious to committed bad actors. But the vast majority of online crime and commercial espionage cases depend on easy access — like videoconferences that don’t require passwords. If you follow the kind of basic data security practices/data hygiene outlined above, you can help yourself avoid becoming the low-hanging fruit.

It’s also worth remembering that the basics of data security/data hygiene make sense only as part of a longer-term strategy. Given the most recent guidance, it’s fair to assume that many of us will be working remotely for the foreseeable future. As such, putting temporary measures in place isn’t going to lay the groundwork for future success. It’s tempting, of course, to focus on right now and to just get by. But if you assume, as we do, that a fundamental shift in the way we approach working and the workplace is underway, it would be self-defeating to assume that a band-aid is going to be sufficient. Make plans that will work today, certainly, but not at the expense of long-term strategy.

Originally published at https://wardpllc.com on April 20, 2020.

Privacy lawyer, data nerd, fan of listing three things. Co-author of “Data Leverage.” Nothing posted is legal advice/don’t get legal advice from blogs.
