Zoom in a crisis: the security settings managers need to check
In March 2020 Zoom went from a niche tool to company infrastructure overnight. A practical checklist for managers who are not security specialists.
In the last two weeks of March, Zoom went from something developers used occasionally to the primary communication platform of entire organisations. Alongside that, the reports started arriving: uninvited guests joining public meetings, sensitive calls being recorded and shared, account credentials appearing on paste sites.
None of this requires technical sophistication to address. Most of it is a settings problem.
Why the defaults are not safe
Zoom's default configuration was designed for ease of onboarding, not for a company moving its operations onto the platform under time pressure. Several defaults that made sense for a small team trying the product make little sense for a company running board meetings and client calls on it.
The most reported issue - "Zoom bombing," uninvited people joining meetings - is almost always preventable with two settings: the waiting room and a meeting password. The others are about data and access.
The settings to change now
These apply at the account admin level. If your IT team has not done this, someone should do it today.
Waiting room - turn it on. Every participant waits in a lobby until the host admits them. This alone stops most uninvited joins.
Password requirement - enable passwords for all meetings, not just scheduled ones. Zoom generates them automatically. Share via a secure channel, not in a public post.
Screen sharing - change the default from "all participants" to "host only." The host can grant sharing rights during the call. This prevents participants from sharing their screen without consent.
Recording storage - if you use cloud recording, check who has access to recordings in your account settings. By default, recordings may be accessible to all users in the organisation. Restrict to the host and explicitly invited people.
Meeting ID - avoid using your Personal Meeting ID (PMI) for sensitive calls. Your PMI is essentially a permanent room number. Use generated IDs for calls that need to stay private.
End-to-end encryption - as of spring 2020, Zoom's encryption has been a subject of scrutiny. For calls involving sensitive topics, consider whether Zoom is the right tool. For most operational calls, the above settings are sufficient.
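As an added example (not code from the original post or from Zoom), here is a small Python script that audits an exported account-settings document against the checklist above and reports every item that is still at a permissive value. The dotted key names are assumptions modelled on the shape of Zoom's account-settings API response and should be checked against your own export; the sample settings are constructed.

```python
"""Offline audit of an exported Zoom account-settings JSON against the checklist above."""
import json

# Each rule: (dotted path into the settings document, expected value, checklist item).
# The paths are ASSUMED to follow Zoom's account-settings API layout; verify against your export.
RULES = [
    ("in_meeting.waiting_room", True, "Waiting room must be on"),
    ("schedule_meeting.require_password_for_scheduling_new_meetings", True, "Scheduled meetings must require a password"),
    ("schedule_meeting.require_password_for_instant_meetings", True, "Instant meetings must require a password"),
    ("in_meeting.who_can_share_screen", "host", "Screen sharing must default to host only"),
    ("recording.recording_authentication", True, "Cloud recordings must require sign-in to view"),
    ("schedule_meeting.use_pmi_for_scheduled_meetings", False, "Do not schedule meetings on the Personal Meeting ID"),
]


def lookup(doc, dotted):
    """Walk a dotted path through nested dicts; return None when any segment is missing."""
    node = doc
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit(settings):
    """Return one finding per rule that is not satisfied. A missing key counts as a finding,
    because an option that was never set falls back to the product's permissive default."""
    findings = []
    for path, expected, why in RULES:
        actual = lookup(settings, path)
        if actual != expected:
            findings.append({"setting": path, "expected": expected, "actual": actual, "why": why})
    return findings


# Constructed sample: what a never-reviewed account export might look like (not real data).
SAMPLE_UNREVIEWED = json.loads("""{
  "schedule_meeting": {"require_password_for_scheduling_new_meetings": false,
                       "require_password_for_instant_meetings": false,
                       "use_pmi_for_scheduled_meetings": true},
  "in_meeting": {"waiting_room": false, "who_can_share_screen": "all"},
  "recording": {"cloud_recording": true}
}""")

if __name__ == "__main__":
    for f in audit(SAMPLE_UNREVIEWED):
        print(f"FAIL {f['setting']}: expected {f['expected']!r}, got {f['actual']!r} - {f['why']}")
```

Run it against the JSON your admin exports from the account settings page and the output is the to-do list; an empty output means the checklist is done.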
Who should own this
In a company of any size, these settings should be owned by someone. If there is no IT administrator, it is the person who manages the corporate Zoom account. This is a ten-minute task. It is not acceptable for it to remain undone because nobody knows whose job it is.
A word on the broader situation
Zoom is not uniquely dangerous. The risk pattern here is a tool deployed rapidly under crisis pressure, without the configuration review that would normally accompany a strategic tool deployment. The same checklist logic applies to every tool your organisation adopted in a rush this month. Settings that would have been reviewed in normal circumstances but were skipped in the emergency are exactly the gap attackers are watching for.