Zoom – Is It Secure Enough For Financial Institutions?

In a world ravaged by Covid-19, businesses have had to adapt quickly. All sorts of day-to-day tasks are now being rethought and redesigned, as organisations around the world find new ways to work remotely, keep everyone safe and keep their data safe and secure. One of the biggest changes has been to start holding meetings remotely, and Zoom has been one of the main ‘go-to’ solutions. In fact, Zoom has reported unprecedented growth, going from 10 million daily users in December 2019 to over 300 million users a day in April 2020. One of the greatest strengths of Zoom as a platform is that it has experienced absolutely no downtime during this rapid growth phase – it has kept up with the expansion and evolved at a truly exceptional pace. Even so, there have been serious concerns over security, particularly for industries that deal with more sensitive data – including financial services. So the question is, should these sectors even be using Zoom, and if they are, what should they be thinking about?

The Industry Concerns

In the early days of Covid-19, it’s fair to say that Zoom saw its fair share of issues, particularly around security. It’s not surprising, since it wasn’t initially designed for such a large userbase. Even so, this has caused a huge number of financial institutions (and particularly banks) to shun Zoom as a platform. Many organisations have banned the tool entirely, and other professionals like investment bankers, already under the watchful eye of compliance departments, have been advised against using it.

The main concern across all financial industries is the fear of ‘zoombombing’. This is where an uninvited individual or group will break into your meeting and disrupt it. Sometimes they will simply make noise and cause a disturbance, while in other cases they will screen share inappropriate images or even record the meeting to post on YouTube. Or worse, they could infiltrate the meeting and go unnoticed, allowing them to sit there in silence and listen to sensitive information, collecting it to use elsewhere later on. This is a brand new form of cybercrime, and one that risks a lot of very sensitive, valuable information. And it’s mainly this last point that is concerning financial institutions. Because there is a regulatory need to record market-sensitive calls, a call involving a financial institution that gets ‘zoombombed’ and shared creates a serious regulatory issue, one that no financial body wants to risk.

Features To Protect Your Meetings

While there may be some very valid concerns around financial institutions using Zoom as a way to connect with employees, partners and customers, the solution really comes down to due diligence. Thanks to new security measures by Zoom, these ‘zoombombings’ have been effectively shut down, and their platform has never been more secure. All you need to do is take the right precautions, including:

Use The Waiting Rooms: Zoom has a great feature called a waiting room, which pretty much does what it says on the tin, and should be your first step in securing your meetings. This function provides a virtual waiting room for your attendees, which they will be placed into when they first join the meeting. This allows the host to make sure they are who they say they are, and manually admit them into the meeting. So no one can just drop into your meetings again!

Don’t Use Personal Meeting IDs For Public Meetings: Your personal meeting ID is the default meeting that launches when you start an ad-hoc meeting, and it doesn’t change unless you go and change it yourself. While that’s a good way for people to reach you, it’s also a security risk. Instead, make sure you set up a new meeting with a randomly generated Meeting ID for every new meeting. That way only your approved attendees will know how to join your meeting.

Turn On Passwords: Passwords on meetings are an absolute no-brainer, particularly for FIs who are handling sensitive information. Make sure every meeting has a nice, secure password, and change it every time.

Lock The Meeting: Once all of your attendees are present and accounted for, take a second to lock the meeting room from the security menu. This means that no additional attendees can join, unless you unlock the meeting again.

Control Your Data Routing: When you’re dealing with highly sensitive information on a global scale, where that data goes matters. Thankfully, Zoom have now given you the ability to control your data routing, which means you can choose which regions’ data centres it travels through. You can’t opt out of your default region, but you can opt in or out of any other data centre region they offer, which includes the United States, Canada, Europe, India, Australia, China, Latin America and Hong Kong.

A note for users in China – Zoom has some pretty clear guidelines on your data. Specifically, they state that:

  • ‘Free users will be locked to data centres within their default region where their account is provisioned. For the majority of our free users, this is the United States. Data of free users outside of China will never be routed through China.
  • For users based in China, if your account admin has not opted into the China data center by April 25, your account will not be able to connect to our mainland China data center for data transit.
  • As a reminder, meeting servers in China have always been geofenced with the goal of ensuring that meeting data of users outside of China, stays outside of China. On April 3, we removed all of our HTTPS tunnelling servers in China to prevent any inadvertent connection through China.’
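The meeting precautions listed above can be checked across a whole schedule rather than one meeting at a time. The following is an added example, not code from the article or from Zoom: it audits a list of scheduled meetings for a disabled waiting room, use of a personal meeting ID, and missing, short or reused passwords. The record layout and field names (`uses_pmi`, `waiting_room`, and so on) are assumptions and the sample data is constructed; map them to whatever your own meeting export contains.

```python
from collections import Counter

MIN_PASSWORD_LEN = 6  # minimum password length mentioned in the article

# Constructed sample records; field names are assumptions for illustration.
SAMPLE_MEETINGS = [
    {"topic": "Weekly desk sync", "uses_pmi": False,
     "password": "k7#Qm2vX", "waiting_room": True},
    {"topic": "Client portfolio review", "uses_pmi": True,
     "password": "", "waiting_room": False},
    {"topic": "Quarterly results prep", "uses_pmi": False,
     "password": "Winter2020", "waiting_room": True},
    {"topic": "Compliance catch-up", "uses_pmi": False,
     "password": "Winter2020", "waiting_room": False},
    {"topic": "Ad-hoc call", "uses_pmi": False,
     "password": "ab12", "waiting_room": True},
]


def audit_meetings(meetings):
    """Return {topic: [findings]} for every meeting that misses a precaution."""
    # Count how many meetings share each non-empty password ("change it every time").
    reuse = Counter(m["password"] for m in meetings if m.get("password"))
    report = {}
    for m in meetings:
        findings = []
        if not m.get("waiting_room"):
            findings.append("waiting room disabled")
        if m.get("uses_pmi"):
            findings.append("uses personal meeting ID")
        pw = m.get("password") or ""
        if not pw:
            findings.append("no password")
        else:
            if len(pw) < MIN_PASSWORD_LEN:
                findings.append("password shorter than 6 characters")
            if reuse[pw] > 1:
                findings.append("password reused across meetings")
        if findings:
            report[m["topic"]] = findings
    return report


if __name__ == "__main__":
    for topic, findings in audit_meetings(SAMPLE_MEETINGS).items():
        print(f"{topic}: {'; '.join(findings)}")
```

Locking the meeting is done by the host once everyone has joined, so it does not appear in a schedule and is not covered by this check.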

How Is Zoom Responding?

Despite the mounting pressure of millions of new users in such a short time-frame, Zoom has responded remarkably well. Since the virus started, they have been communicating with customers on an almost daily basis, making sure they are kept up to date with all the changes. They have also been working closely with banks and other financial institutions to ensure the regulatory need for security is met. A Zoom spokesperson said:

‘Major financial institutions around the globe are continuing to use Zoom to keep their trading operations running and to continue their important work with their clients and colleagues on a daily basis–they are playing a crucial role in the continued functioning of the global economy, and we are proud to be helping these customers maintain business continuity in this challenging and unprecedented time’

On top of that, Zoom are constantly updating and improving security, on an almost daily basis. For example, just in the past month Zoom have:

  • Implemented support for AES 256-Bit GCM Encryption (which offers improved protection of meeting data and stronger resistance against tampering).
  • Added a ‘report a user to Zoom’ function, so you can report any suspicious behaviour.
  • Provided enhanced data center information, which means you can choose the data centre your call and all associated information is being routed through.
  • Made enhancements to the end/leave meeting flow, including assigning a new host.
  • Disabled the ability for participants to show their profile picture, and prevent them from changing it in a meeting within the meeting settings.
  • Reset the minimum password length to 6 characters, improving security.
  • Set expiration dates and the ability to disable sharing of cloud recording for meetings.

Not to mention that they are also planning the ability to disable PMI, and applying new security defaults to all accounts, including passwords on all past and future meetings and webinars (including for phone attendees), and a feature that disables joining from multiple devices.

So while Zoom might not be perfect, they are constantly assessing and developing new features to give users unparalleled control over their meetings and data. And they are providing much more transparency about it than any other platform out there right now. It’s certainly our platform of choice at the moment, and means we can still meet regularly as a team, and with clients no matter where in the world they are. And for financial institutions who may be worried about the security element, we recommend keeping an eye on the updates, making sure your meetings have secure passwords, updating your Zoom client/app regularly, and activating the waiting room feature to protect your meetings.

