Security versus convenience

Enhancing Zoom’s security while keeping the service as frictionless and accessible as it has been could be a particularly challenging balance for the company to strike. Joining a Zoom meeting can be as simple as clicking a link from your email or calendar invite. But adding layers of security often means implementing more steps for the user.

“There’s always a trade-off between ease-of-use and usability,” said Rob Davis, CEO of cybersecurity firm CRITICALSTART.

Two-factor authentication, for example, adds more security but also means the user needs to take that extra step of typing in the code sent to his or her phone. Enforcing tighter controls around how participants join a meeting could also make the process of adding colleagues or friends at the last minute slightly longer.

Stronger end-to-end encryption could also make it harder to maintain high call quality, one of the characteristics that makes Zoom so appealing, according to Satya Gupta, chief technology officer at web application security company Virsec.

“I suspect that this is going to be a serious problem for Zoom to be able to solve because, you know, when you encrypt and decrypt, it introduces lag and latency into a call,” Gupta said.

For its part, Zoom has been quick to react to the myriad of issues that have emerged. It outlined a 90-day plan to make Zoom a security- and privacy-first product. As part of that plan, it’s committed to freezing the development of new features to focus on increasing security, publishing a transparency report with information about data requests, and bringing in outside experts to evaluate its security practices, among other measures.

The company recently tapped Alex Stamos, Facebook’s former security chief, as an external consultant to help it ramp up its security. It has also made security settings easier for users to access, and now requires additional password settings for users on basic, free accounts and accounts with a single licensed user.

Still, Zoom could be more transparent about the measures it’s taking, which would make it easier for other security professionals to assess the company’s approach to security, Davis said.

“That allows other people to more easily ascertain, ‘Have you taken the right steps?’” Davis said.

Zoom has said it will consult external security experts and form a council of chief information security officers from across the industry to discuss best practices when it comes to security.

But the experts seem to agree that trading some conveniences for security is worth it. And juggling the two, especially within 90 days, will be a challenge.

“It’s a hard balancing act that has to be performed,” said Maor. “It’s not an easy task.”