As Zoom has become the dual work and social platform of choice, Zoombombing has been all over the news as online classes and promotional beauty brand events have been affected. Companies large and small have been targets of Zoombombing in recent weeks, including Glow Recipe and Chipotle.
Zoom has received increased scrutiny for security issues as a result of the flood of harassers invading meetings to either play pranks or post hateful or pornographic content. As a result, the company introduced new measures requiring passwords and entry through its “waiting room” feature by default. Previously, cyber security company Check Point Security discovered a Zoom flaw in January, in which it was possible for hackers to enter meetings not protected by passwords, but now Zoom has addressed this problem.
“This is one of those cases where I think a lot of the responsibility falls on the person that is using Zoom, because there’s a lot of things that they can do to try to make the chances of being bombed smaller,” said Maya Levine, a security engineer at Check Point Security.
Beyond’s Zoom public guidelines on Zoombombing, companies should take the following into consideration when hosting promotional Zoom events.
Be aware of where you share
One of the reasons Zoombombing has become so prevalent is the ease in which perpetrators can find publicly promoted Zoom meetings. This means it’s not just mega corporations like Chipotle that will be targeted, but any brand deciding to host a public-facing event on Zoom.
“If you’re posting on any kind of public space like Facebook or Instagram, all a bad actor needs to do is just search for Zoom.us on Facebook, for example, and any public Facebook group that has posted a link [will come up,]” said Levine. As a result, any public-facing event by a brand, no matter how niche, is going to end up on Zoombombing target lists. As such, these events should not have interactive features enabled.
And it should go without saying, but for private events and personal meeting IDs, “never, ever post your meeting ID on a public place,” said Levine.
A Glow Recipe representative said the beauty brand will take crowd control measures for future events, after having one of its happy hours Zoombombed.
Choose the right format
Because any public event posted to social media is ripe for targeting by would-be Zoombombers, brands need to choose the webinar function to have control.
“Webinars are more suited for these public events,” said Levine, as attendees are view-only and only hosts are allowed to share video and audio. “I definitely would recommend any public broadcast with 50 or more attendees to use the webinar feature instead of the meeting feature.”
Manage the guest list
For brands that do want to host a more interactive event like a happy hour, guest lists and privacy are key. Attendees can sign up via online registration ahead of time, as was the case with beauty brand Indie Lee’s event, which required users to register for a Zoom masterclass via EventBrite. Future events’ guest lists should be closely monitored by brand employees, and hosts should approve only RSVPed guests using the waiting room function that will be on by default.
Stay in control
In the webinar setting for public-facing events, users still “have the ability to interact with Q&A and chat and by answering polling questions,” said Levine. Because of this, brands also need to be monitoring the chat section and kicking out anyone who posts inappropriate content.
With regard to the screen-sharing problems that have become a part of Zoombombing for events on the meeting setting, hosts can turn off screen sharing either before or during the meeting, ensuring that would-be harassers cannot hijack the meeting. Zoom made this point clear on its recent blog post about how to prevent Zoombombing: “The first rule of Zoom Club: Don’t give up control of your screen.”