The 9ine Blog

9ine helps thousands of school leaders and IT teams protect their school community by publishing critical changes, updates and best practice blogs. 


SUBSCRIBE TO 9NEWS

Blog-schools-on-zoom

Security Best Practices for Schools Using Zoom

With the COVID-19 situation forcing global school closures, schools have hastily introduced new platforms to continue delivering lessons. When it comes to video conferencing, the most popular choice has been US based company, Zoom. With growing pressure from the privacy sector and recent headlines stating that users have experienced inappropriate content and video hijacks, many schools are questioning if  this is the best platform for a school to use.

Zoom has been subject to several high profile security issues in the past, including an exploit and security issue that could allow an attacker to take control of your webcam and microphone. More recently reports have surfaced of Zoom rooms being hijacked or ‘Zoom-bombed’ by intruders, using the room to voice racial slurs, post inappropriate imagery/video and insult both children and staff.

[UPDATE 05/05/20]  9ine recommends that all users now change their Zoom account password and enable two factor authentication. As always, ensure the new password is unique to Zoom. A recent security report claims to have discovered that more than 500,000 Zoom user account credentials are available for purchase on the Dark Web. This is not believed to be the result of a breach or cyber attack on Zoom, but more a technique known as ‘password stuffing’ in which hackers use stolen usernames and passwords from other platforms that have suffered data breaches and attack users who use the same credentials for their zoom accounts.

Zoom has been active in addressing each of these issues through a series of software updates, blog articles, online training resources and a CEO announcement to their community. To further support this, we have put together best practices and considerations when using Zoom for your virtual classrooms.

1. Schools should NOT be using the Basic (free) model to host virtual classrooms.

The free version of Zoom is unmanaged and will likely result in staff and students accessing Zoom with either their personal and/or school email addresses. Safety and security settings cannot be managed by the IT team and the school will be unable to acquire evidence or hold staff to account, offering  no protections for users from the school. Schools should, as a minimum, be using the Education license for Zoom use, providing centrally managed control of settings and users, organisation recording and an increased number of possible participants. If you wish to implement more regular recording of lessons / meetings then it’s better value to select the Enterprise plan, as this offers unlimited storage for recordings rather than the Education maximum add-on of 3TB.

2. ‘Waiting room’ and ‘Host only content sharing’ should be enabled.

School’s have experienced uninvited guests joining their Zoom rooms as a result of obtaining the room link or ID, this can be easily avoided by ensuring the ‘Waiting Room’ feature is enabled, the host then approves any new users who may wish to join the room. In addition to this, enabling the ‘host-only content sharing’ feature ensures that the host (Teacher) of the room can manage the content being shown and students cannot freely post images or videos to the shared screen. In a recent update, both of these features are enabled by default if using the Education license of Zoom.

3. Create rooms using a Random Meeting ID and be careful not to share your Personal Meeting ID in videos/screenshots on social media.

If pictures or recordings of Zoom meetings are shared on social media, it’s possible to obtain the Personal Meeting ID and potentially allow a hijacker to access the room. If ‘Waiting Room’ is not enabled, the hijacker will be able to enter the room and share their video feed instantly. This could result in inappropriate or malicious activity being forced on the users of that room. Using a Random Meeting ID ensures that the moment the room is closed, access via the link is no longer available. This and other useful best practices for securing your virtual classrooms are available on a Zoom website created specifically for educators.

4. Staff will require sufficient training to maximise the platform features.

With staff working from home and becoming more comfortable in their home-working environments, now is the time to ensure staff receive suitable training and support in the use of Zoom. Zoom provides education specific training materials, video tutorials and live training webinars to get your questions answered.

 


Download 9ine's Data Processor Assessment to assist you in the deployment of new software tools.

Request the assessment


5. Evidence your assessment of Zoom through the completion of a Data Processor Assessment.

As a Data Controller, you are responsible for making sure personal data is processed in accordance with data protection laws. You are required to make sure that all data processors you are using provide sufficient guarantees and have the appropriate technical and organisational measures in place. In response to recent pressure from the privacy sector, Zoom recently updated their Privacy Policy to provide more clarity of their personal data processing.

With some careful considerations and the right licensing for your organisation, Zoom can be an excellent platform for your virtual classroom needs. If you allow your organisation to rush into it without completing the proper checks and sign up for the wrong license, you run the risk of exposing the school to a range of technical, functional and safeguarding risks, resulting in an unsafe environment for your staff and students.

To assist schools during this challenging time 9ine has developed a comprehensive Data Processing Assessment tool available to all schools. For further reading, take a look at our recent blog, Assessing and Deploying New Software Platforms.


ABOUT THE AUTHOR:

Tom H_Soft Square Profile picture-05

Tom Hamersley, Associate Director at 9ine and Head of Client Engagement, is an experienced certified GDPR Practitioner, he is responsible for compliance programmes at a range of schools around the globe. Tom brings a wealth of knowledge with over 10 years of training experience.


New call-to-action