Skip To Main Content
Virtual waiting rooms: Identifying safety and security challenges
Mark Orchison CIS Affiliated Consultant

 

By Mark Orchison, Managing Director, 9ine

 

 

Are you confident Zoom is configured correctly and provides a safe and suitable remote learning experience for your staff and students?

With the COVID-19 situation and global school closures, schools have been forced to quickly introduce new platforms to continue delivering lessons and keep students engaged. When it comes to video conferencing, the most popular choice has been the US-based company Zoom. With growing pressure from the privacy sector and recent headlines stating that users have experienced inappropriate content and video hijacks, is this the best platform for your school?

Zoom has been subject to several high profile security issues in the past, including an exploit and security issue that could allow an attacker to take control of your webcam and microphone. Recently, reports have surfaced of Zoom rooms being hijacked or ‘Zoom-bombed’ by intruders, using the room to voice racial slurs, post inappropriate imagery/video and insult both children and staff.

Zoom has been active in addressing each of these issues through a series of software updates, blog articles, online training resources and a CEO announcement to their community. To further support this, we have put together a series of best practices and things to consider when using Zoom for your virtual classrooms.

Something to look out for: We are undertaking an information-gathering exercise right now on this the topic and will publish a follow-up article to this one when results are in.

 

Schools should NOT be using the Basic (free) model to host virtual classrooms

The free version of Zoom is unmanaged and will likely result in staff and students accessing Zoom with either their personal and/or school email addresses. Safety and security settings cannot be managed by the IT Team and the school will be unable to acquire evidence or hold staff to account, offering no protection for users from the school. Schools should as a minimum be using the Education license for Zoom use, providing centrally managed control of settings and users, organisation of recordings, and an increased number of possible participants. If you wish to implement more regular recording of lessons/meetings then it’s better value to select the Enterprise plan, as this offers unlimited storage for recordings rather than the Education maximum add-on of 3TB.

 

Online video lesson

‘Waiting Room’ and ‘Host-only content sharing’ should be enabled

Schools have experienced uninvited guests joining their Zoom rooms as a result of obtaining the room link or ID, this can be easily avoided by ensuring the ‘Waiting Room’ feature is enabled, the host then approves any new users who may wish to join the room. In addition to this, enabling the ‘Host-only content sharing’ feature ensures that the host (teacher) of the room can manage the content being shown and students cannot freely post images or videos to the shared screen. In a recent update, both of these features are enabled by default if using the Education license of Zoom.

 

Create rooms using a Random Meeting ID and be careful not to share your Personal Meeting ID in videos/screenshots on social media

If a teacher creates a virtual classroom for their students and shares a picture to celebrate their progress on social media, it may be possible to see the Personal Meeting ID and allow a hijacker to access the room, if ‘Waiting Room’ they will be able to enter the room, talk and share their video feed instantly. This could result in inappropriate or malicious activity being forced on the users of that room. Using a Random Meeting ID ensures that the moment that room is closed, the ID is no longer used, with any new rooms using new Random Meeting IDs. This and other useful best practices for securing your virtual classrooms are available on a Zoom website created specifically for educators.

 

Staff will require sufficient training to maximise the potential of the features available

With staff working from home and comfortable in their home-working environments, now is a better time than any to ensure staff receive suitable training and support in the use of Zoom. Zoom provides education-specific training materials, video tutorials and live training webinars to get your questions answered.

 

Evidence your assessment of Zoom through the completion of our Data Processor Assessment

As a Data Controller, you are responsible for making sure personal data is processed in accordance with data protection laws. You are required to make sure that all data processors you are using provide sufficient guarantees and have the appropriate technical and organisational measures in place. In response to recent pressure from the privacy sector, Zoom recently updated their Privacy Policy to provide more clarity of their personal data processing.

To assist schools during this challenging time 9ine has developed a comprehensive Data Processing Assessment tool available to all schools, without obligation and free of charge. 

Download 9ine's Data Processor Assessment to assist you in the deployment of new software tools.

 

Summary

With some careful considerations and the right licensing for your organization, Zoom can be an excellent platform for your virtual classroom needs. If you allow your organization to rush into it without completing the proper checks and sign up for the wrong license, you run the risk of exposing the school to a range of technical, functional and safeguarding risks, resulting in an unsafe environment for your staff and students.