One organization’s journey to create secure Zoom events

As social distancing guidelines necessitated a way to gather virtually rather than in-person, EdNC set its sights on Zoom. We’d used the platform before for team meetings, but hoped to also use it for a series of events that would bring together educators, students, parents, and others to discuss education amid COVID-19.

Zoom includes features that foster a more collaborative environment – things like participant chat forums, screen sharing, virtual backgrounds, and breakout rooms. But many of those same aspects of Zoom also pose security risks.

During our second virtual event, we were “Zoombombed.” Words and symbols of hate speech infiltrated a call that was designed to be a safe space for dozens of educators, students, and others. We were horrified. And we knew we had a lot of work to do if we wanted to hold a virtual event again.

Our work to understand exactly what needed to happen to create secure, safe Zoom events began immediately. First, we spent hours working with a consultant to determine what questions we even needed to be asking about Zoom and its many security features. Here’s the initial list we came up with.

  • What kind of account do we have? What kind of account should we have?
  • What security settings need to be set in the account versus in the meeting settings?
  • Should the date and time of future events be publicly available?
  • Should we use the random meeting ID feature in Zoom?
  • When should the password to the Zoom meeting be sent to participants?
  • Should registration be required via Zoom or another portal, like Eventbrite?
  • Should all participants be muted on entry?
  • Should screen sharing be enabled?
  • Should annotation of screens be enabled?
  • Should virtual backgrounds be enabled?
  • Should breakout rooms be used?
  • Is it important to have the most updated version of Zoom software?
  • Should private chat and public chat be enabled?
  • What is the difference between a host and co-host?
  • Should the event be recorded to the local computer or in the cloud?
  • How should waiting rooms be used for large groups?
  • Should you enable the waiting room after the meeting has started or lock the meeting entirely?

Then, we turned to ZeroFOX, a cybersecurity company focused on public attack surface protection. An initial call with the ZeroFox team answered our big questions, but it also made it clear that we needed more strategic guidance in exactly how to calibrate our Zoom settings for optimal security.

We followed up with two more hours of in-depth Zoom security training with a ZeroFOX team member, where we walked through each of Zoom’s security features, one-by-one, to ensure we understood what they were and that they were set up correctly. We discussed the difference between Zoom meetings and Zoom webinars, ultimately deciding that webinars would offer a safer way for us to proceed with virtual events.

Finally, we had additional team members work with ZeroFOX for another hour of training ahead of our virtual event to ensure we knew what to do if the event was compromised.

Ahead of the event, we held a few final practice webinars with the team and assigned security “roles.” Splitting up responsibility for security was key to our strategy – we had different team member responsible for monitoring submitted questions, monitoring the participant list, and monitoring the content of the event itself.

Our next two Zoom webinars went off without a hitch, but we are still learning and growing our knowledge around how to create secure virtual spaces. Thank you for your grace as we continue to learn.


For more on ZeroFox, click here for information about a free trial of their Zoom and Slack security platform, review their best practices for security Zoom events, or watch the video below.

Mebane Rash is the CEO and editor-in-chief of EducationNC and the N.C. Center for Public Policy Research.

Analisa Sorrells is the Chief of Staff and Associate Director of Policy for EducationNC.

Coronavirus The Editor's Notes