Attacks on Cloud Services Grow Amid Telecommuting Boom


As more of America’s workers were asked to work from home due to the COVID-19 pandemic, cyber criminals jumped at the opportunity to take advantage, it seems.

Remote work means work being handled on the cloud as employees share files and need a convenient way to access them.

But cyber criminals are banking on workers letting down their guard when they work from home, so it’s no surprise that while cloud service usage among enterprises jumped 50% between January and April, external attacks on cloud accounts boomed 630% in the same period.

Also, hackers and other cyber scammers orchestrated systematic attacks on collaboration tools like Cisco WebEx, Zoom, Microsoft Teams and Slack, according to McAfee’s “Cloud Adoption & Risk Report ― Work from Home Edition.”

The risk to enterprises cannot be overstated as criminals try to take advantage of the sudden shift to telecommuting by thousands and thousands of organizations as they try to cope with the COVID-19 pandemic and continue operating during stay-at-home orders.

Employees are your organization’s first line of defense. You can protect your company by encouraging personnel to be skeptical of e-mail from unfamiliar sources.

Training your staff

Before the COVID-19 crisis, PricewaterhouseCoopers simulated a phishing attack on mid- to large-size financial institutions, finding that:

  • 70% of phishing e-mails were delivered to their targets, and
  • 7% of recipients clicked on the malicious link.

The danger with phishing and ransomware attacks is that it only takes one click, one missing endpoint agent, one failed alert or one unsuspecting employee for the criminals to take control of your network and your cloud files.

Many of these attacks come in the form of what’s now called “social engineering attacks.” PwC recommends coaching all of your employees to take the following precautions, particularly on their mobile devices:

  • Be skeptical of e-mails from unknown senders, or from familiar people (like your company’s CEO or your doctor) who do not usually communicate directly with you.
  • Don’t click on links or open attachments from those senders.
  • Don’t forward suspicious e-mails to co-workers.
  • Examine the sender’s e-mail address to ensure it’s from a true account. Hover over the link to expose the associated web addresses in the “to” and “from” fields; look for slight character changes that make e-mail addresses appear visually accurate — a .com domain where it should be .gov, for example.
  • Grammatical errors in the text of the e-mail are usually a sure sign of fraud.
  • Report suspicious e-mails to the IT or security department.
  • Install the corporate-approved anti-phishing filter on browsers and e-mails.
  • Use the corporate-approved anti-virus software to scan attachments.
  • Never donate to charities via links included in an e-mail; instead, go directly to the charity website to donate.

Cyber insurance

Cyber insurance is designed to protect your company by insuring you for network security issues, privacy, interruption to your business, media liability, and errors and omissions.

For phishing, ransomware and other cyber attacks, the network security and business interruption portion of the policy would mainly come into play.

Network security coverage — This includes first party costs. That is, expenses that you incur directly as a result of a cyber incident, including:

  • Legal expenses
  • IT forensics
  • Negotiation and payment of a ransomware demand
  • Data restoration
  • Breach notification to consumers
  • Setting up a call center
  • Public relations expertise
  • Credit and identity monitoring

Business interruption — When your network, or the network of a provider that you rely on to operate, goes down due to an incident, you can recover lost profits, fixed expenses and extra costs incurred during the time your business was impacted. This includes loss arising from:

  • Security failures, like a third party hack.
  • System failure, such as a failed software patch or human error.

Insurance Costs Related to COVID-19 Could Top $100 billion


COVID-19-related losses for property-casualty insurers are likely to top $100 billion, with workers’ compensation accounting for about a third of all payouts, according to a new report by Wells Fargo & Co.

The report estimates that workers’ compensation could see total COVID-19 claims payouts of up to $34 billion, but that factors like the severity of workers’ comp cases and the number of deaths will determine the final payouts. This may spur rate hikes in workers’ compensation after years of soft pricing in most of the country.

The majority of workers’ compensation claims are likely to be in the health care sector, and the rest among “essential workers” who have had to remain on the job.

One report by the Division of Workers’ Compensation at the Florida Department of Financial Services found that health care workers and those working in protective services accounted for 83.3% of COVID-19 indemnity workers’ comp claims filed in Florida as of May 31.

The Wells Fargo report forecasts that the claims are likely to put pressure on rates for a number of lines of insurance. Besides workers’ compensation, it predicts that these other lines will see significant claims payouts:

Business interruption — The second-highest claims payouts, the report states, will be for business interruption losses related to the COVID-19 outbreak. Wells Fargo estimates that total claims payouts will be between $4 billion and $24 billion.

However, most business interruption coverage, which is typically tied to commercial property policies, does not cover losses from pandemics. That said, some stand-alone policies have had more liberal coverage wording that will require the insurers to pay the claims.

Event cancellation — The report estimates that event cancellation losses will account for nearly 30% of industry losses. This insurance protects event revenues and related expenses against the risks of cancellation, postponement, curtailment, relocation or abandonment of an event for unforeseen circumstances beyond the control of the event organizer.

Beyond the lost revenue, the costs of canceling a large event can run into the tens of millions of dollars, sometimes more. While the specific terms of event cancellation policies vary, many offer broad “all-risk” or “all-cause” coverage that is triggered by any unexpected cause that is not expressly excluded under the policy.

Other policies, however, are written such that only specific causes or risks (like terrorism or natural catastrophe) trigger coverage.

While some event cancellation policies include exclusions for infectious or communicable diseases (which would include COVID-19), many do not.

Other lines of insurance that could sustain losses due to the pandemic include:

  • Travel insurance — Issues that could come into play include emergency evacuation, repatriation and out-of-country medical benefits that cover costs for the treatment and transportation of sick or injured employees. Policies typically offer optional coverage for unexpected medical expenses.
  • Directors and officers liability — These claims could concern legal action for not taking timely measures regarding COVID-19 to protect the organization, as well as legal action for financial damage or even insolvency. 

The topside

The report also notes that there are some lines of insurance that could benefit from lower claims due to the COVID-19 pandemic. Chief among these is commercial auto, due to the substantial decrease in vehicle accidents as there have been fewer cars on the roads at a time of shelter-at-home orders.

What Business Insurance Policies Cover Rioting, Looting


As protests around the country descended into rioting and civil unrest, many businesses that have been looted, or seen their shops damaged or completely destroyed, will obviously be turning to their insurance to file a claim.

While many companies were unsuccessful in filing business interruption claims for the COVID-19 crisis, claims for damage and theft from rioting and looting are more likely to be paid. A number of coverages will come into play depending on the damage and lost income a business suffers at the hands of rioters, vandals and looters.

Property damage

Standard commercial property policies cover damage to a business property caused by fire, explosion, riot or civil commotion, vandalism or malicious mischief. This would include coverage to the structure of the business, as well as any inventory, fixtures and other contents. Business owner’s policies also include this risk.

The business personal property coverage portion of the policy would cover damage and theft if rioters break into a real estate office, for example, and steal computers, burn furniture and destroy office equipment. That said, the damage would be subject to limits (specific or blanket), as well as any deductibles required by the policy.

Commercial vehicle damage

Automobiles are covered under the optional comprehensive portion of a commercial auto policy, which you should have for all your vehicles. This will pay for damage to the vehicle and its contents caused by fire, falling objects, vandalism or rioting.

Comprehensive coverage will cover the gamut and will pay you if a vehicle is:

  • Stolen,
  • Damaged, or
  • Destroyed (for example, burned).

One of the most common damages to vehicles during riots is broken windshields, which you can usually get covered with an optional glass coverage rider.

Business interruption coverage

Companies that are forced to close as a result of riot and looting damage may have coverage for business interruption under a business property policy.

The policy may also cover lost income because a business had to close after riots. It would often cover dependent properties or have contingent business extensions of coverage. Also, coverage can apply if a business suffers a loss of income because of curfews or if authorities bar access to a property.

Coverage is typically triggered if there is direct physical damage to the premises.

You should note that many policies require a 72-hour waiting period before a policyholder can begin making a claim. That’s because the first three days of business shutdown, access constraints or limited hours of operation because of a civil authority action are often excluded from coverage.

There may also be a limit to the claim period. A standard limit is up to three weeks of losses.

Filing a claim

When filing a claim, read your policy in its entirety to determine how to best present it. It’s important to understand the policy’s limits and deductibles before spending time documenting losses that may not be covered.

If you are going to file a claim, document all damage. You should have receipts for all your inventory and fixtures. Here’s what you should do:

  • Take photos of all damage.
  • Contact your agent and file a claim immediately.
  • Clean up to protect your building, but do not make major repairs until you talk to the insurance company.
  • Keep receipts for any remediation work.

If you’re going to file a business interruption insurance claim, you will need:

  • Pre-riot financial statements and income tax returns.
  • Post-riot business records.
  • Copies of current utility bills, employee wage and benefit statements, and other records showing continuing operating expenses.
  • Receipts for building materials, a portable generator and other supplies needed for immediate repairs.
  • Paid invoices from contractors, security personnel, media outlets and other service providers.
  • Receipts for rental payments, if you move your business to a temporary location.

A final thought: Filing a business interruption claim is not easy, particularly when estimating losses. The process is highly complex and can be contentious. If the insurer disagrees with your loss estimates, they may have specialists audit your claim.

 

Adjustable Workstations Key to Reducing Injuries


Musculoskeletal disorders from manual labor in factories, construction, printing and warehouse work are one of the most common types of workplace injuries and account for one-third of all workers’ compensation costs.

These injuries take a profound economic toll on both workers who suffer these injuries and on employers who pay more for their workers’ comp premiums. There are also indirect costs, such as training replacement personnel, retraining workers, lost productivity and reduced morale.

To reduce the chances of MSDs among your workers, make sure their workstations are ergonomically designed and optimized for safety and efficiency of use.

One of the best ways to reduce these types of injuries is to ensure that workers of different sizes and physical limitations can work in the same area without straining themselves and developing an MSD.

The height of the work area is a significant factor in these types of injuries. Usually the height is stationary, but one size does not fit all. Someone who is too short or too tall for a standing work area will have to strain to work in a position that is not optimal.

The adjustable workstation

While for some workstations a standard size cannot be avoided, in many cases it’s best to have workstations with adjustable heights. Height adjustability is useful not only for very tall or very short people, though.

For specific tasks, the ability to adjust the bench top to the application may help workers of all sizes execute tasks more ergonomically.

An adjustable workspace can accommodate the majority of workers in ways that reduce stresses and strains, whether they differ by height, reach capabilities, strength or flexibility. If you have an adjustable workspace, a tall and short worker can use the same work area by simply adjusting the height when they start their shift.

Avoiding neck strains

Besides a workspace that moves up and down, you should also make sure that the worker doesn’t have to strain to read documents or screens or type on a keyboard, such as when they are sitting on the surface of the workstation.

While this may seem like a small thing, a worker who has to look down at an extreme angle at papers or a screen on a table every day for years can develop neck disorders and injuries. They may not be as severe as a sprain or a strain, but they can still impair the individual’s ability to work ― and over time could require surgery and rehab.

Sometimes the solution is simple, such as using a height-adjustable arm to hold documents or a screen. You can also have an articulating keyboard tray that moves up and down so the worker can adjust it at an optimal height and not have to strain to type.

These solutions are inexpensive and will reduce the chances of employees straining to read documents or screens or type. Using these simple tools will also make your workers more efficient. Like height adjustability, these arms will work for people of various heights and sizes.

The takeaway

The key to ergonomics is to make the environment fit the worker, not vice versa. This can be accomplished in many ways, ranging from facility design to equipment specification to process design.

By homing in on the workstation, you can greatly reduce the chances of your workers developing an MSD.

More Older Workers’ Comp Claims Being Settled as COVID-19 Brings Uncertainty

One bit of good news coming from the COVID-19 pandemic is that the economic downturn has boosted efforts to close older workers’ comp claims that have been lingering as both sides cannot agree on a settlement.

Due to the financial pain brought on by the sudden downturn, injured workers who have been reluctant to settle their claims have been coming forward to close them, according to workers’ comp attorneys.

The injured workers are often settling their claims for less than they were demanding before. One lawyer told Business Insurance magazine that he was seeing claimants come in with offers that were on average 10% lower than previously.

This is an important development for employers who have legacy workers’ compensation claims that have stayed open as the injured worker remains on permanent disability and may also still be receiving ongoing or sporadic medical treatment. Employers want to close these claims because the longer they stay open, the more they end up costing the insurer, and hence it drives up the employer’s workers’ comp costs.

One of the most unpredictable parts of older claims is unexpected adverse claims cost development, particularly if the injured worker develops new medical complications that are an outgrowth of or related to the original injury claim.

When that happens, the workers’ comp carrier will also have to pick up the tab for that treatment, further driving up the cost of the claim and affecting the employer’s workers’ comp experience.

Work with your insurer

In a white paper, global insurance giant Marsh recommends that employers try to work with their insurers to proactively settle these older claims to save money in the near and long term, and to reduce the prospects of the claim deteriorating further given the “uncertainty about the post-COVID-19 economic environment.”

Marsh said that businesses should take a strategic approach to closing these old claims by working with their insurer’s claims adjuster and using analytics and claims inventory management tools to identify complex claims and focus on settling them first.

Another smart move is to stay in close contact with injured employees to help them navigate the workers’ comp system. And if they are at home on the mend, the employer should make a point to regularly reach out to them to see how they are healing up and if they have questions about their claim and the process for returning to work.

This is one of the best ways to reduce the chances of an injured worker becoming disgruntled and hiring a lawyer to litigate their claim, which will usually drive up the cost of the claim in addition to the time they are away on workers’ comp disability.

Insurers are also feeling the effects of the COVID-19-related economic downturn, which gives them an incentive to try to settle old claims so they don’t have that uncertainty of how much they will eventually end up paying for the claim.

The downturn has also forced some insurers to consider laying off claims representatives as they deal with the prospect of lower premium volumes.

Injured workers may also have an incentive to get their claims closed by receiving a lump-sum payment now, which they may need due to the poor economic environment.

The takeaway

If you have any legacy workers’ comp claims that are still being paid, you may want to consider reaching out to your insurer to see if there is a possibility of getting the injured worker to renegotiate a settlement so you can get the claim closed. Because a claim costs more the longer it stays open, and given the uncertainty brought on by the pandemic, it would behoove any employer to take this step.

Testing Workers for COVID-19 Raises Privacy, Discrimination Issues


Employers whose businesses continue to operate are obviously concerned about the coronavirus spreading through their worksites, so many have started testing their workers.

Recent U.S. Equal Employment Opportunity Commission guidance authorized employers to conduct COVID-19 testing and check temperatures of employees. But doing so could expose a business to a number of employee legal actions from invasion of privacy to discrimination and wage and hour charges, say employment law attorneys.

While the EEOC guidance refers to existing Americans with Disabilities Act regulations requiring that any mandatory medical test of employees be “job related and consistent with business necessity,” it left many questions unanswered.

So, if you decide to start testing workers, you will have to navigate a number of issues, such as:

  • Which tests are appropriate?
  • What are the standards for protecting workers’ privacy?
  • Should employees be paid for the time they wait in line to be tested?
  • Should you get written consent?
  • How will you ensure that the policy is applied consistently?

Employment law experts say there is often a surge in employee lawsuits when new rules or guidance are being issued, and more so with such a sensitive issue as one’s health during a pandemic.

The kinds of claims that employers may see as a result of employee testing include:

  • Invasion of privacy
  • Failure to protect employees’ personal health information
  • Discrimination
  • Retaliation
  • Wage and hour actions if waiting for testing takes time.

What you can do

Typically, employers would not be allowed to test a worker’s temperature for a specific disease, but these are unusual times and the threat of infection is too great.

Most lawyers are interpreting the EEOC guidance as meaning that employers may take steps to determine whether employees entering the workplace have COVID-19 because an individual with the coronavirus will pose a direct threat to the health of others. Therefore, an employer may choose to administer COVID-19 testing to employees before they enter the workplace to determine if they have the virus.

To cover your bases, you should plan your testing in detail, including:

  • How you will be conducting tests (providing at-home test swab kits, testing upon arrival, or offsite).
  • Designate a person who is authorized to conduct tests.
  • Document how you will be administering tests.
  • Plan for how you will account for false positives or false negatives.
  • Decide how often you should be testing.
  • Budget for the testing.
  • What will you do if a worker tests positive or has a fever (if you are just checking temperatures)?
  • Don’t have exceptions to the policy or, if you do, keep them to a minimum. The more exceptions to a policy, the more likely you are to be sued.
  • The policy should comply with guidance from the Centers for Disease Control and Prevention, such as using non-contact thermometers and ensuring social distancing during the process.

Insurance

The risk of being sued when administering testing is real and you should do everything you can to make sure it’s carried out fairly and consistently. But even if you do everything by the book, you can still be sued.

During bad economic times when people are losing their jobs, employee lawsuits tend to rise and, even if you are eventually found to have acted within the confines of the law, you still have to pay the legal fees.

One type of policy that could step in to protect you is employment practices liability insurance. EPLI will cover awards and legal costs in employee-initiated lawsuits. Each policy is different though, so it’s best to consult with us first.

If you are testing or are considering testing your staff, you may want to consider it.

Workers Get Workers’ Comp Presumption for COVID-19


California Gov. Gavin Newsom has issued an executive order requiring that workers who either test positive for COVID-19 or are diagnosed by a physician as having coronavirus are eligible for workers’ compensation benefits.

The order means that it will automatically be presumed that the employee contracted the virus on the job if they test positive or receive a diagnosis within 14 days of their last shift.

Additionally, the employee must have been working at a worksite and not from home to qualify, and the diagnosis must be confirmed by testing within 30 days of the original diagnosis.

The order covers any worker that reports to a worksite, including “essential workers,” which include those in health care, emergency services, trucking, construction, food, warehousing, delivery, and more.

Workers’ comp benefits include partial wage replacement for any missed time from work, as well as covering all related medical costs and death benefits for their family should the unthinkable happen.

If the employer believes an employee didn’t contract the virus at work, they will have the burden of proving the individual contracted the virus elsewhere, which would be a difficult endeavor.

The rule is temporary and will cover cases dating back to March 19. It will sunset on July 6 (60 days after the announcement was made on May 6).

No adverse X-Mod effects

While the order will make it easier for essential workers to file workers’ comp claims, employers do not have to worry about the effects on their workers’ compensation claims experience.

That’s because the Workers’ Compensation Insurance Rating Bureau has proposed its own rules that would exempt any COVID-19 claims from an employer’s claims history, so that it would not affect their experience modifier (X-Mod).

That means if an employer has any workers who file COVID-19 claims, their premiums would not rise due to those claims.

The proposal will be reviewed by the Department of Insurance in May and it’s likely, according to industry observers, that it will be approved. It too will sunset 30 days after shelter-at-home orders are lifted.

The Rating Bureau estimates that the cost of COVID-19 workers’ compensation claims in California could range from $2.2 billion to $33.6 billion annually. A mid-range estimate of $11.2 billion would equate to more than 60% of all California workers’ comp annual claims before the pandemic.

State Fund to Accept All COVID-19 Claims by Essential Workers


State Compensation Insurance Fund has announced that it will accept any workers’ comp claims for a diagnosed case of COVID-19 filed by essential workers.

Workers deemed “essential” who contract COVID-19 would be presumed to have caught the virus at work, and hence would be eligible for all normal workers’ comp benefits under the law.

Only workers for employers who are insured by State Fund will benefit from the decision by the insurer. But that could change.

Gov. Gavin Newsom is considering issuing an executive order that would require a presumption that any case of infection by an essential worker is work-related and eligible for workers’ compensation benefits. That would include partial wage replacement for any missed time from work, as well as covering all related medical costs and death benefits for their family should the unthinkable happen.

State Fund had earlier created the Essential Worker Support Fund to partially cover any workers it insures, but the new action replaces that fund so that workers who file COVID-19 claims are entitled to all the same benefits (indemnity for lost wages and medical costs related to treating the virus, including hospitalization if needed).

“We currently estimate these added benefits will require approximately … $115 million,” State Fund said in its announcement, adding, “We will still provide temporary disability benefits to any covered essential worker who must self-quarantine if they are not covered by another source.”

State Fund’s new rule only applies to cases that were filed by essential workers who have been on the job since Newsom issued the shelter-at-home order on May 19. The rule will be pulled once the order is lifted.

Essential employees include those who work in food, warehousing, delivery, agriculture, health care, energy, emergency services, and more.

Good news for workers, employers

The move by State Fund and the possible executive order are good news for workers as well as employers. Any essential worker that currently contracts COVID-19 would otherwise have a steep hill to climb in trying to prove that they caught it at work unless they are health care workers or first responders.

Not only that, but the case can get tied up if the employer challenges the claim and it goes to the Workers’ Compensation Appeals Board for adjudication.

It would be good news for employers too, as the Workers’ Compensation Insurance Rating Bureau has proposed its own rules that would exempt any COVID-19 claims from an employer’s claims history so that it would not affect their experience modifier (X-Mod).

That means if an employer has any employees who file COVID-19 claims, their premiums would not rise due to those claims.

The Rating Bureau estimates that the cost of COVID-19 claims in California could range from $2.2 billion to $33.6 billion annually. A mid-range estimate of $11.2 billion would equate to more than 60% of all California workers’ comp annual claims before the pandemic.

Protecting Your Workers During the Pandemic


If you are one of the companies that has been deemed an essential employer and are remaining open during stay-at-home orders, you should be doing all you can to protect your workers against contracting COVID-19.

While some workers are really on the front lines of fighting the disease, like health care workers and emergency services personnel, there are many other people working in factories, grocery stores, warehouse and transportation, among other industries, that are also at risk to varying degrees.

The response to this has been varied. Some employers have taken steps to protect their workers. For example, some grocery stores have supplied cashiers with masks, face shields or plexiglass barriers between them and customers.

But not all employers are taking those steps and that’s ignited worker protests through a swath of industries:

  • After a mechanic tested positive for COVID-19, half the employees at his workplace stayed home to press the employer to clean the entire worksite before they would return.
  • Workers staged a walkout at a truck manufacturing facility because the company was not supplying them with hot water for washing their hands.
  • Bus drivers went on strike, saying the city they work for wasn’t doing enough to protect them.
  • 200 employees walked out of one warehouse after a worker tested positive for COVID-19.

Employers need to be careful, as failing to provide adequate protections against coronavirus to their workers could result in lawsuits and subsequent penalties if OSHA decides to strictly enforce its General Duty Clause.

What you can do

Facilities will vary in their own risks, but the following are some general areas that all employers should consider to reduce the risk or spread of infection in their workplaces, regardless of whether they are a large high-traffic facility like a food warehouse or a small hardware or specialty grocery store:

Providing personal protective equipment — This can range from gloves and masks to face shields.

Protective barriers or partitions — These could be partitions made of plexiglass so workers can communicate and make eye contact.

Air circulation — If you have fans or air conditioning units blowing, take steps to minimize air from fans blowing from one worker directly at another.

Spacing — Require employees to work at least 6 feet apart.

Hygiene — Place handwashing stations with hot water and soap or hand sanitizers with at least 60% alcohol in multiple locations, in order to encourage good hand hygiene. Also urge workers to avoid touching their faces.

Customer handling — Use rope-and-stanchion systems to keep customers from queueing or congregating near work areas. Mark spots on the floor spaced 6 feet apart to ensure social distancing.

Consider restricting the number of customers allowed inside the facility at any point in time. Also, consider options for increasing in-store pickup or delivery to minimize the number of customers shopping in store facilities.

Cleaning — Disinfect frequently touched surfaces in workspaces as well as doorknobs, buttons and controls. If you have customers entering your facilities, disinfect all public-facing areas, such as points of sale and service counters.

Employee issues — Add additional clock in/out stations. If possible, these should be spaced apart to reduce crowding in these areas.

Staggering schedules — Stagger workers’ arrival and departure times to avoid congregations of employees in parking areas, locker rooms and near time clocks. Stagger lunches as well, to avoid overcrowding in general areas where employees may often eat. If you have an area frequently used for lunches, make sure you enforce 6-feet spacing in that location too.

Keeping the virus at bay — Actively encourage sick employees to stay home. Check temperatures of workers upon arrival — and consider checking customers’ temperatures too. Anybody who is running a fever should not be allowed into the facility and should be asked to go home and call their doctor.

Want to know more?

OSHA has a fantastic COVID-19 resource page that outlines safety procedures that employers in a number of industries can implement to reduce the chance of transmission between workers, as well as between workers and customers. You can find it here.

How to Protect Your Business Teleconference Meetings


Since face-to-face meetings are out of the question when most non-essential workers are under stay-at-home orders, many companies have opted for the teleconferencing app Zoom.

Despite the recent revelation that Zoom’s teleconferencing system is not always the most secure, it is still one of the least expensive and most user-friendly options for holding meetings during the coronavirus outbreak.

Zoom has seen its user numbers explode during the pandemic, but that has left it exposed to a number of different types of attacks and other problems, like videos being exposed on the web. There are many alternatives to Zoom, but if you want to continue using the service, you should understand the security implications and what you can do to protect yourself, other participants and your company.

The risks

Because of complaints, Zoom in mid-April said it was working to fix a number of bugs and security holes in its system.

While some issues have plagued the system for a few years, others were recently discovered as usage surged in the first three months of 2020. Here’s a list:

Stolen passwords — One of the more recently discovered vulnerabilities allowed hackers to steal Windows passwords.

Eavesdropping — Two other newly discovered holes could let hackers remotely install malware on affected Macs and eavesdrop on meetings.

Phishing attacks — Hackers are creating fake Zoom links and websites to lure people to log in. In so doing they can steal financial details, spread malware and steal Zoom ID numbers and passwords, which allows them to infiltrate meetings.

‘Zoombombing’ — This occurs when uninvited guests gain entry to private meetings. This typically happens for large events after log-in details were announced on social media, but it is happening in smaller meetings as well. Typically, these infiltrators will disrupt the meeting with profanities and insults or by streaming porn for the other participants to see.

Hackers are using the same techniques to eavesdrop on or disrupt business meetings.

Meeting recordings exposed — This can only happen if the meeting organizer records the meeting. A Washington Post investigation found thousands of private Zoom videos that had been posted on the web. The exposed video calls included private business discussions, casual conversations with friends, therapy sessions, and nudity. Many of these videos seem to have been made public by mistake.

Meetings are typically not recorded. The default setting on Zoom does not record meetings. But meeting hosts can save the videos on Zoom’s servers or their own computers without participants’ consent.

Tips to keep your Zoom meetings private

  • Don’t post your Zoom meeting IDs publicly. Send them privately by e-mail or through a messaging app.
  • Create a new ID for every meeting. Don’t recycle old ones from prior meetings.
  • Adjust the Zoom settings to require participants to enter a password to access the meeting.
  • Enable Zoom’s “Waiting Room” feature. This lets you keep participants in a digital queue until you approve them to join the session. Beginning April 4, Zoom enabled the feature by default, requiring additional password settings for free users. Zoom has a guide to the feature on its website.
  • If you are worried about abuse, you can turn off a number of features, such as private chats, annotation and file transfers.
  • Keep the Zoom desktop app up to date, so that any patches Zoom makes to security vulnerabilities are added to your device.
  • If you are concerned about hackers accessing your data and you don’t need to screen share, you may want to use Zoom only on mobile devices such as a smartphone or tablet. These seem to be less susceptible to hacking.
  • Build awareness of Zoom phishing scams into user training programs. Users should only download the Zoom client from a trusted site and check for anything suspicious in the meeting URL when joining a meeting.
  • Ensure all home workers have anti-malware protection, including phishing detection, installed from a reputable vendor.
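
The meeting-URL check from the tips above, as an added example that is not part of the original article: a small Python function that lists the reasons a join link looks suspicious. The trusted-domain list (zoom.us here) and every sample link are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the meeting domains your organization accepts. zoom.us is
# used as the example; replace the list with your own policy.
TRUSTED_DOMAINS = ("zoom.us",)

# Constructed sample links (example.com / example.net are reserved names).
SAMPLE_LINKS = [
    "https://zoom.us/j/1234567890",
    "https://zoom.us.example.com/j/1234567890",
    "https://zoom.us@meetings.example.net/j/1234567890",
    "http://zoom.us/j/1234567890",
]


def check_meeting_link(url, trusted=TRUSTED_DOMAINS):
    """Return the reasons a join link looks suspicious (empty list = passes)."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ["URL could not be parsed"]
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.username is not None or parts.password is not None:
        problems.append("text before '@' hides the real host")
    if port not in (None, 443):
        problems.append("non-standard port")
    if not host:
        return problems + ["no hostname"]
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        problems.append("internationalized hostname, possible lookalike")
    # Accept an exact match or a true subdomain only. A plain suffix or
    # substring test would also accept hosts that merely contain the name.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        problems.append("host %r is not a trusted meeting domain" % host)
    return problems


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", check_meeting_link(link) or "ok")
```

The same function can run in a mail gateway rule or a chat bot that screens links before users click them; passing a link only means its host matches the allowlist, not that the meeting itself is legitimate.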