Zoom Security

How do I keep my meeting secure and avoid “Zoombombing”?

Overview

“Zoom bombing” refers to when an uninvited individual disrupts a Zoom meeting. When you share your meeting link on social media or other public forums, that makes your event public. ANYONE with the link can join your meeting without the right settings.

To help prevent this issue, meeting hosts should implement measures to protect themselves and their meetings. Below is a list of recommendations for keeping your Zoom at UD meeting secure.

Options to control meeting access

Option 1: If all meeting attendees are from UD
If all of your meeting attendees are from UD, turn on the authorized authentication setting to best protect your meeting. Participants will need to sign in to Zoom application using their UD credentials to access the meeting.

Option 2: If specific people (Example: Guest Speaker) are outside of UD
If you have a short list of individuals who need to join your meeting, you may use the authentication exception feature by adding their name and email address.  These individuals will receive an email message containing a unique link that allows them to bypass the UD authentication.

Option 3: If many meeting attendees are not from UD
If you have a large group of people attending, or do not know their personal email addresses, the Waiting Room or Passcode features are good options to prevent unwanted individuals from gaining access to your meeting. Do not post links and passcodes on social media or publicly accessible sites without additional security.

Option 4: If creating an outreach or public meeting
If you would like to create an open meeting for the public, using the Meeting Registration feature will restrict participants to those willing to give you their email addresses. Do not post links and passcodes on social media or publicly accessible sites without additional security.

Note: the documentation is divided up by how you are accessing Zoom (via app or web). You may see slightly different options based on UD’s global settings and the version of your application.

Back to top

Report an incident

Please report all Zoom bombings to both Zoom and UD.

Report to Zoom by clicking the green shield icon at the top right of the meeting window and choosing the red Report link.  Fill out the form and include a screen shot of the offense if possible.

Report to UD by emailing askit@udel.edu or submitting this form.  If emailing, please include your name, your class name and section number, time of incident (best approximation), and Zoom meeting ID.

Incident report form.

Remove an unwanted participant

In the event that your Zoom meeting has an unexpected or disruptive guest, as a meeting host you are able to remove them by clicking the Participants icon in the tool bar, clicking their name in the pop-up window, and choosing Remove. They will be blocked from re-entering the meeting.  If you have too many unwanted participants to manage, end your meeting. Do not publish recordings of classes with incidents.

How to remove a participant.

Best Practices to set up a meeting

Scheduling a meeting is the best time to ensure a safe meeting by following these preventive recommendations.

To get started, access your account from the Zoom application.

  1. Enable a security setting for your meeting
    • Authentication (recommended) – Allow only signed-in university users to join the meeting (students, faculty, staff). Only for meetings with all UD participants.
    • Waiting Room – Manage when each participant enters the meeting. Can be used for meetings with UD and non-UD participants.
    • Passcode – Set a passcode required for all participants to join the meeting. Can be used for meetings with UD and non-UD participants.
    • Registration – Require each participant to fill out a form with personal information prior to the start of the meeting. Recommended for public meetings with mostly non-UD participants.
  2. Share the meeting link (and passcode) with students as a Canvas Announcement, in your syllabus, or in the Canvas Navigation Bar.
  3. Ensure that only the host, co-host, or alternative host can start the Zoom meeting.
    1. How to set a co-host. A co-host can help administer a meeting, such as muting participants or starting/stopping the recording..
    2. How to set an alternative host. An alternative host can start the meeting if your are unable to.
    3. Learn more about host and co-host controls.
  4. Automatically mute attendee microphones and cameras as they join, available through advanced meeting controls when scheduling.
  5. Set a virtual background to protect your privacy. This option may not be available on all devices.
  6. Remind invitees to not post or share the meeting link.

Back to top

Best Practices during a meeting

  1. Click the Host Tools icon in the meeting tool bar to control participant access, including:
    • Lock meeting – prevents additional people from joining the meeting
    • Chat – turn off participants’ ability to text chat
    • Screen Share – turn off participants’ ability to screen share
    • Audio/video – turn off participants’ ability to share audio/video
  2. Manage screen annotation. Participant annotation has been disabled by default.  This can be managed, along with screen sharing, from the control bar within a meeting.
  3. Remove participants from a meeting who might be unwanted or disruptive by clicking the Participants icon in the tool bar, clicking their name in the pop-up window, and choosing Remove. Removed participants will not be allowed to rejoin the meeting.
  4. Consider posting a reminder about University policies.  Faculty may wish to share, at their next class meeting, that students who are found participating in or enabling Zoom bombings will be referred to Community Standards & Conflict Resolution. If a student is found responsible for violating policies, they will be sanctioned appropriately.
  5. Take screen captures if possible of unacceptable images and use them when reporting the incident.

Back to top

Best Practices for specific use cases

Classes

Create your class directly through Canvas and turn on the Authenticated Users security setting.

Canvas/Zoom Integration Guide

UD Authentication Guide

Dissertation Defenses

Only share your Zoom meeting link with people you know.  Never publicly share an open Zoom meeting on social media or elsewhere.  If you are inviting guests, be sure to use the passcode or the waiting room security option.

Zoom Passcodes

Zoom Waiting Rooms

Research

All faculty and staff are welcome to use their UD Zoom accounts to hold meetings with colleagues outside of UD.  Be aware that only members of the UD community can be made an alternative host in your meetings, but you can elevate someone to co-host once the meeting begins.  As with all Zoom meetings we recommend using the passcode or waiting room security options, and to avoid posting an open meeting link on any kind of social media or webpage.

Zoom Passcodes

Zoom Waiting Rooms

HIPAA – Clinic usage

While all Zoom meetings are now HIPAA compliant, recordings to the cloud still do not meet HIPAA protocols. Therefore, it is CRITICAL if you work with patients and/or HIPAA data that you are HIPAA compliant in your use of Zoom.  Please join the HIPAA Zoom group as soon as possible.  The link to the form and additional information can be found on our webpage below.

UD HIPAA Instructions

Back to top

Sharing Zoom meetings on social media

Zoom has become increasingly prevalent and is a potential target for intruders who search social media for unprotected meetings and access points to restricted content.

If you want to keep a meeting public, create a registration for the meeting but restrict it to attendees who give you their name and email address. Another alternative is to request a webinar from UMS.

Whenever possible, share your Zoom meeting link only with people you know. If you share your meeting link on social media or other public platforms, anyone who sees the link will be able to join your meeting (unless you set a password for your meeting and share that privately with attendees).

Important: Never publicly share an open Zoom meeting on social media or elsewhere. This is a security risk for the university and opens the door for unwanted guests to join your meeting (Zoombombing), including online trolls who can share or post inappropriate or offensive material.

If you have posted an open Zoom meeting link on social media, take the following actions immediately:

  1. Remove or report the public post.
  2. Delete the existing Zoom meeting and create a new one.
  3. Enable security features on the new meeting such as passcode, registration, waiting room, and authentication.
  4. Send the new meeting link only to people you know.

If you have any questions, please contact us at zoom-support@udel.edu.

Back to top

Addressing a Zoombombing Incident or Other Concern

  • Share  a message apologizing to participants and offer services. Here is a sample:

    Unfortunately, we experienced an incident of Zoom bombing that disrupted our (event/class/etc). We condemn the language, images, and posts used during this incident. They are not in line with the mission and values of the University of Delaware. We apologize that you had to experience this through your connection to our (organization/class/etc). We will be reporting this to University of Delaware Information Technologies. They will share information with Community Standards & Conflict Resolution, the Office of Equity and Inclusion, and UD Police as appropriate. We will also be exploring ways to make sure our events are as secure as possible.

     

    We know some of the content was upsetting and jarring. For students, resources are available from the Center for Counseling and Student Development if you need support or would like to process the incident. If you would have other concerns, you can email Student Advocacy & Support at studentsupport@udel.edu to connect with a staff member.

     

    Once again, we are sorry this happened and please reach out if you need support.

  • Reporting to IT
    • When reporting to UD IT, please include the zoom meeting ID, the date and the time of the event.
    • Security staff may reach out to you to gather other information.
    • Security staff will review the logs of the event, as well as any recordings or transcripts and document incidents of concerning conduct.
    • Security staff will share information concerning the behavior with the University of Delaware Police, the Office of Equity and Inclusion and Community Standards & Conflict Resolution. Those offices may reach out to meeting hosts and participants as needed.
  • Reporting to UD Police, Office of Equity and Inclusion, and Community Standards & Conflict Resolution.
    • As noted above, UD IT will share information with the University of Delaware Police and Community Standards & Conflict Resolution as appropriate. Anyone is welcome to report these incidents directly to the University of Delaware Police by sending an email to ciu-udpd@udel.edu. Information can be reported to Community Standards & Conflict Resolution by sending an email to communitystandards@udel.edu.  Please include as much information as possible.
    • As noted above, UD IT will share information with the Office of Equity and Inclusion if the content is a potential violation of the Non-Discrimination, Sexual Misconduct, & Title IX Policy. Anyone is welcome to directly report these to the Office of Equity and Inclusion by completing the form on their website.
  • Support resources and information.
    • The Center for Counseling and Student Development is available if students need support related to an incident and would like to speak with a counselor. During office hours students may call 302-831-2141.
    • All students enrolled at the University of Delaware can access 24/7 mental health care or victim support through the TimelyCare app.

Back to top