Zoom security issues are in the news

Over the last couple of weeks, there have been a significant number of posts, articles, commentaries and opinions about security issues with Zoom.

No-one, Zoom included, could have predicted the meteoric rise in the adoption of their product over the last few months.  It’s not the only video conferencing platform by a long way, but it is almost certainly the one that has gained the most traction in the least amount of time.

With great power (or success)….

With success comes scrutiny.  Security teams around the world, many having spent the last couple of weeks in panic mode as organisations rushed to enable a new way of working without perhaps the usual level of due diligence around security, are now looking carefully at what has been rolled out.  Journalists and commentators, eager for a story, are paying close attention to the “new big thing” and to everything happening around it, and are finding headlines in the process.

I haven’t researched the reported security issues with Zoom in great detail, but there have been quite a few reported.  From what I have seen, they include issues with the security of the code, concerns around installation practices, privacy issues around where data is sent, some default settings, and others.  These are all valid concerns, but they also seem to be supplemented by some other issues which, whilst attributed to the company, in reality say more about how someone might use the product than about the security of the product itself.

For a fuller rundown of the issues, you can check out this CNET article.

Knee-jerk response?

Off the back of what’s been reported, a couple of things have happened.

Firstly, Zoom have released a statement around the issues, have committed to a significant focus on improving the security of the product, and are putting that into practice – I’ve seen, I think, 3 updates this week which include security improvements.

Secondly, a number of organisations have prohibited the use of Zoom.  Some undoubtedly have researched thoroughly and come to a considered conclusion that this is a necessary step.  I would suspect, however, that others are simply following a trend by doing so, without much of an understanding of why, or of whether their new platform is any better.

I’ve seen widely differing opinions from my peers in security around the Zoom issues, Zoom’s response, and what companies should do.  So, if you’re a company that is using Zoom, what decision should you make about whether to continue to use it, or to move to Microsoft Teams, WebEx, GoToMeeting or A.N.Other platform of choice instead?

Call yourself a Security Professional?

You may think that, as a Security Professional, I’d be in the camp of “There are security issues, so of course you should stop using it, at least until they are all fixed”.

You would be wrong. 

Equally, I wouldn’t say that you shouldn’t. 

Now, that might sound like a cop-out – like I’m sitting on the fence.  Well, here are some thoughts, and a few considerations either way.

Arguments for and against

Firstly, understand that 100% security is a myth.  No product or service offers that.  Zoom has security issues.  So do other platforms.  Zoom has more than some others, and fewer than some others.  Possibly, more have been discovered simply because of its popularity: a platform that attracts hundreds of millions of users also attracts far more researchers, journalists and attackers looking at it.  Of course, that wouldn’t make the issues any less relevant, but unless you have researched it, how do you know that it is worse than platform x or y that would be your alternative?

Secondly, security is really about risk – and as a business, it’s about the risks that are important to YOUR business, YOUR customers and YOUR suppliers.  There may be security vulnerabilities in a platform, service or piece of software, but what is the RISK and the potential IMPACT of that to your business?  You need to consider carefully the data that might be at risk, including meeting recordings, chat transcripts and shared files, and aspects such as reputational damage.  If you are an organisation that discusses very sensitive topics over your web conferencing platform of choice, it may be important for you to choose the most secure platform you can.  If, on the other hand, you are simply using it for daily catch-ups with no real sensitive discussions or data transferred, the security of the platform may be less important – which brings me on to a third point.

Effectively managing security in business is a balancing act.  That balance is between “Security” and “Productivity”.  The two typically tend to be at odds.  The popularity of Zoom is driven in large part by its ease of deployment, ease of use and intuitive features, along with some default configurations that err on the productivity side of the see-saw.  Those things often contribute to “lower” security.  Again, what’s important to you as a business here really should be contributing significantly to your decision making.  If security is a higher priority, put more emphasis there when comparing platforms.  If usability is more important, absolutely don’t discount security, but it might lead you to a different decision.

Security is a shared responsibility

One thing to be very conscious of, and something that often isn’t given enough consideration, is that the responsibility for security is SHARED between the vendor of the software or platform, your organisation and its users.  It is NOT, I repeat it is NOT, just down to the company you purchase the platform from.  Every platform has configurations and settings that can make it more or less secure, and more or less easy to use.

Most vendors, Zoom included, issue guidance on configuration best practices for both security and usability.  Take the time to understand it, configure appropriately, write the decisions down as a baseline you can check against, and educate your teams through training and configuration/usage guidelines, and you will improve security and reduce risk in areas that the vendor, frankly, can’t be expected to have control over.  If your teams are recording calls and then sharing the recordings outside of Zoom on insecure sharing platforms, that security gap isn’t Zoom’s – it’s yours.
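As an added example (not code from the original post, nor from Zoom or any other vendor), here is the kind of check that turns “configure appropriately” into something you can verify and re-run after every vendor update: an organisation’s hardening baseline compared against an exported copy of the platform’s account settings, reporting every deviation and every setting the export does not contain at all.  The setting names (such as “meeting.require_passcode”) and the nested JSON export shape are hypothetical stand-ins; map them to the real fields of your platform’s admin export or settings API before use.  The sample export is constructed for the example.

```python
"""Baseline drift check for a conferencing platform's account settings.

Added example, not code from the original post or from any vendor. The
setting names and the export JSON shape are hypothetical: replace them
with the fields your platform's admin export or settings API provides.
"""
import json
from dataclasses import dataclass

# Hypothetical organisation baseline: dotted setting path -> required value.
# Each entry records a decision the organisation made, not a vendor default.
BASELINE = {
    "meeting.require_passcode": True,
    "meeting.waiting_room": True,
    "meeting.allow_join_before_host": False,
    "meeting.screen_share_who": "host",
    "recording.cloud_recording": False,
    "recording.local_recording_requires_consent": True,
    "sharing.external_file_links": False,
}

# Constructed sample export (not a real account). Several settings deviate
# from the baseline and two baseline settings are absent entirely.
SAMPLE_EXPORT = json.dumps({
    "meeting": {
        "require_passcode": True,
        "waiting_room": False,
        "allow_join_before_host": True,
        "screen_share_who": "all",
    },
    "recording": {
        "cloud_recording": True,
    },
})


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: object
    actual: object
    present: bool  # False when the export carries no such setting


def flatten(obj, prefix=""):
    """Turn nested dicts into {"a.b.c": value} so paths match BASELINE keys."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, path + "."))
        else:
            out[path] = value
    return out


def check_baseline(export_json: str, baseline=BASELINE) -> list[Finding]:
    """Return one Finding per baseline setting that deviates or is absent.

    A setting missing from the export is reported rather than silently
    passed: an export that never exposed the control must not make the
    deployment look compliant by accident.
    """
    actual = flatten(json.loads(export_json))
    findings = []
    for setting, expected in baseline.items():
        if setting not in actual:
            findings.append(Finding(setting, expected, None, present=False))
        elif actual[setting] != expected:
            findings.append(Finding(setting, expected, actual[setting], present=True))
    return findings


def report(findings) -> str:
    """Human-readable summary, one deviation per line."""
    if not findings:
        return "all baseline settings match"
    lines = []
    for f in findings:
        state = f"is {f.actual!r}" if f.present else "MISSING from export"
        lines.append(f"{f.setting}: expected {f.expected!r}, {state}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_baseline(SAMPLE_EXPORT)))
```

Run it against a fresh export after each vendor release: defaults that change underneath you, or a setting that a new version renames or drops, show up as deviations or as MISSING rather than going unnoticed.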

The final point to consider is the future.  Zoom has some historic and current security issues and has made some errors of judgement, for sure.  Their response, at least of late, seems to be positive and they seem to be following through.  It is important to understand what that intent and commitment look like going forward when considering the alternatives too.  Make this part of your evaluation.

Doing what’s right – for you

In summary, I believe that some companies should stop using Zoom and move to another platform, and that others are probably wise to stay as they are, mitigate the risk through appropriate education and configuration, and keep a close eye on Zoom’s future actions.  Whichever side you fall on, it should be a considered, risk-based decision, based on what you need.

Make the right decision for you.