So, you’re in a pinch. Suddenly your business team can’t meet in person, but there is still a daily need to
collaborate. You hadn’t prepared for this scenario in advance, so you are scrambling for a solution.
There’s significant buzz about a videoconferencing app. You heard about it from a friend or saw it on
Google or maybe even used it with a call hosted by a colleague. You look them up online, sign up, and
install the software. You initiate your first test call and think to yourself, “That was so easy!” No vetting,
no testing, no overhead. Just simple and easy. You didn’t even have to call your IT people.
Such is the story of thousands of companies over the last few weeks. Unknowingly, those businesses
have subjected their most intimate business interactions (including customer data, in some cases) to a
platform with the following concerns:
- Contains a vulnerability that allows lower-level users to gain the highest level of
permissions or access the camera and microphone
- Does not adequately protect video sessions, allowing attackers to interrupt video calls or
record them without the participants’ knowledge
- Does not offer end-to-end encryption of session data as advertised, has been compared directly
to malware, and shares user data with other organizations
Of course, I am referring to Zoom, whose popularity has exploded seemingly overnight. If business
owners were presented with these issues as part of their decision-making process, overwhelmingly they
would run to its nearest competitor. Many of these flaws were not revealed to the public until after,
indeed because of, Zoom’s rocket trajectory. But how were these businesses supposed to know? While
Zoom’s lackluster record on security/privacy is concerning, they are not an isolated case. This is not a
commentary on vendors with poor security records, but rather the factors that contribute to a decision
process that chooses software like Zoom.
Consumers who use software with a poor security record fall into a few categories:
1) The business’s security requirements are minimal
2) Other business considerations outweigh the risk
3) The business’s security requirements are undefined
4) The business is unaware of the risks posed
I’d argue the first group is simply the third group and just hasn’t thought about it yet. No owner is truly
okay with the intimate details of their business exposed at random. The other groups are all results of
being underprepared. Either security requirements are not defined, applications are not vetted, or the
organization has not established appropriate alternatives. Even the UK government, which has defended
using Zoom during this COVID-19 crisis, recognizes Zoom’s shortcomings and is preparing a more
appropriate long-term solution.
What is at the core of so many choosing an app with significant security flaws to handle such a sensitive
function? How can businesses prevent the issue from recurring? Many businesses simply do not give
enough consideration to cybersecurity, and a global pandemic has only highlighted the gap. Combined with a
lax approach to cybersecurity is a dearth of business continuity planning – it is simply not high enough
on priority lists. Businesses did not have a solution in place and did not have time to evaluate the
available options.
Those decisions are reflective of the root cause. At the core is an underestimation of cybersecurity and
its complexity and ubiquity. Any data that touches a network, internal or external, needs to be secured
at some level, unless it is truly meant to be for public consumption. Otherwise, assume it is at risk of
being exposed. Protecting data is not a simple task and should not be treated casually.
Here’s the point: If protecting your data is important, it should be handled by a professional. The
average consumer can no longer keep up with the breadth and depth of threats on the internet. As
Zoom shows us, there are vendors who are willing to cut corners and take risks with your data security.
In exchange, they offer convenience and free plans. Not all free plans are bad, but how can the average
consumer know which vendors to trust?
If you do not have a trusted IT resource, find one. If you do have one, please use them. Work with them
to define your business’s security requirements. Evaluate your technology against these requirements.
Ensure all your users understand these requirements and execute in that context. All businesses pay a
cost for their data security, either with time and money or by accepting the risk. Which are you choosing?
-Marc Gibson, CEO/Founder of DThree Technologies