The impacts of COVID-19 have been numerous and widespread, but most significant to businesses is the requirement to effectively and efficiently interconnect a dispersed workforce to an equally dispersed client base and supplier network.
As a consequence, collaboration and video conferencing applications have seen a huge surge in demand and are being used by companies and organisations which may have never previously considered their use necessary, or certainly not a priority.
One application in particular has seen an increase in usage of over 300% and adoption by a multitude of users. These range from families maintaining ties with loved ones, through the small and medium business sector, up to larger businesses and organisations, where it is used to maintain internal productivity and essential communications with suppliers and clients alike. Obviously, this is Zoom.
Consideration of the Risks
But what are the risks? It should be acknowledged that Zoom is under significant scrutiny by both the attacker and user communities. General media and the more focused security industry coverage of Zoom have highlighted significant security and privacy concerns over the Confidentiality, Integrity and Availability of user data. Concerns range from the use of substandard encryption, weak credentials and the unauthorised collection and sharing of user credentials, to name but a few of the better-known vulnerabilities. However, there are more complex, systemic vulnerabilities at the development level, such as root shell access, remote code execution and hard-coded credentials.
The use of Zoom, or any other video conferencing technology, should be researched and evaluated based on the specific business use case and organisational risk appetite. If the term “Risk Appetite” is new to your business or organisation, it refers to the level of risk that is deemed acceptable before action is considered necessary to alleviate the risk.
Identification of the Risk Appetite is a management responsibility, overseen and ultimately approved at the highest (Board) levels, and requires an understanding of the business’/organisation’s strategy, goals, risk experience, culture and stakeholder perspective. More granular risk tolerance boundaries should then be developed to assist all levels of management to maximise opportunities whilst avoiding unnecessary risks. The benefits are to:
- Assist a company to better understand and manage its risk exposure;
- Assist management to make informed risk-based decisions;
- Assist management to allocate resources and understand risk/benefit compromises; and
- Help to improve transparency for investors, stakeholders, regulators and credit rating agencies.
In the case of Zoom, concern around the level of identified vulnerabilities has already caused some public and private sector users, both national and international, to review their usage, change their mind and select an alternative collaboration toolset. Foreign governments, such as the Australian and German governments, have banned employees from using Zoom completely, as have multiple commercial companies such as Daimler, Ericsson and Google. Following advice from the UK ICO, NHS Trusts have ceased using Zoom and have moved to approved alternatives such as BlueJeans, Skype for Business or Microsoft Teams.
Some would ask why Microsoft Teams and Skype for Business are considered more secure; this is due to the Security Development Lifecycle employed throughout the Microsoft development process, which facilitates the development of secure, mutually supporting software and helps ensure security compliance. The development of Zoom, it could be argued, lacked this security development consideration in favour of a reduced time-to-market strategy.
The use of the Zoom video conferencing application does offer a cost-effective solution; however, there are still security issues that should be considered, in conjunction with the sensitivity of the data in question and the business risk appetite. A general rule of thumb is to assume that what takes place on a video conference will not necessarily stay on the video conference.
Consequently, it is recommended that personal information subject to the General Data Protection Regulation (GDPR) and industry-sensitive, confidential information should not be shared over any application with significant security concerns. For those businesses and organisations that do need video conferencing collaboration tools for more sensitive data exchanges, such as regulated industry sectors and those that handle personal data, the UK NCSC has issued 14 principles under its Cloud Security Guidance.
It should be acknowledged that Zoom has recently released Version 5.0. This release will see some security enhancements, such as support for AES 256-bit GCM encryption and the ability to report users to the Zoom Trust & Security Team to review potential misuse of the platform. Additionally, administrators will have the ability to select Data Centre routing preferences; however, it is uncertain whether this capability includes default settings, such as mandated routing via the US or China for example. At the time of writing, the level of independent testing cannot be confirmed; the stated security enhancements for Zoom Version 5.0 therefore cannot be independently verified.