May 5, 2020
The Tale of Zoom Security Breaches, Vendor Risk and How They Converge In The Time Of Covid 19
Zoom Video Conferencing is THE technology company of the 2020 Covid-19 pandemic. The security and privacy weaknesses revealed over the past few weeks expose a deeper problem: the current state of vendor risk management at nearly every enterprise across the globe.
While confined to their homes, millions of people turned to Zoom and its ultra-reliable video conferencing technology to conduct sales calls, chat with friends and family and even to gather remotely for Passover Seder.

Photo of author’s family ‘Zooming’ during Passover Seder
At the same time, story after story across the national, local and IT news highlighted numerous security and privacy flaws in how Zoom delivers its service.
These stories included tangible evidence of abuse enabled by product bugs, weak security design and substandard encryption methods. Zoom’s CEO, Eric Yuan, issued a very loud and public mea culpa and promised that the whole company would do better on cybersecurity.
So how did a tech company that was relatively unknown as few as four years ago become the go-to video conferencing software of our time in hundreds of thousands of businesses, with so many obvious and gaping security holes?
The answer is that vendor risk teams, which are supposed to catch these types of security flaws, are totally overmatched. They’re fighting a boxing match and struggling to get through Round 1 of a 15-round bruiser. A total paradigm shift is needed for vendor risk teams to stand a chance.
That new paradigm should include an organization dedicated to conducting due diligence of vendors on behalf of hundreds of customers. As a thought experiment, imagine two scenarios:
Scenario 1: Hundreds of companies each individually review Zoom and its security practices and procedures. Each company dedicates one person to gathering and reviewing data. That person spends four hours reviewing the data and ultimately makes a yes/no decision on whether to use Zoom. This review is repeated once every 2-3 years.
Scenario 2: One company is paid by hundreds of companies to do an incredibly thorough review of Zoom, dedicating 5-10 professionals. They spend weeks reviewing Zoom’s data and conducting interviews, and they even go on-site to validate physical controls. This review is conducted annually, and perhaps even more frequently.
The second scenario is more efficient, smarter and far less costly for each individual company. It does not relieve each company of deciding how it configures and uses the product, but it replaces hundreds of shallow, infrequent reviews with one deep, repeated one. This is the shift we need to see in vendor risk management if enterprises are ever to manage their vendor risk appropriately.