With so many organizations willing to abandon Zoom over several serious security mistakes, it seems the digital world may finally come to appreciate the benefits of stringent security requirements for the technology we use ourselves and build for others to use.
While Zoom has quickly become my favorite video conferencing software, I'm certainly not condoning the previous technical behavior of the Zoom development team. As a security practitioner I'm certainly shocked they wouldn't take a more scientific approach that included cybersecurity, but I'm also not surprised. They, like many companies, fail to consider the consequences of not having a cybersecurity program, one that requires configurations to be scrutinized before they are released for the real world to use. Speed to market has, time and again, set up companies with bright ideas and great products for failure.
There are some lessons to learn here. It is clear we must include cybersecurity in planning and budgets. We should also recognize the significant loss of business integrity that occurs when the public finds out you didn't care about cybersecurity, and you see your largest customers abandoning you for a competitor because that competitor has a stronger cybersecurity program. I will say it's lucky for Zoom that it was a cybersecurity research team that found the issues. This could have been a tad worse had criminals discovered some of the recent critical weaknesses, such as the way encryption was being performed in the product.
However, we all heard about the "room raiding" or "zoom bombing" or whatever you want to call it. Anyone could guess random Zoom meeting numbers, hop into a meeting, and misbehave by sharing video and audio. This can be disruptive, but if you are moderating it's an easy fix: adding a password requirement resolves the issue completely. Regardless, it was the beginning of the fall of trust in the product. Coupled with several critical issues identified by the research team, it was more than enough evidence for key organizations to begin removing the product from their workstations and adding it to their software blacklists.
Zoom has responded by falling on its sword and bringing in Alex Stamos, who has quickly gathered a council of CISOs to assist in the new, security-focused orchestration of operations at Zoom. While cybersecurity may not have been in the grass roots of the company, it's certainly an integrated part of the business from here on out. I am sure the decision to adopt a good cybersecurity program will help Zoom rebuild its reputation, so that those of us who appreciate and enjoy using the product can continue to do so safely. I mean, we still deal with Microsoft on a daily basis, and it's been releasing critical security vulnerabilities every month for the past twenty years.
Lessons learned from Zoom's mistakes
- Include cybersecurity in your budgets and planning
Zoom did not have cybersecurity planning and budgets, and if it did, it was in a very limited capacity. Companies should be conducting cybersecurity risk assessments continuously from the moment they can afford it. These vulnerabilities would then have been identified by internal teams, resolved internally, and never publicized.
- Cybersecurity can be a revenue driver or revenue destroyer
Zoom did not have a strong cybersecurity program, which led to the discovery of critical vulnerabilities that caused customers to abandon the product for a direct competitor. They went to products they believed were more dedicated to cybersecurity.
- Cybersecurity is more expensive if you have to rush it in
If you don't plan for it initially, then when you have to put it in to prevent further breaches or fix a significant vulnerability, it's always more expensive. More eyes are on the problem, making the need to resolve it in haste all the more pressing. Reactive cybersecurity can be put in place, but only at a cost equivalent to a small country's GDP.
- Speed to market is bad, but it’s worse if you don’t include cybersecurity
It's safe to assume that if you build a product for others to use on the public internet and you don't include some cybersecurity measures, you are a few cards short of a deck or just plain ignorant. Not being able to afford Big 5 consulting is not an excuse. With the amount of resources available today, you can read about cybersecurity on your own. It's not 1995 anymore; it's time to start thinking through a strategy around your business and product weaknesses before someone else finds them for you.