Zooming In On Cyber Governance: Top Ten Actions For Boards And Execs

Shortly after the coronavirus shutdowns began in March 2020, businesses and people across the country started using Zoom for remote working, video meetings, and keeping up with family and friends.


The virus that killed the economy was a blessing to the video/chat communications company; its subscriber base shot up from 10 million in December 2019 to 300 million by April 2020. 


But with its popularity came more scrutiny, and privacy and security issues rained down upon the company in a never-ending torrent. From late March to June, Zoom had a slew of lawsuits filed against it, negative headlines appeared every few days in the global press, and the use of Zoom was banned by governments, companies, and schools. 


The company is now engaged in a frantic effort to fix security holes, smooth over public relations snafus, and save itself. Many of its problems, however, could have been avoided by better governance over privacy and cybersecurity issues. A look at the issues Zoom has struggled with in a short 90-day period provides an excellent case study for directors and boards on digital oversight and offers lessons on how to avoid similar pitfalls.


What Zoom Got Wrong


Zoom failed to understand that privacy and security are equivalent to trust in the marketplace. It did not build privacy and security into the application’s development lifecycle and make it a centerpiece of its offering. The company also did not take its privacy compliance requirements seriously and made numerous false statements in its privacy policy about what it was really doing with user data. In addition, it was unprepared to manage security events and made seat-of-the-pants decisions on issues that resulted in uproars, more negative publicity, and apologies. 


Reality hit on March 26 when Motherboard revealed that Zoom was sharing user analytics data from its iPhone app with Facebook, irrespective of whether the users had a Facebook account. The next day the company announced that it was stopping the sharing of data with Facebook and apologized. Nevertheless, a class action lawsuit was filed against the company, claiming that the data sharing amounted to an unauthorized disclosure of personal data in violation of the California Consumer Protection Act (CCPA) because its privacy policy did not disclose the arrangement. 


Next, Zoom classrooms were broken into (“bombed”) by hackers who displayed swastikas on students’ screens. The New York Attorney General sent a letter to the company inquiring about its privacy practices, and the FBI issued a public warning about Zoom’s security vulnerabilities. Then, The Intercept reported that Zoom was not using the end-to-end encryption that it touted in its marketing materials. Next, researchers started finding bugs: software vulnerabilities that allowed password theft, enabled hackers to take control of microphones and webcams, allowed root access to macOS desktops, and enabled the gathering of Zoom meeting IDs. 


All of this resulted in Congress sending Zoom CEO Eric Yuan a letter asking for information about the company’s privacy practices, and a second class action lawsuit was filed over the sharing of data with Facebook. Further embarrassment occurred when the University of Toronto’s Citizen Lab revealed that Zoom was using much weaker encryption than it claimed to be using and that at least some of the encryption keys were issued from Zoom servers in China, which meant the Chinese government may have had access to Zoom meetings. 


Yuan began sounding like Mark Zuckerberg, who is famous for apologizing and begging for forgiveness for privacy oversteps that Facebook has made. “I really messed up as CEO, and we need to win their trust back,” Yuan said to the Wall Street Journal. The parade of horribles continued the next day as Zoom acknowledged that some video calls were erroneously sent through two Chinese servers. Then, a third class action lawsuit was filed, citing the unauthorized disclosures to Facebook, the misrepresentations about end-to-end encryption, and the vulnerability that let malicious actors use webcams. 


By this time, it was April 9 and Zoom had a new list of embarrassments:


  • Senator Richard Blumenthal publicly urged the Federal Trade Commission to investigate Zoom over privacy and security concerns

  • U.S. school districts began banning the use of Zoom

  • The U.S. Department of Defense strictly reined in the use of Zoom

  • The U.S. Senate asked its members to stop using Zoom

  • Google banned the use of Zoom on company devices

  • Taiwan forbade its government agencies from using Zoom

  • Singapore suspended the use of Zoom for education

  • The German Ministry of Foreign Affairs banned the use of Zoom

  • A fourth class action lawsuit was filed – a shareholder suit claiming the company had violated the federal securities laws by misleading investors about Zoom’s “inadequate data privacy and security measures” and falsely representing that its service had end-to-end encryption. 

  • A fifth class action suit named Zoom, LinkedIn, and Facebook for improper data sharing.

In the month of April, Zoom was sued 17 times. It is important to note that the foregoing is only a portion of the privacy and security issues that Zoom had to deal with between March 26 and April 9, 2020 – a span of 15 days. Serious Zoom security events continued to occur from April 9 into the month of June, including the posting of 500,000 Zoom usernames and passwords for sale on a criminal site, and Zoom zero-day exploits offered for $500,000. Numerous security issues remain unresolved. The company has made a number of missteps in judgment, such as acquiescing to the Chinese government’s demands to suspend the accounts of dissidents (which resulted in more letters from Congress) and lying about the number of daily users it had, which impacted its stock price. 


How To Exercise Privacy and Security Governance


Zoom’s unrelenting privacy and security issues have not been one-off events that can just happen to well-intentioned companies. Instead, they reflect serious, systemic gaps and deficiencies in compliance and governance processes, the lack of a strong code of conduct and respect for privacy and security, poor crisis communications, and insufficient policies and procedures for software development. 

Companies that desire to learn from Zoom’s misfortunes and avoid their mistakes should ensure their directors and boards adhere to the following:


Top Ten Privacy/Cybersecurity Governance Actions


1. Adhere to best practices and standards for the governance of information security and undertake the specific responsibilities assigned to boards and senior management.

2. Establish a culture of respect for privacy and security through top-level policies, actions, and enforcement.

3. Assign key roles and responsibilities for privacy and cybersecurity to senior management personnel.

4. Issue a Code of Conduct applicable to all employees, contractors, vendors, and business partners that requires honesty and transparency in business transactions and compliance with policies and procedures.

5. Ensure that privacy and cybersecurity compliance issues are clearly identified and integrated into operational policies and procedures and the cybersecurity program.

6. Require that all systems and code be designed, developed, tested, and maintained with privacy and security considered at every stage, and that code is developed according to secure coding practices.

7. Ensure that software code undergoes regular code reviews and vulnerability scans, and that risk assessments of the cybersecurity program are performed.

8. Ensure that all privacy policies and public-facing information, especially marketing and securities information about the company and the security of its systems and data, accurately reflect operational practices, especially with respect to the sharing and use of personal data.

9. Require the escalation of serious privacy and security incidents to the senior management team and the board, and ensure that privacy and security incidents are integrated into crisis communications plans.

10. Identify the key information flows that are required to keep the board informed about the foregoing and put in place an oversight process that includes monitoring the status of key risks.


Cybercriminals are relentless, and new privacy laws are empowering consumers and regulators. The days of boards just asking interesting questions about cybersecurity and privacy a couple of times a year are over. ISO standards, laws, and regulations require companies to connect the dots between the data they collect, how they protect it, and who they share it with. They are required to accurately and transparently provide this information to shareholders and users. They are also expected to develop secure systems that cannot be hacked and exploited in ways that put users at risk. Zoom found out the hard way. Others can learn from its lessons.


Forbes

