Video meeting app Zoom, which has become a case study in security and privacy engineering, has left enterprises unsure whether they should buy an enterprise Zoom license right now, ban it from all company devices, or run a trial first to see how it works. According to a report from global market research firm Forrester, for these firms context and risk tolerance matter most.
"Don't ban Zoom outright as you won't be able to stop users from adopting it. For security and risk pros, widespread adoption of Zoom increases their firm's attack surface. But adoption of Zoom mirrors Slack and other consumer IT technologies that land and expand in the enterprise by making things easy and targeting users, not buyers," said Jeff Pollard, VP, Principal Analyst Serving Security and Risk Professionals.
Don't assume Zoom's alternatives are more secure or more private. "If Zoom commits to security and privacy as its recent actions indicate, then at some point down the line Zoom could be one of the most heavily scrutinized — and secure — videoconferencing tools available. That's going to take a long time, as these issues require more than simply releasing patches," Pollard added.
Zoom is certainly not the only platform used for sensitive corporate communication that has security issues. Zoom got hit first, but that also means it took its beating earlier than others.
"If the company moves fast and fixes things, and continues with the transparency seen in its weekly updates regarding the status of fixes, it could come out ahead in the long run," the report said.
Zoom now faces a host of privacy and security problems because it failed to follow a simple rule: every company must secure what it sells.
Communication platforms can have great UX and decent security without good privacy, but if they have both bad security and bad privacy practices, it doesn't matter how good the user interface is: the whole show falls apart.
Researchers discovered numerous privacy and security flaws in Zoom. Many have since been addressed, and the company says it plans to address the rest in future updates.
"For Zoom to prove long-lasting commitment to security and privacy, it needs to formally hire a CISO with expertise in post-breach environments, or one who understands the need to tie security to customer-facing requirements," said Pollard.
Zoom CEO Eric S. Yuan has been remarkably accountable and approachable, "but like all executives, he needs to delegate — and champion — security and privacy responsibility to someone who will focus on it full time with his mandate".