Zoom – Firms Should Conduct a Risk-Based Assessment Before Implementation

By Tim Buckler


As many firms have started heavily leveraging remote conferencing systems to maintain business continuity during this COVID-19 outbreak, Zoom has seen a sudden rise in popularity and an equally sudden rise in cybersecurity concerns. There are many reports detailing both the lack of available protections and the implementation of those protections by firms. Zoom has existed for 9 years, so many of these bugs, policies and oversights should have been remediated before now. They have put into place an implementation freeze to focus on their cybersecurity concerns, but there are still serious concerns about the leadership and workplace culture that allowed these issues to remain for so long. Below are only some of their issues; any firm continuing to use Zoom should conduct a risk-based assessment immediately.

Zoom also published a white paper this month that describes their infrastructure, security, etc. Anyone that continues to use Zoom should review this and ensure that they are leveraging all of Zoom’s available protections. Zoom has made it clear that they take these concerns seriously and are in the process of implementing solutions.

Zoom previously claimed that they use end-to-end encryption; however, Zoom is able to view and read the recordings and messages on their servers, which it would not be able to do with proper end-to-end encryption (under which only the meeting participants hold the keys). Zoom has updated their descriptions to say, “TLS encryption for meetings.” The path of this messaging link still includes “end to end,” but the page now says it uses TLS.

Zoom’s privacy policy had language indicating that they were using your personal information for advertisements, marketing, etc. This included automatically generated transcripts of your sessions, who you were talking to and screenshots of the sessions. This would have serious implications for financial industry firms sharing personally identifiable information (PII). At the end of March, Zoom updated their privacy policy to minimize or eliminate many concerns; however, firms should review this new policy before continuing to use this service.

Zoom had security flaws that allowed for remote code execution and stealing of Windows logon credentials. Zoom has released a patch that has eliminated these issues; firms should confirm that all installed clients are updated to the patched version.

If your firm is looking for what to do next, here are some recommended steps:

  1. Review potential alternatives: there are competitors that have strong track records with cybersecurity. Skype, for example, is opening up their platform to allow meetings without signing into an account.
  2. Conduct risk-based vendor assessments: Zoom has access to client information and other sensitive data. Services like this should be considered higher risk and have additional due diligence performed on a regular basis.
  3. Keep services behind your corporate firewall: not allowing outside parties to enter your internal meetings reduces (but does not eliminate) outside attacks.
  4. Communicate to your staff: inform them of the potential dangers of using Zoom. Inform them of the steps to take if they receive meeting invites that weren’t expected, how to configure meetings to ensure only invited parties can join, etc.

Oyster has the background and perspective to help you build the cybersecurity program that is right for your firm, and conduct a comprehensive review of your existing program. We help you bridge the gap where business and technology meet, ensuring that you have the resources to understand the threats and the ability to protect yourself. You can learn more about how to protect your firm and the cybersecurity services we offer, or call (804) 965-5400 and one of our Relationship Managers will be happy to help you.

About The Author
Tim Buckler

Tim Buckler has spent 10 years in the financial services industry, with a focus on project management, cybersecurity, data analysis, and compliance. Tim’s experience includes project management support for clearing platform conversions, cybersecurity assessments, GDPR and CCPA assessments, performing 12b-1 Mutual Fund fees analysis for regulatory initiatives, and ownership changes for custodial IRA held annuities.