What Happens When You Let Vendor Risk Assessments Slip: Zoom and Security Risks

Vendor resilience and active assessment of third-party risks are critical parts of maintaining your infrastructure.

As organizations evaluate how to navigate through the pandemic, the spotlight has shifted to how to rapidly manage operational imperatives as part of executing a business continuity plan. 

Zoom, based in San Jose, Calif., is a leader in remote enterprise video communications, with an “easy, reliable cloud platform for video and audio conferencing, chat, and webinars.” This spring, Zoom meetings have become household names as we’re practicing physical distancing while maintaining social relationships between work colleagues as well as with friends and family.

Unfortunately, Zoom has also been making headlines for its data security practices. The company has been accused of selling user data to Facebook and other companies, which has spawned a class-action investor lawsuit over privacy and security flaws (April 8). The New York Times reported that the New York attorney general is demanding a full review of Zoom’s privacy and security practices.

Zoom's privacy policy, in fact, began to draw widespread attention in mid-March for provisions about its storage and use of customer data. At the time, the platform said it would collect, store and share data with advertisers, potentially including “the content contained in cloud recordings, and instant messages, files, whiteboards” shared on the platform. That included videos and transcripts, Ars Technica reported (March 31).

Additional problems:

• Zoom is facing a lawsuit from a plaintiff in California under the new California Consumer Privacy Act (CCPA), which went into effect on January 1, arguing that the company “failed to properly safeguard the personal information of the increasing millions of users of its software application.” (Cyberscroop, March 31)
• Information is shared between users who sign up under the same email domain – useful for work colleagues, but not great for those using personal email addresses. (Vice’s Motherboard, April 1)
• There are concerns that the platform’s claim that it “secures a meeting with end-to-end encryption” is misleading (The Intercept, March 31)
• Revelations that some Zoom traffic from Taiwan was routed through China (BBC, April 7)
• Thousands of email addresses and Zoom passwords are for sale on the dark web (NBC, April 14)

"The Zoom app notifies Facebook when the user opens the app, details on the user's device.., [their] time zone and city, which phone carrier.., and a unique advertiser identifier.. which companies can use to target a user with advertisements", WTF https://t.co/KxpdLk55g4

— DHH (@dhh) March 26, 2020

Zoom Chief Executive Officer Eric Yuan apologized to users, saying the company had fallen short of the community's privacy and security expectations and was taking steps to fix the issues, including turning off its shared usage data with Facebook. On April 9, Yuan told the New York Times that he regretted that the company had not considered its privacy risks to consumers before the pandemic. “The risks, the misuse, we never thought about it.”

Major organizations are banning the use of Zoom, including Google, SpaceX, NASA, New York City Schools, the U.S. Senate, the German health and foreign ministries, Taiwan’s government, and the Australian Defense Force. (Tech Republic, April 9)

Assessing vendor risks

For companies using Zoom as a video conferencing solution to enable connectivity among a newly remote workforce, how do you learn about and manage these vendor risks? Let’s take a look at how SAI360's tools within SAI360 for vendor and third-party risk management can help.

During the pandemic, you need to quickly assess who your vendors are and what immediate impact they could have on your organization. If you have already onboarded your vendors through a vendor management portal, you can quickly reach out to your key contacts and have then respond to a pandemic assessment with a deliberate action plan.

• Rather than a standard 1,200-point questionnaire, have them answer the 30-50 most critical questions about their business operations today.  
• Reduce lag between assessment comments and reviews with automated notifications and inline comments and responses.
• Once the assessment is complete, you can fully understand how your vendors have been affected by COVID-19 and the steps they have taken to respond and recover.

To identify the emerging risks of using Zoom, social media and news vendor monitoring with SAI360’s integration with ZeroFox enables that level of insight. IT risk managers using SAI360 for vendor monitoring would receive automatic alerts so that they can evaluate risks and consider switching to a different solution.

Through our vendor risk solution, you can understand the health of your vendors and suppliers with real-time, event-driven cyber, financial, credit information on third parties. You can quickly assess and gather vendor health in a single view with continuous monitoring rules to automate decisions and alerts for vendors.

Monitoring third-party software and vendors is one of many steps in risk mitigation, which can also include:

• Requiring the vendor to change their process or business to meet your needs
• Ensuring a level of trust through documentation
• Protecting against missteps with legal language
• Periodic check-ins on the vendor performance
• Terminating the vendor/business relationship completely

With SAI360, risk managers are in a stronger position to keep your executive team informed with real-time reporting and analytics, whether you need to present COVID-19 response actions at a high level or with detailed granularity. Get a true picture of your ever-changing vendor risk profile and determine clear next steps with out-of-the-box risk intelligence reports. Don’t get bogged down with distribution of reports, instead, leverage flexible sharing including mobile-friendly options and automatic email delivery on a pre-set schedule.

This example illustrates the business imperative: Organizations need to know who vendors are, who key contacts are, and what your contract terms are so that you have the resources available to evaluate the vendor’s risk level against your data security position and threat models and quickly triage as necessary.

Without an effective vendor risk management program, an organization can face real and tangible damage in the form of financial losses – the average global cost of a data breach stands at an estimated US$3.86 million – customer losses, and reputational and brand damage. Sizing up vendor and third-party risk is difficult.

Learn more about our solutions for managing third-party risk.