Collaboration Tools Expose the Remote Office to New Vulnerabilities
Brian Thomas | April 10, 2020
As the COVID-19 pandemic sees millions of employees shift to a work-from-home model, collaboration tools like Zoom and Slack have never been more critical or popular. Zoom is currently experiencing a 378% year-over-year growth in its daily active user count and was downloaded 2.13 million times in a single day as lockdowns went into effect worldwide.
However, while these work-from-home tools connect us in our isolation, they also expose users and organizations to new cybersecurity risks. Indeed, reports of security and privacy concerns associated with the Zoom app have given rise to the phenomenon of “Zoombombing.” In these scenarios, pranksters and threat actors exploit software vulnerabilities to hijack virtual meetings to obtain sensitive information, eavesdrop on conference calls, or conduct other malicious activities, warned the FBI in an April 1 public service announcement.
Zoom CEO Eric Yuan acknowledged that security problems had emerged as a result of its platform being used in new and unexpected ways — and announced several steps the company is taking to address them. But the responsibility for securing teams and data during these unprecedented times doesn’t lie solely with service providers. Corporate security teams that find themselves exposed to increased cyber risk associated with this dramatic shift to the remote office must also act now.
Proactive third-party risk management is essential
The uptick in telework is challenging security teams in many ways. Notably, it’s redefining what technologies are defined as critical. Just a few weeks ago, the term “critical” was reserved for the cloud or other major IT infrastructures; but in an age of remote work, collaboration tools are now being redefined as “critical” digital assets.
As such, security teams must ask tough questions about the security posture of the software they bring onboard — and prioritize these vendors for a closer level of scrutiny. Areas to focus on may now include the vendor’s privacy policies, how your data is handled and used, what encryption protocols are in place, in addition to vital info like their patching cadence, and how they manage their own third-party and supply chain risk.
Security teams should also review contracts with these vendors to ensure they contain language that requires the service provider to uphold their security and data privacy commitments.
Get back to security fundamentals
In addition to applying the above third-party risk management practices, now is the time for organizations and their employees to revisit basic security fundamentals, including user education.
Whether large or small, organizations must take steps to ensure that users are properly trained on how to use collaboration tools securely. Measures to consider include restricting access to remote meetings, ensuring video conferencing invites come from a trusted person, using passwords where possible, avoiding sharing links to virtual meetings, and being aware of social engineering tactics aimed at revealing sensitive information. Security leaders should also encourage employees to ask questions if they suspect malicious activity and educate their teams on a clearly defined process for escalating any concerns to the right point of contact.
Telework isn’t going away, so security teams must adapt
Even after the COVID-19 crisis is over, telework is likely to remain a vital part of our lives. As employers and employees realize the liberating power of technology to change how teams collaborate, it’s important to remember that, even with the most comprehensive cybersecurity policies in place, the fundamentals of good security programs and third-party risk management haven’t changed.
As the “Zoom-ification” of business grows in popularity, organizations must continuously monitor and assess vendors to address cyber risk, even beyond the onboarding phase. Employees must also stay on guard to help assure the organization’s data and network are safe and secure.
Between difficulty communicating with boards and executives, decreasing budgets, and difficulty measuring how exactly risk was being reduced, security leaders are under pressure to change the way they do things. The situation for security...
Cloud computing is not new to the cyber world; it’s here to stay. Web services are common in our everyday lives and workplaces, with things like Facebook, Salesforce, JIRA, Adobe, and GSuite all falling into the cloud-based category. But...
In the cybersecurity industry we deal with news of breaches or potential threats nearly every day, but when you really think about it, it’s bizarrely rare how little these events impact our everyday lives. Yes, they impact the professional...