Mythbusting: on security and why we’re still using Zoom

Amidst its general path of destruction, coronavirus has blessed only a select few industries in lockdown (we’re looking at you, baking supply companies) and fewer still have experienced a rise as meteoric as Zoom.

In the month of March, the video conferencing software jumped from 10 million to 200 million daily users. Everyone from politicians to pick-up football leagues is hosting Zoom chats, turning a moderately well-known company into a household name and an integrated part of our lives.

But this rapid expansion has brought media scrutiny with it. Over the past few weeks the news has been littered with stories of Zoom ‘security breaches’ and questions about its reliability and safety. We’re unpacking a few of the myths behind these reports and explaining why we, as a cyber security company, are still on the Zoom bandwagon.

Some technical stuff

First, almost all conferencing software, including Zoom, uses HTTPS/TLS, the encryption protocol that protects communications on the internet and the same one your bank uses when you log in online or via an app. Your stream is encrypted between you and the provider’s servers, handled there, and re-encrypted over a similar secure link from the provider to the other participants. This is transport encryption: it stops anyone sitting on the network between you and the provider from reading or tampering with the call, but the provider’s own servers see the meeting content in the clear.

Basically, services that use this kind of encryption are secure against the threat most people and most businesses actually face, which is someone eavesdropping on the connection. Should the government be using Zoom to convey top secret information? Probably not, because the provider (or anyone who compromises the provider) can see the content. Is it fine for communicating openly with your team? Absolutely.

Security versus privacy

These two terms are very often and quite easily confused. Security is about protecting your data from unauthorised access by strangers. Privacy is about who is allowed to collect and use information about you, and what they do with it. You can have security without privacy but not privacy without security: a provider can lock its servers down tightly and still sell what it knows about you, but if its servers are open to anyone, no privacy policy will protect you.

The first wave of Zoom ‘security’ concerns was really about privacy: what personal data Zoom collected about its users and what it did with it. Zoom has since updated its privacy policy to state that nobody, Zoom employees included, may directly access the data users share during meetings, including their names and video/audio/chat recordings. “Importantly,” a Zoom spokesperson adds, “Zoom does not mine user data or sell user data of any kind to anyone.” Bear in mind that a policy is a commitment rather than a technical control, and that while Zoom says it doesn’t sell or share data with third parties, it does use Google Ads and Google Analytics, which by their nature pass some usage data to Google.

If you really care about security

If you really care about security there are a few things you should always keep in mind when using videoconferencing. 

First, use a unique password for every service. According to a recent report, 71% of accounts are protected by passwords that are also used on other websites. One of Zoom’s highest-profile ‘breaches’ was not a breach of Zoom at all: the credentials came from a breach of another platform, and they worked on Zoom only because users had reused the same password there. Attackers replay leaked credentials against other sites in bulk (credential stuffing), so one reused password opens you up to further attack everywhere it is used.

Second, keep your operating system and your video conferencing software up to date, so that any patches or protections the vendor ships are actually in place on your device. Alternatively, join meetings from your browser rather than a separately installed app: the browser client runs inside the browser’s own sandbox and is updated along with it, which leaves you one less piece of software to keep patched.

If you want to use Zoom there are some settings you can activate for enhanced protection and privacy. These include the option to watermark all content, and restricting meetings to people signed in with an email address on a given domain (for example, xxx@cybersmart.co.uk). ‘Zoom bombing’, where uninvited people join your call because they have found or guessed the meeting link, is prevented by requiring your attendees to enter a password to join a meeting, so set one and share it separately from the link rather than posting both publicly.

We don’t recommend recording meetings unless you’re happy with them eventually making the papers, but if you must, store the recordings locally rather than in the cloud and treat the files as sensitive.

If you really, really care about security

If you work in an industry with incredibly sensitive data that requires end-to-end encryption, meaning only the participants, and never the provider, can decrypt the content, Zoom may not be the service for you. Zoom doesn’t truly offer this, but a few others do. You might consider using Wire or Webex (Webex is what we use to conduct remote security audits for Cyber Essentials Plus certification).
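To make the distinction drawn in the two passages above concrete (transport encryption between each participant and the provider, versus end-to-end encryption where only the participants hold the key), here is an added example. It is not code from the original post and it is not Zoom’s implementation; it is a small Go model in which AES-GCM stands in for each client’s TLS session with a relay server. The client names, the message and the out-of-band meeting key are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed model of a conferencing relay; not Zoom's code or protocol (assumption).
// All that is demonstrated is who holds which key, and so who can read the content.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// seal encrypts with AES-256-GCM and prepends the random nonce to the output.
func seal(key, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails on the wrong key or on any tampering.
func open(key, ciphertext []byte) ([]byte, error) {
	gcm := aead(key)
	if len(ciphertext) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():], nil)
}

// Server maps each client to its transport key, standing in for that client's TLS session.
type Server map[string][]byte

// Relay is the hop-by-hop step the article describes: decrypt on the sender's session,
// re-encrypt on the recipient's. It also returns the payload it handled in the clear.
func (s Server) Relay(from, to string, ct []byte) (forwarded, payload []byte, err error) {
	if payload, err = open(s[from], ct); err != nil {
		return nil, nil, err
	}
	return seal(s[to], payload), payload, nil
}

// canOpen reports whether any key the server holds decrypts the payload it relayed.
func (s Server) canOpen(payload []byte) bool {
	for _, k := range s {
		if _, err := open(k, payload); err == nil {
			return true
		}
	}
	return false
}

// send carries msg from alice to bob via the server. With meetingKey == nil the payload has
// transport encryption only; otherwise it is first sealed with a key the participants agreed
// between themselves (assumption: out of band, so the server never receives it).
func send(meetingKey []byte, msg string) (bobGot string, serverCouldRead bool, err error) {
	srv := Server{"alice": randBytes(32), "bob": randBytes(32)}
	payload := []byte(msg)
	if meetingKey != nil {
		payload = seal(meetingKey, payload)
	}
	relayed, seen, err := srv.Relay("alice", "bob", seal(srv["alice"], payload))
	if err != nil {
		return "", false, err
	}
	recv, err := open(srv["bob"], relayed)
	if err == nil && meetingKey != nil {
		recv, err = open(meetingKey, recv)
	}
	if err != nil {
		return "", false, err
	}
	return string(recv), string(seen) == msg || srv.canOpen(seen), nil
}

// TransportOnly models per-hop HTTPS/TLS as the article describes for Zoom;
// EndToEnd models a meeting key held only by the participants.
func TransportOnly(msg string) (string, bool, error) { return send(nil, msg) }
func EndToEnd(msg string) (string, bool, error)      { return send(randBytes(32), msg) }

func main() {
	got, readable, _ := TransportOnly("board minutes: Q3 numbers")
	fmt.Printf("transport-only: bob got %q; server could read it: %v\n", got, readable)
	got, readable, _ = EndToEnd("board minutes: Q3 numbers")
	fmt.Printf("end-to-end:     bob got %q; server could read it: %v\n", got, readable)
}
```

Bob receives the same text in both modes; the difference is that in transport-only mode the relay held the plaintext, while in end-to-end mode it held a ciphertext that none of its keys can open. Whatever cipher a real product uses, that is the question to put to a vendor who advertises ‘end-to-end’ encryption: does the server ever hold a key that opens the meeting content?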

Video conferencing is a must in the remote workplace but there are a few factors to consider when deciding which service to use. The National Cyber Security Centre offers some great guidance on this. 

As always, remember that the majority of cyber attacks can be prevented through basic cyber hygiene and the guidelines covered in the government’s Cyber Essentials scheme.

Securing the links in your supply chain to prevent cyber attacks

Cyber attacks happen virtually every day, and the impact a data breach can have on an SME can be catastrophic. Falling foul of GDPR legislation can result in fines, loss of trust in your company and ultimately loss of revenue, so it pays to be compliant.

However, what about the other organisations in your supply chain? Do they require access to your data or systems? Could your security become compromised as a result? While you might have the right cyber essentials in place, can you say the same about your suppliers? These are just a handful of questions all company decision-makers should be asking. 

Supply chain attacks: a history 

Supply chain attacks are nothing new. In fact, one of the largest data breaches in history, in which the US-based retailer Target had the credit/debit card information of up to 40 million customers stolen in 2013, started with a supplier: attackers obtained a third-party contractor’s credentials for Target’s network and used that “trusted” connection to get inside and plant malware on the firm’s point-of-sale (POS) systems.

Putting appropriate controls in place 

All SMEs should understand the risks suppliers may pose and should ensure the supply chain is subject to the appropriate security controls. A good starting point would be to ask all suppliers to show evidence of having attained “Cyber Essentials” certification, the UK government-backed security standard. However, this may be insufficient for high-risk suppliers, who should go one step further and get “Cyber Essentials Plus” certified, which adds an independent technical audit to the self-assessment.

Mitigating against risk 

As a company, you need to decide which controls you insist upon your suppliers having before you decide to continue doing business with them. If suppliers are unwilling or otherwise unable to comply with these requests, you need to consider whether you can put procedures in place to protect your data that allow you to continue forging a working relationship with them. 

Cybercrime is one of the biggest threats faced by SMEs in the UK today, and a compromise anywhere in a supply chain affects every entity within it, from top to bottom. It’s therefore imperative for all elements of the supply chain to work together to maintain the strictest possible security measures.

Find out more 

If you’d like to know more about Cyber Essentials certification or are concerned that your business might not be adequately protected against supply chain cyber-attacks, why not contact Cybersmart today? A member of our team will be happy to discuss your requirements or arrange a security audit of your current systems.