What Happens When You Let Vendor Risk Assessments Slip: Zoom and Security Risks

April 17, 2020 John Ambra

As organizations work out how to operate through the pandemic, attention has shifted to rapidly meeting operational imperatives as part of executing a business continuity plan. Vendor resilience and active assessment of third-party risk are critical parts of maintaining your infrastructure, and the Zoom story below shows what happens when that assessment slips.

Zoom, based in San Jose, Calif., is a leader in remote enterprise video communications, with an “easy, reliable cloud platform for video and audio conferencing, chat, and webinars.” This spring, Zoom meetings have become household names as we’re practicing physical distancing while maintaining social relationships between work colleagues as well as with friends and family.

Unfortunately, Zoom has also been making headlines for its data security and privacy practices. The company has been accused of sharing user data with Facebook and other companies, which has spawned a class-action investor lawsuit over privacy and security flaws (April 8). The New York Times reported that the New York attorney general is demanding a full review of Zoom's privacy and security practices.

Zoom's privacy policy, in fact, began to draw widespread attention in mid-March for provisions about its storage and use of customer data. At the time, the platform said it would collect, store and share data with advertisers, potentially including “the content contained in cloud recordings, and instant messages, files, whiteboards” shared on the platform. That included videos and transcripts, Ars Technica reported (March 31).

Additional problems:

  • Zoom is facing a lawsuit from a plaintiff in California under the new California Consumer Privacy Act (CCPA), which went into effect on January 1, arguing that the company "failed to properly safeguard the personal information of the increasing millions of users of its software application." (Cyberscoop, March 31)
  • Contact information is shared between users who sign up under the same email domain. That is useful for work colleagues on a corporate domain, but not for people who registered with personal email addresses and were grouped with strangers. (Vice's Motherboard, April 1)
  • The platform's claim that it "secures a meeting with end-to-end encryption" is misleading: meeting traffic is encrypted in transit, but Zoom's own servers can access the content, which is not what end-to-end encryption means. (The Intercept, March 31)
  • Revelations that some Zoom traffic from meetings outside China, including Taiwan, was routed through servers in China (BBC, April 7)
  • Thousands of email addresses and Zoom passwords are for sale on the dark web, a reminder that reused passwords on a conferencing account are as dangerous as reused passwords anywhere else (NBC, April 14)

Zoom Chief Executive Officer Eric Yuan apologized to users, saying the company had fallen short of the community's privacy and security expectations and was taking steps to fix the issues, including turning off its shared usage data with Facebook. On April 9, Yuan told the New York Times that he regretted that the company had not considered its privacy risks to consumers before the pandemic. “The risks, the misuse, we never thought about it.”

Major organizations have banned or restricted the use of Zoom, including Google, SpaceX, NASA, New York City Schools, the U.S. Senate, the German health and foreign ministries, Taiwan's government, and the Australian Defence Force. (TechRepublic, April 9)


Assessing vendor risks

For companies that adopted Zoom to connect a newly remote workforce, how do you learn about vendor risks like these in time to act on them, and how do you manage them once you know? Let's take a look at how SAI Global's tools within SAI360 for vendor and third-party risk management can help.

During the pandemic, you need to quickly establish who your vendors are and what immediate impact a failure or compromise at each of them would have on your organization. If you have already onboarded your vendors through a vendor management portal, you can quickly reach out to your key contacts and have them respond to a pandemic assessment with a deliberate action plan.

  • Rather than a standard 1,200-point questionnaire, have them answer the 30-50 most critical questions about their business operations today.
  • Reduce lag between assessment comments and reviews with automated notifications and inline comments and responses.
  • Once the assessment is complete, you can see how each vendor has been affected by COVID-19 and what steps it has taken to respond and recover.

Emerging risks like the Zoom issues above surface first in the news and on social media, so SAI360's integration with ZeroFox for social media and news monitoring provides that level of insight. IT risk managers using SAI360 for vendor monitoring receive automatic alerts on such coverage, so they can evaluate the risk while it is developing and decide whether to add controls or switch to a different solution.

Through our vendor risk solution, you can understand the health of your vendors and suppliers with real-time, event-driven cyber, financial, and credit information on third parties. Vendor health is gathered into a single view, and continuous monitoring rules automate decisions and alerts for each vendor.

Monitoring third-party software and vendors is one of many steps in risk mitigation, which can also include:

  • Requiring the vendor to change its processes or business practices to meet your needs
  • Establishing a level of trust through documentation (for example, security assessments and independent audit reports)
  • Protecting against missteps with contractual language
  • Periodic check-ins on vendor performance
  • Terminating the vendor/business relationship completely

With SAI360, risk managers are in a stronger position to keep the executive team informed with real-time reporting and analytics, whether you need to present COVID-19 response actions at a high level or in detail. Get a true picture of your ever-changing vendor risk profile and determine clear next steps with out-of-the-box risk intelligence reports. Rather than getting bogged down in distributing reports, use flexible sharing options, including mobile-friendly views and automatic email delivery on a pre-set schedule.

The Zoom example illustrates the business imperative: organizations need to know who their vendors are, who their key contacts are, and what their contract terms are, so that they have what they need to evaluate each vendor's risk level against their own data security position and threat model and to triage quickly when a vendor's risk changes.

Sizing up vendor and third-party risk is difficult, but without an effective vendor risk management program an organization can face real and tangible damage: financial losses (the average global cost of a data breach stands at an estimated US$3.86 million), customer losses, and reputational and brand damage.

Learn more about how to assess, address and mitigate risks for third-party software and vendors in our white paper.

Visit our pandemic information center, which includes reading materials, podcasts, and other best-practice guidance around managing business continuity, compliance, and risk management amid the coronavirus pandemic.

Learn more about our solutions for managing third-party risk.

Or, request a demo to see how SAI Global has helped organizations like yours.

About the Author

John Ambra

John Ambra joined SAI Global in July 2015 as Vice President of Risk Product Strategy. He has more than 18 years of experience working on complex enterprise platform and service implementations for Risk Management, Compliance, Audit, Enterprise Risk Management (ERM), Business Intelligence, and Information Security across many industry sectors.
