Zoom’s lesson on responding to security issues

Posted on 2020-06-09 by Matt Strahan in Business Security


When investigating software to use, I’ll inevitably have a look at their security record. What vulnerabilities have they had? Should I be worried?

Sometimes you see something really, really dumb. Like an SQL injection in 2020. Or backdoor credentials… Wait, I mean an “undocumented user account”.

Sometimes the security record makes news, like for Zoom at the moment. They’re suddenly one of the biggest pieces of software on the internet, and that means they’re being picked apart. There are worries about privacy issues and their end-to-end encryption. Zoom has become a household name, and more than a few people have said to me “aren’t you worried about their security issues?”

For me, though, when I see an organisation in the news I don’t concentrate on what happened. For me, that’s in the past. An incident can happen to any organisation, and sometimes it’s bad luck or immaturity in their security rather than negligence.

Incidents are in the past; what really matters is what they do now. Let’s say you showed me two organisations. Organisation number one has never had a security issue: an unblemished record without even any public security vulnerabilities. Organisation number two has had a security issue that made the news, and they learned from it, improved their security, found their gaps, and made the steps public. I’d definitely trust my data with number two.

The problem with number one is that when there’s no public knowledge about their security, the cynical parts of my mind go “well, they may have covered up security issues, or simply no-one’s looked at them yet”. No news isn’t necessarily good news when it comes to cyber security; it’s just no news.

Let’s go back to how Zoom has gone ahead with its security. They fixed their issues, brought in Alex Stamos, bought an end-to-end encryption company, and even wrote a public paper on how they are planning on implementing end-to-end encryption. Wouldn’t you like to have your data with a company that takes security so seriously?

This is a lesson for whenever you are doing due diligence. You shouldn’t just concentrate on incidents and security vulnerabilities, but instead concentrate on how the organisation responded to those issues. Were they proactive or defensive? Were they honest or did they try to cover up? Did they take it as a wider lesson and improve the entire organisation or did they just patch that one part? The response is more illuminating than the incident itself.


About the author

Matthew Strahan is Co-Founder and Managing Director at Volkis. He has over a decade of dedicated cyber security experience, including penetration testing, governance, compliance, incident response, technical security and risk management. You can catch him on Twitter and LinkedIn.

Photo by visuals on Unsplash.
