Ale Brown, Kirke Management Consulting and Dominic Vogal, CyberSC
Ale: Good morning Dom! I hope you had a good holiday weekend and that you stayed safe. Since it seems like the only relevant topic nowadays is COVID-19, why don't we talk about how you think it has impacted the security industry. I have been talking to some colleagues and have been reading a lot about how privacy, even though it is top of mind, has been put "on hold" for the benefit of public health issues. This may have long-lasting benefits but also risks. But what are your thoughts in terms of cyber security? How is this pandemic going to change the landscape in the short and the long term?
Dominic: In the short term we've seen many organizations rush to make remote work possible for their staff and employees. Many of these solutions were hastily put in and not necessarily secured in an optimum fashion.
We're seeing the human factor of security become even more important as people will be more susceptible to phishing and social engineering attempts because of the multiple distractions and stress of the current situation. Video conferencing solutions are also being quickly adopted without sufficient security analysis or business requirements review.
Left unaddressed these short-term problems will lead to significant long-term problems which will be exponentially more expensive to address as well as pose an existential threat to smaller organizations.
Ale: Oh, I thought it was going to take you a bit longer to bring up Zoom!
But since we are on the topic, what do you think about the exponential level of adoption of the tool? As a privacy professional, I am worried because the proliferation of "free" online tools almost always means you're giving up your personal information for the company in question's benefit. On top of that, there have been issues from a security perspective, starting with "unwanted" meeting visitors. What are other concerns related to security when it comes to Zoom and what is the best way to protect ourselves until these issues are addressed?
Dominic: Video conferencing platforms certainly came to the forefront the past month. While Zoom certainly had some security misgivings the issue was overly sensationalized by the media. The bigger problem is that most organizations rush to put in solutions without identifying their business and security requirements beforehand.
It's like buying a sedan and then complaining that it doesn't have enough seats. Zoom and most video conferencing solutions have "good enough" security for most organizations... Unless you are Fort Knox or discussing nuclear launch codes. Regardless of what video conferencing platform you are using, take the time to optimize the configurations so it is as secure as possible.
Ale: I agree with you that perhaps the issues with Zoom were a constant point of discussion for a while and it was too much (although the people that experienced "Zoombombers" may not feel this way!).
From my perspective, I think it is important to understand the "why" behind having a free service. Something I have learned through the years (sometimes painfully) is that nothing is really for free. You have to give something in return.
Looking at the Privacy Statement that Zoom had, it was pretty obvious that they were using people's personal information to package it and sell it to third-parties. We have seen in the past what the consequences of this practice are. And people are willing to share because they don't see the consequences of giving away their information. It is not tangible; it is not clear, so they think the risk is not there. In our current situation of a spreading virus, does that seem like a good analogy?
So, if someone is using Zoom or any other videoconferencing tool, what do you recommend for them to do in order to protect themselves and their companies? Perhaps they are not discussing nuclear codes, but they could be discussing confidential and business-sensitive information that could impact their business if it comes out. Do you have a 1-2-3 approach to ensure security of information?
Dominic: I agree and I think this situation has brought forward that many software platforms often don't think about privacy and security from the get-go. The CEO of Zoom publicly stated how he was taken aback by the fact that he should have prioritized security and privacy. Zoom is not alone in this thinking. Most online platforms do not have privacy and security at the forefront.
Hopefully this serves as a catalyst for broader change. In terms of specific best practices for Zoom - make sure your meeting is password protected, don't share the link publicly, have the moderator control who is allowed into the meeting room. Some basic configurations can go a long way to reducing the risk to acceptable levels.
Ale: These are great pieces of advice, and I completely agree with you. I sadly see it every day when talking to businesses. Privacy and security are an afterthought - and by that I mean protecting privacy and security, because in some cases, they are more than happy to use other people's information for their benefit. I think this situation will allow for a more in-depth dialogue and reflection about how to be ready to manage risk.
It has been very clear that a lot of organizations didn't even have a Disaster Recovery plan in place, let alone a regular tabletop exercise to ensure that everyone knew what to do in the case of an emergency in order to allow for business continuity. In my experience, not having a solid Disaster Recovery and Business Continuity plan has different consequences operationally and financially, but since we are talking about security and privacy here, well, these areas are impacted too. As you said before, implementing solutions in a rush means that details are lost and companies are exposed to breaches and other issues. What are the key "watch outs" that companies should keep in mind from a security perspective when it relates to Disaster Recovery and Business Continuity?
Dominic: Great points!! Planning for business continuity is one of the most overlooked aspects of running an organization. The biggest security question mark circles around data access. Don't give everyone access to everything. That violates a basic principle of security - least privilege access. Take the time to make sure that employees only have access to what they need in order to do their job. Take a data centric approach.
Ale: Yes, a data-centric approach is what privacy management is about (specifically for personal information). If all controls go out the window when your day-to-day operations are disrupted, bigger issues will ensue as a result of trying to keep the business open. And these issues may become bigger and harder to manage than just trying to maintain revenues.
This has been a great conversation and very insightful. In summary, what advice would you give business leaders in this time of unprecedented events and new ways of doing business?
Dominic: I agree it's been a real barn burner of a convo! Business leaders need to realize that privacy and security need to be integrated as part of survival mode during this time. They are not frivolous items you deal with just when times are good!
Enjoy the rest of your holiday Monday!
Ale: Completely agree and I hope you enjoy the rest of your Monday too!