In response to the COVID19 virus, governments around the world have placed strict policies on their citizens, restricting non-essential gatherings and movements, including non-essential office-based work. Now that much of the world’s workforce is now working from home – messaging, video, chat conference applications have been widely adopted and their business use is now commonplace. Instead of being the medium for remote meetings – the use of these applications is ubiquitous.
Millions of business have now rolled out these messaging applications by default. Even our local gym is providing classes via Zoom!
How have business’s considered the security of these applications before deployment?
In the rush to shift the operations to the home, application security was the last thing on people’s minds.
Zoom has received a lot of press regarding some documented security flaws and “Zoombombing” – where uninvited users can readily enter a “private” meeting. This week Zoom CEO has said that they will freeze feature updates to focus on security. Also, this week, Google has banned Zoom’s use across its remote workforce.
Such vulnerabilities can easily be applied to other applications. These applications have often been designed in a more social and consumer context with security and privacy not applied core features. In addition, such applications and tools are now facing unprecedented traffic, deployment, and use, placing further risks on the platforms.
Has business considered their own privacy laws – with applications being used simultaneously across geographies and jurisdictions? It goes without saying that sensitive and confidential information and data are being shared across these applications, whether via voice or chat, adding attachments/files, etc.
Our Threat Researchers have identified many routes of abuse across theses application – where breaches and vulnerabilities are more likely to occur and for many reasons. Meetings are easily recorded and then shared – these constitute a data file of a private conversation that is readily shared with third parties. Unauthorised entry into meetings, by accessing a widely distributed link (plus Zoom-bombing), as well as endpoints hosting such applications having their own set of security issues that are now outside of the organization control and visibility.
We recommend that businesses put in place security policies and consider the issues of privacy, security, and risks when dealing with the mobile and remote workforce. Our government here in the UK is suggesting that these social distancing policies will be lasting for months rather than weeks, which should give us greater impotence to investing some time into considering the widespread use of the messaging applications.