Ask any CEO what makes their product unique, and user experience will be at the top of the list. Products built to be easy to use, so that they win quick adoption and build brand loyalty, are often at risk. It makes sense. After all, why use something difficult to navigate when there are easier solutions on the market? This piece looks at zoombombing and how to secure your teams for remote work.
The demand for easy-to-navigate solutions has fueled a build-it-first mentality.
But the COVID era has quickly exposed the vulnerabilities in this approach in tools that have become critical to life during the pandemic. Many across the US are entering their third month of stay-at-home orders due to the spread of the coronavirus and are looking towards a new standard of remote or flexible work once things open back up.
The world is a different place than we left it before the pandemic and the writing is on the wall.
The way we work will never be the same. Take Twitter, which has said that employees have the option of never coming back to the office to work. Facebook, Google and Slack, meanwhile, have said they don’t expect workers back in the office until 2021, if even then.
As we consider our new normal, it’s critical that we understand how enterprise communication ended up so easy to compromise and learn from our mistakes. At a high level, corporations and corporate security people believe privacy is their enemy. They don’t worry about privacy; they worry about securing confidential data and ensuring they’re in compliance with regulations. Privacy can be an effective tool to meet both of these goals.
The Zoombombing Craze
For example, “Zoombombing” swept the nation at the height of COVID-19, affecting everything from a popular daily public WFH Happy Hour to an online event hosted by Recode and New York Times journalist Kara Swisher and The Information’s Jessica Lessin.
Even SNL alum Will Ferrell got in on the trend, promising 2020 USC grads a new car with their diplomas. The issues sprang from Zoom’s design choice that conference hosts “[do] not need to grant screen share access for another participant to share their screen.”
It’s tempting to shrug off “Zoombombing” as a tasteless prank.
Yes, it is a tasteless, if entertaining, prank. Some don’t think of it as a critical design flaw, but it underscores the security issues perfectly.
Without a clear market leader in the enterprise collaboration space, no service is safe — everyone is an obvious target. When work and our social lives moved online, Zoom became the clear frontrunner and therefore drew the attention of pranksters and cybercriminals alike.
Who bears responsibility? Certainly not the employees?
As we rushed into fully remote work, something many had never experienced before the pandemic, we adapted in real time. Coffee tables were cleared off for makeshift home offices, and we learned to work around our new and sometimes very distracting office mates (spouses, roommates, children and pets). We were largely trying to find the quickest solution to get back up and running after being displaced.
But the blame doesn’t necessarily come down on companies either.
Businesses were in triage to provide employees with new ways to communicate with each other. With how quickly everyone had to shift to communicating and collaborating remotely, maintaining strict cybersecurity standards wasn’t top of mind; even the DoD rolled them back. Businesses simply assumed the remote solutions available would meet the mark, believing the claims most vendors had made that their solutions were end-to-end encrypted.
Flaws such as “Zoombombing,” created by prioritizing ease of use in communication tools, existed long before COVID-19; they were simply amplified as the pandemic spread.
The world is finally realizing that most communication platforms, whether for chat, video conferencing or otherwise, were never designed to be highly secure tools. That was fine when confidential work could be done in person. As we look towards a new standard of remote work, we need to be more critical not only of the tools we deploy but of the products we design.
How do you ensure that a platform is truly secure?
A good place to start with security is end-to-end (E2E) encryption. True E2E encryption is a method of communication in which only the users in the conversation can read the messages or be included on the call.
One of the places Zoom faltered was by falsely marketing that its meetings were E2E encrypted.
True E2E would mean the video call data is encrypted at all times in transit so that not even Zoom could access it. Zoom was merely delivering client-to-server encryption, something that Slack, Google, Skype and most enterprise tools offer.
Client-to-server is a foundational level of encryption, but it does not secure information fully from end to end: the provider’s servers terminate the encryption and can read the content.
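To make the difference concrete, here is an added simulation (not code from Zoom or any vendor) of the two models: a relay server that holds each client's transport key, as in client-to-server encryption, and the same server forwarding a payload that alice and bob have additionally encrypted under a meeting key the server never holds. The cipher is a toy HMAC-based keystream built only to show what the server can read; the client names and keys are constructed for the example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 keystream XORed with data. Illustration only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])

class RelayServer:
    """Models the provider: it holds every client's transport (TLS-like) session key."""
    def __init__(self, clients):
        self.transport_keys = {name: secrets.token_bytes(32) for name in clients}
        self.observed = []  # the inner payload of every message the server forwarded

    def relay(self, sender: str, recipient: str, blob: bytes) -> bytes:
        # Transport encryption terminates here, so the server can read the inner payload.
        inner = decrypt(self.transport_keys[sender], blob)
        self.observed.append(inner)
        return encrypt(self.transport_keys[recipient], inner)

def compare_models(message: bytes) -> dict:
    """Send message from alice to bob under both models; report what the server saw."""
    server = RelayServer(["alice", "bob"])
    alice_key, bob_key = server.transport_keys["alice"], server.transport_keys["bob"]
    # Client-to-server only: the payload inside the transport layer is the plaintext.
    bob_got_c2s = decrypt(bob_key, server.relay("alice", "bob", encrypt(alice_key, message)))
    # E2E: alice and bob share a meeting key the server never holds (constructed here;
    # in practice established between the participants out of band).
    meeting_key = secrets.token_bytes(32)
    inner = encrypt(meeting_key, message)
    bob_got_e2e = decrypt(meeting_key, decrypt(bob_key, server.relay("alice", "bob", encrypt(alice_key, inner))))
    return {
        "server_saw_c2s": server.observed[0], "server_saw_e2e": server.observed[1],
        "bob_got_c2s": bob_got_c2s, "bob_got_e2e": bob_got_e2e,
    }
```

In the client-to-server run the server's log holds the plaintext; in the E2E run it holds only ciphertext, while bob decrypts both correctly.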
As a slew of headlines shows, that level of encryption doesn’t stand up to increased attention from “advantageous threat actors.” Now someone is spending the next few months and millions of dollars going back to fix it.
We can’t change the past, but we can look to right these wrongs as we move forward. Our new mindset must balance ease of use with privacy and security. That means preventing anyone not invited to a message or meeting from seeing or hearing its content, taking the time to protect personal information, and retaining call histories only as long as the law requires. Ensuring that only the participants can access the content must become the standard.
Speed and security are often at odds, which in the case of COVID-19 meant making snap decisions around readily available technologies. We can learn from this experience, though, and put better, more secure tools in place as we look towards our new state of work.