More Due Diligence Needed on Security of Collaboration Tools
End user organisations warned they need to have serious conversations over security
Companies are often not doing enough to carry out due diligence when it comes to buying and implementing collaboration tools in the enterprise, warned Lifesize COO, Michael Helmbrecht.
In an exclusive interview with UC Today, Helmbrecht said that, in light of the Zoom Video Communications issue, in which a vulnerability in Zoom’s Mac software could potentially have let attackers access the cameras on Apple Macs, IT leaders need to ask the right questions about the security of their collaboration solutions.
He said that companies “need to look beyond the logos and badges that we all put on our websites and talk about the product, especially if you’re going to make an enterprise-level investment.”
“What is the company’s approach to security? And how do they design and manage for security throughout everything they do? It’s not just about talking about your GDPR compliance, or HIPAA,” he said. “It’s the fundamentals of what you do automatically versus what you expect me as a customer to figure out that might be an exposure and then take mitigation steps against.”
Helmbrecht added that security should be automatic and not something people should have to think about.
With moves among senior ministers from the “Five Eyes” countries (UK, US, Canada, Australia, and New Zealand) to ban end-to-end encryption in communications products, there is a greater need for transparency in how collaboration products are secured.
Helmbrecht said that it is important for vendors to be transparent about what they do on security and to encrypt communications automatically. He added that if a government has the ability to pull unencrypted data without a court order, this would be a “challenging and dangerous thing”, as it brings us all to a place where customers could be exposed to malicious actors gaining access.
He added that while vendors should comply with laws and take seriously the legal responsibilities they have, these laws should be:
“…structured in a way that organisations can keep their data and their employees safe and should not put an undue burden on them”
Whatever the threat is to data and communications, Helmbrecht said that customers do have concerns over the security of the collaboration products they use but need to ask the right questions of vendors to ensure the tools they use are properly secure.
“We’re doing a lot more now to try to educate customers about the questions to consider and ask, because what we find is, a lot of the questions that are asked are somewhat cosmetic; they’re very high level,” he said.
Thorough questioning needed
He added that high-level questions, such as asking a vendor whether they do penetration testing or are GDPR compliant, are not sufficient for understanding how a vendor is actually securing data and instilling security as a cornerstone of its engineering and developer culture.
“We have to ask more thorough questions. The questions about ‘how’ are often more important than ‘what’ – like ‘How do you manage this? How is your organisation prioritising security and ensuring that it’s continually at the forefront?’” he said.
He added such questions are “really critical things.”
Helmbrecht said that:
“an obligation falls on us as a vendor and anyone else in the market to make clear to customers what we secure and how”