robsonphoto - stock.adobe.com
Coronavirus: Standard Chartered bans employees from Zoom
Standard Chartered is the first bank to have instructed its staff to refrain from using Zoom
Standard Chartered has become the first major banking business to ban its employees from using the Zoom unified communications and collaboration (UCC) application on its systems.
According to Reuters, which first reported the story, Standard Chartered’s employees were informed of the new restrictions in a memo circulated last week by its CEO Bill Winters, in which he also warned workers not to use Google Hangouts.
Standard Chartered – which is not a Zoom enterprise customer but was seeing extensive use of the service by people using it as a shadow IT application – probably took the step in part given the potential for security flaws to affect its ability to remain in compliance with stringent financial services and data compliance legislation, such as the General Data Protection Regulation (GDPR).
Last week, as Zoom rushed to lock down its service following widespread reports of so-called zoombombing – where malicious users gatecrash meetings held on the service – and accusations of a slapdash approach to privacy, it emerged that multiple government bodies and other enterprises around the world have told their employees to stop using it.
A Zoom spokesperson defended the service, saying: “A large number of global institutions, ranging from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities and others, have done exhaustive security reviews of our user, network and datacentre layers and confidently selected Zoom for complete deployment.”
Computer Weekly contacted Standard Chartered to discuss the ban but had not received a response at the time of publication.
It is understood that several official audio and videoconferencing tools are in use at Standard Chartered, including BlueJeans Network.
As of the end of March 2020, BlueJeans had seen daily conferencing traffic to its meetings grow by over 200% in Germany, Italy, Spain and the UK compared with the previous month, reflecting the rapid and possibly lasting shift towards universal remote working at businesses that are able to support it.
Paul Scholey, senior vice-president and general manager, international at BlueJeans, said that Zoom is an easily set-up and highly user-friendly tool, thanks in part to its freemium business model. However, this also made it easy for Zoom to establish itself without the blessing of the IT and security teams, making it very hard to police, he added.
“Security has to be a two-way thing between the provider and the user. Security has to be collaborative,” said Scholey. “In the world of shadow IT, those issues aren’t taken to heart and best practice doesn’t get drummed into people.”
Read more about securing shadow IT
- CASB tools have gained traction as cloud security becomes more important. Among other features, a cloud security access broker helps companies to pinpoint shadow IT.
- More technologies than ever are available to people now that the cloud is so pervasive, and, as a result, shadow IT has become a problem. Expert Michael Cobb explains what to do.
- Shadow IT can be a good thing if users communicate their needs with IT, and administrators listen. But security still needs to be top of mind.
Anecdotally, said Scholey, the experience of Standard Chartered may turn out to be a common one, because a lot of organisations that had unofficially jumped on the Zoom bandwagon during the sudden transition to universal remote working in March are now realising it doesn’t meet their needs in circumstances where security is a priority.
“A lot of people are now coming to us to say they want to onboard more users,” he said. “Not necessarily because they’re saying they don’t want to use Zoom, but they’re definitely trying to minimise their use of it.
“We build our solution fundamentally around a secure model. Others prioritise usability features and commercial features above that.”
Among other features, BlueJeans uses end-to-end, US federal government-approved AES 128-bit CMC encryption, works extensively with device manufacturers to ensure its service is optimised for secure use on various platforms, and has committed to stringent data privacy practices.
But regardless of what service remote workers are using, there are several steps they should take to use their collaboration apps securely and appropriately.
These include: never sharing meeting IDs to outsiders on social media platforms; protecting meetings with moderator passwords where available; keeping a beady eye on exactly who is joining meetings; taking a proactive approach to the use of live meeting controls – such as booting disruptive people – where available; reading and understanding the service provider’s data privacy policy; looking for services that have WebRTC browser-based options to minimise the need to download; and reinforcing basic cyber security hygiene around clicking on unsolicited or dodgy-looking links.