Zoom: the curious case of reputational risk

Gabor Matuz
Jun 4, 2020


As COVID hits, it is Zoom’s time to shine. Usage skyrockets and just at the time when the name itself is becoming a verb, it is being hit over and over again by disturbing news about its security. This coincided with Microsoft making Teams free, Facebook coming out with group calls, Skype stepping up its game and Google Meet pitching itself as the secure alternative.

This was the dream sales pitch of any merchant of Fear, Uncertainty and Doubt (FUD) in IT security.

Reputational risk is real, and that is the complicated thing about it. It can be both an important point and a convenient place to hide if somebody wants to avoid data-based arguments and tries to push risk decisions from an emotional angle.

Too many times have I sat in meetings, talking about the necessity of certain security controls, and seen that when a security professional runs out of real arguments, reputational risk is the trump card. It is the perfect argument if you feel you are losing ground. It is vague enough that it is hard to counter with data (although possible), yet everybody has seen it happen, so you can just leave it to people’s imagination. It lends itself to availability bias. To make the bias worse, there is usually no postmortem to quantify the losses. On the other hand, we all remember the headlines.

Those with a vivid enough imagination would paint exactly the scenario Zoom went through. Surely, Zoom must have been driven out of business, right?!

Luckily, because of the expected magnitude, I don’t have to argue that Zoom suffered no loss or that CEO Eric S. Yuan had no sleepless nights. Nor that there is no concerted effort to make up for the lost trust. I’m willing to concede that all of the above probably happened, but this is irrelevant. I’m talking about proportions here.

If you buy the stories of FUD salesmen, what you would expect to happen is carnage, devastation and maybe even an Arthur Andersen type collapse. That clearly did not happen, even though it was a perfect setup. So let’s look at the apocalypse:

  • Zoom has a single digital product
  • It is in an established field with large competitors like Skype and Webex. Those come from providers that often already have a foot in the door (Microsoft, Cisco), with strong traction and little space for Zoom to distinguish itself
  • Zoom is in an unprecedented spotlight, adding large numbers of users, because people are forced to work from home in the COVID pandemic
  • Microsoft quickly follows Zoom by making Teams free during the pandemic, essentially making it an easy substitute, especially for people who use Office. This pushes Zoom even more from the business users’ side (March 5)
  • Reports start to come out (March 26) about privacy issues (March 30) related to Zoom
  • During a tense period between China and the USA (Zoom’s main market), it turned out that Zoom used Chinese servers at the time. This conceivably makes it possible for Chinese authorities to decrypt messages (April 6). Revelations like this trigger the UK government to ban the use of Zoom (April 24). The company’s setup prompts even more questions; Nancy Pelosi calls it a Chinese entity (April 15), the FBI issues a warning and a number of investigations into the security of Zoom kick off
  • In the meantime more and more security issues surface, from annoying Zoombombing (March 27) to dangerous credential theft (April 1), eavesdropping issues (April 22) and disclosure of saved calls (April 16). These issues start to become very real as 500k accounts are being sold on the dark web. To be fair, the last one is not on them, but good luck explaining that.
  • It quickly becomes clear that Zoom had known about some of the issues (April 20) and that it has a somewhat spotty past in fixing vulnerabilities. This arguably makes any explanation by Zoom even harder.
  • Some schools, one of the key target audiences for Zoom, start outright banning it (April 5), as do SpaceX, NASA and Google (April 8). Keep in mind that Google is a company many listen to when it comes to security. These companies are joined by a growing group including the German Ministry of Foreign Affairs, the Pentagon, the US Senate and Singapore’s teachers
  • It is clear that people also get the message, as seen in Google Trends: searches for “zoom security” spike between late March and mid April. Frankly, it would be hard not to notice at this point
  • Facebook announces video conferencing in Messenger, closing the envelope from the customer side (April 24)
  • Google finishes off the combination with a blow to the newly exposed weak side: it emphasises the security and privacy of its new free Google Meet offering (April 29)
  • With the end of April, Europe and the US start to open up and Asia shows no sign of a major relapse.

It is not a long shot to say that, when it comes to reputational damage, this was not a good month for Zoom. It must have been hell for Eric to both rapidly scale the systems and put out fires in the privacy and security department. To their credit, they have put great effort into fixing the issues as fast as they can.

Without doubt this was a huge blunder for Zoom and their public image. So I guess it is no surprise to anybody that the share price of the company has gone UP 45% since March 26th! Just to be clear, that is ON TOP of the 120% increase since mid December.

I’m the first one to admit that the share price is not the best proxy, nor the easiest to untangle. There are numerous forces at play. If the shares were down, say, 20%, I’d say the counterfactual is anyone’s guess.

Said counterfactuals also have to contend with the fact that the very reason Zoom got picked up instead of Skype/Teams/Webex is its lack of security: no signup required, you can join a conversation just by having a link.

Hands up anyone who does not find Zoom more annoying ever since you had to let participants in, use passwords etc. to avoid Zoombombing!

Based on the Q1 results released by Zoom, both regular channel and big enterprise sales jumped. Proportionally, sales to small companies grew even more.

From where I’m standing, it is hard to see the devastation.

To make it clear, I’m not stating that reputational damage does not exist or that less security is better. What I really dislike is selling via FUD and using bullshit emotional arguments.

The reward and return on investment of any development in digital markets is highly unpredictable. The same is true for security enhancements, even more so given that the payoffs are non-linear, the probability distributions are all screwed up and there is very little data. The most extreme case of this is reputational damage.

If you do qualitative risk assessment and there is one thing to add from an IT security professional’s perspective to balance out a decision-maker’s naive estimate, it is to tell them: your basic instinct will be to overestimate the loss!

Now you have Zoom as a good example to point to. Next to, of course, Snapchat: a company that specifically pitched itself from a security angle and then arguably managed to mess up everything it could.

That said, I’m very interested in responses from people who think reputational risk is more of a certainty. Especially if they were able to anticipate that Zoom would not get devastated, or think that Zoom was going to get devastated but managed to recover through some miracle. Or maybe from people who think Zoom did get devastated. I believe we would all benefit if we could get a better handle on the range of reputational risk.
