IT Security: An Unexpected Challenge amid the Pandemic Crisis

“Information Technology” has assumed a crucial role in business operations nowadays. It is an essential infrastructure that accommodates business operations, enhances competitiveness, and facilitates operational continuity and flexibility. In the wake of the “Covid-19” pandemic, “social distancing” was inevitable in mitigating contagion risk. A number of enterprises imposed a “Work from Home” policy while many academic institutions started conducting online classes. Zoom, a video call program developed by Zoom Video Communications Inc., became one of the most popular applications at the time.

Opportunities come with risks

Despite the favorable situation and business conditions for Zoom, which saw its user numbers shoot through the roof while its market capitalization more than doubled YTD, safety concerns over its system and data privacy have become important issues that Zoom needs to resolve. During the period, the Zoom application on iOS was found to have sent users’ data, i.e. device information and the Unique Advertising ID, to Facebook, but Zoom did not clearly inform users about its actions. This means that whenever we log in to Zoom on iOS, our information will be sent to Facebook to allow selection of ads that may suit our interests, even when we do not own any Facebook account at all!

Recognizing the controversial issue, Zoom’s CEO Eric Yuan admitted that Zoom did send users’ data to Facebook after it provided options for users to log in through Facebook, which required the use of Facebook’s program development system. However, Zoom has now removed that system from its application on iOS. A class action against Zoom was consequently filed at the California Court in March. There were also accusations that Zoom gained an unspecified amount of monetary returns for feeding users’ data to Facebook. However, Zoom’s legal department denied this and claimed that the accusation was groundless.

The New York Attorney General’s office also sent a letter to Zoom, asking it to disclose its data privacy policy and security practices. In the letter, the office expressed concerns that Zoom’s existing security practices “might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network.”

New round of crisis...with daily scandals

Zoom’s fortune has turned for the worse as a new trend of cyber attack called Zoom Bombing has emerged. Under this threat, attackers join a group video call and harass participants with obscene pictures or indecent messages until it is no longer possible to continue the meeting normally.

Such incidents made major corporations hesitate to rely on Zoom. Taiwan has prohibited state agencies from conducting video calls on the Zoom application given concerns over national security. The Taiwanese authorities only permit programs developed by Google and Microsoft because they deem the two companies to have acceptable cyber security standards. Germany’s Ministry of Foreign Affairs also sent a circular asking its staff to avoid using Zoom for remote meetings due to cyber security concerns.

Zoom is a superb case study that reflects a new form of IT risk, which is no longer a distant issue. According to NTT Group’s Global Threat Intelligence Report 2020, “cyber criminals” can quickly find new ways to attack regardless of how proactive organizations may be in preventing cyber threats. More than half of cyber attacks in 2019 were a mixture of web-application and application-specific attacks.

NTT’s report also disclosed that the number of attack targets rose in all industries, with the technology industry ranking first (25% of total attacks), followed by the government sector (16%), financial institutions (15%), business and professional services (12%), and academic institutions (9%).

The research finding above may remind one of the (humorous) saying that “There are currently two types of companies: the first are companies that have been hacked and know that they have been, and the other are companies that have been hacked but still have no clue.”

...What type is your company? (Hopefully neither of the two)

Board in the new era ... (needs to be) aware of cyber threats

Threats to business operations in the digital era (mixed with the pandemic) are not limited to the operational level but also affect business strategies. As the leader of the organization, the Board should drive for effective IT policy and ways to tackle potential cyber threats. It should also push the organization to recognize the significance of continuous IT risk management.

As a director, you must ensure that cyber threat management is not the sole responsibility of the IT Department but of everyone in the organization. Therefore, you should emphasize IT knowledge development at all levels of personnel to create awareness throughout the organization and be ready to cope with new threats in a timely manner. You should also use the opportunity to examine your Boardroom and discuss with other directors: “Has the time come for the Board to have a director with IT expertise?”

After all, it is at the discretion of the Board and Management how much they are willing to “invest” to manage IT security risks. Do bear in mind that risk management is like buying an insurance policy: you buy one and usually nothing happens. But when you do not buy one, all kinds of threats strike you out of the blue.


Apilarp Phaopinyo
Senior CG Analyst
Thai Institute of Directors Association


