Standard Chartered has become the first major banking business to ban its employees from using the Zoom unified communications and collaboration (UCC) application on its systems.
According to Reuters, which first reported the story, Standard Chartered’s employees were informed of the new restrictions in a memo circulated last week by its CEO Bill Winters, in which he also warned workers not to use Google Hangouts.
Standard Chartered – which is not a Zoom enterprise customer but was seeing extensive use of the service by people using it as a shadow IT application – probably took the step in part given the potential for security flaws to affect its ability to remain in compliance with stringent financial services and data compliance legislation, such as the General Data Protection Regulation (GDPR).
Last week, as Zoom rushed to lock down its service following widespread reports of so-called zoombombing – where malicious users gatecrash meetings held on the service – and accusations of a slapdash approach to privacy, it emerged that multiple government bodies and other enterprises around the world have told their employees to stop using it.
A Zoom spokesperson defended the service, saying: “A large number of global institutions, ranging from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities and others, have done exhaustive security reviews of our user, network and datacentre layers and confidently selected Zoom for complete deployment.”
Computer Weekly contacted Standard Chartered to discuss the ban but had not received a response at the time of publication.
It is understood that several official audio and videoconferencing tools are in use at Standard Chartered, including BlueJeans Network.
As of the end of March 2020, BlueJeans had seen daily conferencing traffic to its meetings grow by over 200% in Germany, Italy, Spain and the UK compared with the previous month, reflecting the rapid and possibly lasting shift towards universal remote working at businesses that are able to support it.
Paul Scholey, senior vice-president and general manager, international at BlueJeans, said that Zoom is an easily set-up and highly user-friendly tool, thanks in part to its freemium business model. However, this also made it easy for Zoom to establish itself without the blessing of the IT and security teams, making it very hard to police, he added.
“Security has to be a two-way thing between the provider and the user. Security has to be collaborative,” said Scholey. “In the world of shadow IT, those issues aren’t taken to heart and best practice doesn’t get drummed into people.”
Anecdotally, said Scholey, the experience of Standard Chartered may turn out to be a common one, because a lot of organisations that had unofficially jumped on the Zoom bandwagon during the sudden transition to universal remote working in March are now realising it doesn’t meet their needs in circumstances where security is a priority.
“A lot of people are now coming to us to say they want to onboard more users,” he said. “Not necessarily because they’re saying they don’t want to use Zoom, but they’re definitely trying to minimise their use of it.
“We build our solution fundamentally around a secure model. Others prioritise usability features and commercial features above that.”
Among other features, BlueJeans uses end-to-end, US federal government-approved AES 128-bit CMC encryption, works extensively with device manufacturers to ensure its service is optimised for secure use on various platforms, and has committed to stringent data privacy practices.
But regardless of what service remote workers are using, there are several steps they should take to use their collaboration apps securely and appropriately.