The Federal Trade Commission and Zoom Video Communications, Inc. announced last month that the two parties had settled a complaint alleging the videoconferencing company deceived users about its level of security. Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said in a statement that Zoom’s platform has been critical in keeping families, friends, students, and businesses connected during the pandemic.
However, “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected,” Smith said.
A Zoom spokesperson said in a statement that the company has addressed the issues identified by the FTC.
"The security of our users is a top priority for Zoom," the spokesperson said. "We take seriously the trust our users place in us every day, particularly as they rely on us to keep them connected through this unprecedented global crisis, and we continuously improve our security and privacy programs."
Prior to the pandemic, Zoom was a name known mostly to medium and large businesses, CFO Kelly Steckelberg said during the recent MIT CFO Summit. About 80% of its revenue came from customers with more than 10 employees, with the remaining 20% coming from its customers with fewer than 10 employees. By the end of June, that latter customer base had almost doubled to 36% of Zoom’s revenue.
Steckelberg said Zoom's more typical customers, the medium and large businesses, usually have an IT department to help educate users on how to keep meetings secure.
When Zoom took on those new users in the early months of the global pandemic, “we had experiences where people were having meetings disrupted, and access to information that was inappropriate,” she said. “While we were certainly growing and having extreme abundance as a result of this crisis, we had our own internal crisis that became a very public crisis for Zoom.”
Steckelberg shared how the fast-growing company addressed its security problems and what lessons it learned along the way.
Rather than take a defensive position, Steckelberg said, Zoom formed a council of chief information security officers from outside the company to get feedback and collaborate on ideas, and CEO Eric Yuan set up weekly ask-me-anything webinars.
Steckelberg had the “humbling” task of talking to investors.
“I think that our customers, our investors, our employees appreciated the transparent nature with which we approached that,” Steckelberg said.
To address the security issues internally, Zoom turned to its development process.
Steckelberg said the company put a 90-day stop to all development unless it was related to a feature or functionality that would make the platform more secure and improve user experience.
“We really needed to focus on ‘How do we fix the problems at hand?’” she said.
Make a new habit
And that focus on security is still in place today.
In the past, if there was ever a conflict between a design for user experience and one for security, the former would win, Steckelberg said.
“Now there’s a much more balanced approach there, where security is front and center in everything that we do,” she said. “Every product, feature, design decision that is made, security and privacy is always considered.”