Polymer


Summary

  • Zendesk presents both platform-side and customer-side vulnerabilities.
  • From SQL injections to compromised accounts, these vulnerabilities pose significant risks to data security.
  • Proactive measures such as multi-factor authentication and data loss prevention (DLP) are crucial for mitigating risks.
  • Organizations can automate Zendesk security and compliance through AI-driven third-party tools.

In today’s ultra-competitive digital landscape, businesses need to ace their customer service offering to attract, win, and retain customers.

In fact, McKinsey research shows that investing in the customer experience (CX) can improve sales revenues by up to 7% and profitability by up to 2% in just one year. 

To enhance the CX, many organizations look to cloud-based platforms that digitize and streamline customer support, and one of the leading providers is Zendesk. With customers including Uber, Airbnb and Slack—just to name a few—Zendesk has become almost synonymous with customer service software.

But, is it secure? 

The answer is more complex than a simple yes or no. As you’ll discover in this article, Zendesk has the potential to be a secure resource for businesses, but it can also be a weak link in the proverbial cybersecurity chain.

Here, we’ll look at Zendesk’s known vulnerabilities in more detail, along with their implications and strategies for mitigation, so you can use the software with confidence. 

Overview of Zendesk vulnerabilities 

The vulnerabilities associated with Zendesk fall into two overarching categories: flaws on the platform side and flaws on the customer side.

This is because Zendesk works on the cloud’s shared responsibility model. While Zendesk is responsible for securing the underlying platform, it is up to the customer to secure user identities and data access. 

Here’s a closer look at how the vulnerabilities in each of these categories play out: 

Platform side

  • SQL injections: SQL injections pose a significant threat to web security, providing attackers with a gateway to manipulate database queries within an application. This manipulation grants them unwarranted control over the website’s database, potentially leading to the compromise of sensitive user information.
  • Cross-site scripting: In a cross-site scripting (XSS) attack, threat actors insert harmful executable scripts into the code of a reputable application or website like Zendesk. Typically, they lure users into triggering the XSS attack by tempting them to click on a malicious link, thereby initiating the exploitation of vulnerabilities within the system.
  • Other vulnerabilities: Like all web-based applications, Zendesk is vulnerable to a variety of malicious attacks specifically designed to manipulate web applications. The OWASP Top 10 outlines the most prominent security concerns, and Zendesk states in its manifesto that it “continuously and dynamically scans core applications against common web application security risks, including, but not limited to the OWASP Top 10 security risks.”

Customer side 

  • Compromised accounts: Zendesk grants customer support agents access to sensitive information such as names, phone numbers, and email addresses throughout support interactions. Should an unauthorized entity breach a support agent’s account, they could exploit any discovered customer data for fraudulent activities. With over 24 billion passwords available for purchase on the dark web, this threat demands serious attention.
  • Incorrect permissions: To preserve compliance and data security, you need to ensure that the right users have access to the right data—no more, no less. Unfortunately, though, many organizations fail to implement adequate permissions in Zendesk, meaning employees have excess access to sensitive information, which leads us on to the next issue.
  • Misconfigurations & data leakage: According to Gartner’s projections, the landscape of cloud data breaches is set to undergo a significant shift, with misconfigurations emerging as the predominant cause by 2025. Within Zendesk, these misconfigurations occur when employees improperly configure triggers and tickets, inadvertently granting unauthorized access to sensitive workspace information. The ramifications of such misconfigurations can be severe, potentially leading to data leakage, breaches of confidentiality, and compromised customer trust.
  • Third-party applications: Zendesk’s versatility extends beyond its native capabilities through its support for integration with a plethora of third-party applications. While these integrations enhance functionality and streamline workflows, they also introduce an additional layer of complexity and potential security vulnerabilities. The security risk inherent in third-party applications lies in their susceptibility to exploitation by malicious actors.

Notable Zendesk CVEs 

So far, we’ve explored Zendesk’s vulnerabilities abstractly. However, these risks aren’t just hypothetical. Over the past few years, Zendesk has been impacted by several high profile vulnerabilities, which were reported to the Common Vulnerabilities and Exposures (CVE) system.

Here is an overview of the most notable ones: 

  • In 2022, security researchers published details of SQL injection and logical access vulnerabilities in Zendesk Explore, which would have allowed threat actors to leak Zendesk customer account data. 
  • In 2021, security researchers found a flaw in the Zendesk upload process that allowed hackers to easily spread malware under the guise of reputable company links. 
  • Security researchers discovered that Zendesk Chat’s WordPress Plugin was prone to a cross-site request forgery vulnerability, which allowed remote attackers to perform certain administrative actions and gain unauthorized access to Zendesk. 

The silver lining with these vulnerabilities is that they were unearthed by well-meaning security researchers, meaning customer data likely remained untouched.

Better still, Zendesk actually incentivizes security researchers to identify vulnerabilities through its dedicated bug bounty program. It offers hackers financial rewards for finding and reporting vulnerabilities, which the company will then mitigate. 

Nevertheless, the above examples highlight that Zendesk is undoubtedly vulnerable to hacking. Just as ethical researchers have found flaws to enhance Zendesk security, malicious actors could find vulnerabilities to exploit as well. Even though Zendesk’s bug bounty program is commendable, it doesn’t guarantee complete immunity from threats. There’s always a risk that a malicious actor could discover a new vulnerability and catch Zendesk off guard. 

Zendesk security incidents on the customer side

While we’ve delved into the ramifications of security vulnerabilities originating from Zendesk, it’s crucial to recognize that customers can inadvertently trigger data breaches and leaks within the platform as well.

Take, for instance, Zendesk’s automations and triggers, which can execute actions automatically based on preconfigured settings. If not configured accurately, these features may inadvertently expose sensitive data to unintended recipients or make it publicly accessible. 

That’s just one example of many. Human error, poor password hygiene, and improper privilege management can all put sensitive data at risk.

In all of these scenarios, Zendesk isn’t accountable for data breaches, leaks, or compliance penalties; the responsibility falls on the customer. Therefore, it’s imperative to strengthen your approach to Zendesk security to mitigate these risks.

In the next section, we’ll show you how. 

Mitigation and best practices for Zendesk users 

To reduce the likelihood of a data breach or leak originating on the customer side, organizations must take several proactive steps to bolster Zendesk security. 

These are as follows: 

Enforcing multi-factor authentication

Multi-factor authentication is a security measure that requires users to verify themselves using at least two mechanisms, such as a password and a code sent to their phone, before logging into a service.

It’s imperative to have multi-factor authentication (MFA) in place throughout Zendesk. MFA stands as a crucial defense against unauthorized access, acting as a formidable barrier against password spray attacks.

Implementing customer-centric nudges

Navigating the information customers share within Zendesk can pose challenges. Often, customers reach out for support inadvertently disclosing private or sensitive data that shouldn’t be stored in support tickets. One solution is to incorporate gentle nudges or reminders into their experience, advising against including sensitive data when submitting requests.

These reminders can also be integrated into preset responses from your support team, effectively preventing sensitive information from entering your database. The best defense for safeguarding such data is to avoid storing it altogether, although this can be difficult due to human error.

Enhancing redaction practices

While Zendesk’s Automatic Redaction tool provides some level of protection against accidental data exposure, it’s not foolproof. Moreover, while Zendesk’s credit card number field meets PCI compliance standards, the redaction tool itself does not.

Given that PCI compliance fines can vary from $5,000 to $100,000 per month depending on the level of non-compliance, additional data protection measures are vital. This is where SaaS data loss prevention (DLP) tools come into play. These tools autonomously monitor and secure sensitive data, including personally identifiable information (PII) and protected health information (PHI) regulated under HIPAA, within platforms like Zendesk.

Leading solutions utilize natural language processing and automation to actively identify sensitive data during transmission, encrypting it to ensure that unauthorized parties never gain access to protected information, even if it was inadvertently shared by a customer.
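To make concrete why redacting card numbers in ticket text is harder than it looks, here is an added example (not Zendesk’s redaction tool or Polymer’s code) that scans a constructed ticket comment: it catches card numbers written with spaces or dashes, and uses the Luhn checksum so that a 16-digit order number is left intact.

```python
import re

# Constructed sample ticket comment (not real customer data). The second card
# number is split with spaces and the third with dashes, which a naive
# 16-digit regex misses, while the order number is 16 digits that must stay.
SAMPLE_TICKET = (
    "Hi, my order 1234567890123456 still hasn't shipped. "
    "I paid with card 4111 1111 1111 1111 and also tried "
    "5500-0000-0000-0004 yesterday. Call me on 555-0100 if needed."
)

# 13 to 19 digits, each optionally followed by a single space or dash.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits):
    # Standard Luhn checksum: double every second digit from the right.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _is_card(match):
    digits = re.sub(r"[ -]", "", match.group(0))
    return 13 <= len(digits) <= 19 and luhn_valid(digits), digits

def find_card_numbers(text):
    # Raw substrings that look like a card number and pass the Luhn check.
    return [m.group(0) for m in CARD_CANDIDATE.finditer(text) if _is_card(m)[0]]

def redact_card_numbers(text):
    # Mask each Luhn-valid candidate, keeping only the last four digits.
    def mask(m):
        ok, digits = _is_card(m)
        return "[REDACTED CARD ****" + digits[-4:] + "]" if ok else m.group(0)
    return CARD_CANDIDATE.sub(mask, text)
```

Run `redact_card_numbers(SAMPLE_TICKET)` to see both card numbers masked while the order number and phone number survive; the Luhn check is what prevents the false positive on the order number.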

Employee training

Human error remains a primary cause of data breaches. Therefore, it’s essential to educate your staff on good security practices to mitigate the risk of accidental data leakage. 

However, not all security training programs are equally effective. As Forbes research shows, when security training is too long, too information-rich, or takes employees away from their work, information retention drops dramatically.

To counteract this and improve training success, we recommend personalizing your training and making it as engaging as possible to maximize return on investment.

The role of regular security audits

Securing Zendesk is far from a “once-and-done” activity. After all, the platform is in a constant state of flux. Securing it is therefore a cyclical journey, requiring regular security audits and reviews to ensure you’re maintaining security and compliance best practices. 

As users and privileges change, and customers share new tickets, you’ll need to implement the following processes to maintain optimum security: 

  • Regularly review and update your security policies and procedures. Keep your security policies and procedures up to date to reflect any changes in your data protection requirements.
  • Monitor your Zendesk environment for suspicious activity. Use Zendesk’s built-in tools and third-party solutions to monitor your environment for potential security threats and breaches.
  • Maintain the principle of least privilege by regularly assessing user access levels and decommissioning access where necessary. 
  • Check for misconfigurations that could enable unauthorized users to view or edit private ticket data. 
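The trigger misconfigurations described earlier and the least-privilege and misconfiguration checks in the list above can be scripted against an export of your instance. The following is an added example, not Zendesk’s or Polymer’s code; it runs over a constructed export whose field names are assumed to follow the Zendesk Triggers and Users API objects (`actions` and `conditions` as `field`/`value` pairs, `comment_mode_is_public`, `notification_target`, user `role` and `last_login_at`), so verify them against the current API reference before use.

```python
import json
from datetime import datetime, timedelta
# Constructed sample export shaped like the Zendesk Triggers and Users API
# objects as assumed here ("conditions"/"actions" with "field"/"value" pairs,
# "role" and "last_login_at" on users); verify names against the API reference.
SAMPLE_EXPORT = json.loads("""{
 "triggers": [
  {"title": "Notify requester", "active": true,
   "conditions": {"all": [{"field": "update_type", "operator": "is", "value": "Change"}], "any": []},
   "actions": [{"field": "notification_user", "value": ["requester_id", "Update", "{{ticket.latest_public_comment}}"]}]},
  {"title": "Make all notes public", "active": true,
   "conditions": {"all": [], "any": []},
   "actions": [{"field": "comment_mode_is_public", "value": "true"}]},
  {"title": "Forward full thread to partner", "active": true,
   "conditions": {"all": [{"field": "status", "operator": "is", "value": "solved"}], "any": []},
   "actions": [{"field": "notification_target", "value": ["12345", "{{ticket.comments_formatted}}"]}]}
 ],
 "users": [
  {"name": "A. Admin", "role": "admin", "active": true, "last_login_at": "2023-01-05T10:00:00Z"},
  {"name": "B. Agent", "role": "agent", "active": true, "last_login_at": "2024-03-01T10:00:00Z"}
 ]
}""")

THREAD_PLACEHOLDERS = ("{{ticket.comments_formatted}}", "{{ticket.latest_comment}}")  # expand to whole thread, internal notes included

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def audit_triggers(export):
    # (trigger title, issue) pairs for active triggers that widen who can see ticket data.
    findings = []
    for t in export["triggers"]:
        if not t.get("active"): continue
        for a in t["actions"]:
            if a["field"] == "comment_mode_is_public" and str(a["value"]).lower() == "true":
                findings.append((t["title"], "forces comments public"))
            if a["field"] == "notification_target":
                body = " ".join(map(str, a["value"]))
                if any(p in body for p in THREAD_PLACEHOLDERS):
                    findings.append((t["title"], "sends full ticket thread to external target"))
        if not t["conditions"].get("all") and not t["conditions"].get("any"):
            findings.append((t["title"], "fires on every ticket event (no conditions)"))
    return findings

def stale_privileged_users(export, now_iso, max_idle_days=90):
    # Active admins who have not logged in within max_idle_days: candidates for review or decommissioning.
    cutoff = parse_ts(now_iso) - timedelta(days=max_idle_days)
    return [u["name"] for u in export["users"]
            if u["role"] == "admin" and u.get("active") and parse_ts(u["last_login_at"]) < cutoff]
```

The benign requester notification produces no finding, while the unconditional "make public" trigger and the thread-forwarding target are flagged; feeding the output into a ticket or an audit log gives you the trail the text above asks for.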

The trouble with implementing these processes is that they are manually intensive and error-prone without the right tools. Either your internal security team will have to spend an inordinate amount of time auditing your SaaS apps, or you will need to pay an external security company a costly fee to undertake the job for you every six months to a year.

Both options have their weaknesses, and both are likely to result in blatant security gaps in Zendesk. 

The better way forward is to automate the auditing process through the use of AI-driven tools like Polymer DLP. These solutions scan your Zendesk environment in real-time, automatically discovering and remediating potential security issues whilst creating an audit trail on your behalf.  

Future-proofing your Zendesk deployment 

While securing Zendesk is no easy feat, third-party security applications are revolutionizing the efficiency of Zendesk security and compliance. 

Using automation and artificial intelligence, these tools empower organizations to embrace Zendesk for customer service without the worry of forsaking security in the process. 

In particular, organizations should look for third-party Zendesk security tools that: 

  • Use natural language processing (NLP) to discover, redact and protect unstructured sensitive data
  • Offer active learning to employees and customers through automated security nudges 
  • Rely on a zero-trust architecture to identify suspicious login activity and data movements

Conclusion 

Ultimately, Zendesk has the power to be a secure facet of digital business operations. While, like all software, the provider is vulnerable to security bugs, it takes an excellently proactive approach to discovering and mitigating these through its bug bounty program.

The biggest security risk when using Zendesk, then, isn’t the flaws inherent in the app, but misconfigurations on the customer side. It’s therefore vital to bolster Zendesk security through carefully selected third-party security applications that mitigate the risks of data loss and misuse within Zendesk.

FAQ 

  • How secure is Zendesk? Zendesk is a secure customer service platform, but organizations must take proactive steps to enhance identity and data security when using the platform. 
  • Is Zendesk ISO 27001 certified? Zendesk has achieved ISO 27001:2013 certification.
  • Is Zendesk GDPR compliant? Yes, Zendesk is GDPR compliant. The company is deemed a third-party data processor within the GDPR because it handles its customers’ customer ticket data. 
  • What is the weakness of Zendesk? Zendesk operates on the cloud shared responsibility model. On the platform side, Zendesk is vulnerable to software bugs. Customers can also incorrectly configure Zendesk, allowing for accidental data leakage.

Polymer is a human-centric data loss prevention (DLP) platform that holistically reduces the risk of data exposure in your SaaS apps and AI tools. In addition to automatically detecting and remediating violations, Polymer coaches your employees to become better data stewards. Try Polymer for free.
