While organizations were able to quickly meet the basic changes required to support employee and supplier Work-From-Home (WFH) demand and accessibility, other aspects may have fallen into non-compliance, including sensitive data and personally identifiable information (PII) protections, data governance, and data residency. To ensure continued operations, many companies will need to launch re-examinations of the new workspace, data, documents and supporting compliance, operational, privacy, and security policies and procedures. Businesses must ensure that appropriate measures are enacted and that they can effectively support ongoing customer, business partner, and governmental requirements.
When the COVID-19 pandemic broke out in March, there was a mad scramble to accommodate the shift in business to a WFH environment and develop new business models so that there would be minimal disruption of service across many industries worldwide. The exceptions were businesses that could not support WFH (e.g., the hospitality, restaurant, and travel industries).
Speed was vital to the success of supporting most employees working from home. Unfortunately, given the rapid move to WFH around the world, it is highly likely that this major shift in IT operations has inadvertently resulted in a number of out-of-compliance conditions. Moreover, many aspects of the realities of working from an offsite facility on an ongoing basis were not considered when the new guardrails were established.
It is now time to re-examine areas where enterprises may be out of compliance in some locations and geographies – or across many geographic regions. Two specific areas need scrutiny: (1) the digital and physical WFH environment, and (2) governance and controls.
The Digital and Physical WFH Environment
While most organizations allowed staff to work from home prior to the COVID-19 lockdown orders, many business applications – most of them providing access to sensitive data – were not accessible from locations outside a company’s site. In some cases, this was dictated by regulatory requirements (for example, trading in stocks and bonds on behalf of the firm). This was also true of some company-sensitive data and personally identifiable information (PII) related to customers and prospects. (Examples of PII include Social Security numbers and HIPAA-protected medical health data.) GDPR in Europe and CCPA in California are the most prominent recent examples of governmental regulations governing data compliance.
As business managers and IT managers, we face several significant challenges to ensure compliance across the board that supports our corporate data policies and complies with governmental regulations.
One of the first challenges to address is protecting end-user devices that access business applications and data. Now that these applications and data are available from a company-owned, end-user device – or even worse, a personal device that may never be properly wiped clean during usage or upon disposal – it is necessary to lock these devices down correctly and to guarantee that they conform to regulatory requirements.
A second challenge involves the usage of these devices. The fact is that employees working from home represent a bigger threat to the organization than those at a company site. First, companies must recognize that phishing attacks have ramped up considerably over the past few months and the probability of employees falling prey to them has increased. Second, the insider threat is greater now that disloyal employees no longer need to worry about someone looking over their shoulders and may now undertake malicious activities more freely.
Moreover, enterprises need to ensure that children, roommates, spouses, significant others, friends and family who have the ability to access the devices are locked out. Experience has shown that others will attempt to access the computer for their own personal business — and that they may even download unauthorized or undesirable applications onto the device. That action alone might bring along malware that could infect the entire company.
Another area of exposure is always-on listening devices such as Amazon’s Alexa and Echo or Google’s Assistant, as well as other smart home devices. The Alexas of the world are constantly listening to conversations, and the captured audio is sent to a remote facility for analysis. It is possible that PII could be extracted and unknowingly used by third parties. In a similar vein, it is not difficult for hackers to tap into smart home devices – whose security features are quite lax – to gain access to the home network and eventually to corporate end-user devices, where PII and corporate sensitive data may reside.
A fourth challenge involves the issue of physical documents. Companies have committed to protect company-confidential and PII data at all times – and the company is required to know where it is at all times (including digital and physical copies of the data).
Is your company still in compliance? We must take inventory of our applications and data and determine if we are supporting compliance with all governmental regulations and standards along with our company’s data-protection policies.
Here are some questions to consider: if a person asks to have their personal data deleted, as allowed by law, would that still happen — and would the company know for sure that the data was protected properly? In general, can the firm guarantee that all physical documents are kept under lock-and-key at all times or that they can be deleted when required? In a WFH environment, how can the firm guarantee that non-employees will not be able to see data-protected documents?
Governance and Controls
Governance of user data needs to change, and new policies and controls need to be established. The challenge will be to incorporate all the new protective measures without impacting employees’ ability to perform their jobs. For example, an account lockout policy should be put in place to deter attackers from gaining access. However, failed-password-attempt limits should not be so low that employees get frustrated by lockouts. Audit teams need to perform access, activity, and configuration audits frequently to limit exposure to compliance issues. Additionally, auditors should review and, if needed, update their continuous automated penetration and attack testing policies and procedures.
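The lockout trade-off described above, as an added illustration (not code from the original article): a small failure-window tracker replayed against two constructed login sequences, showing that a threshold of 2 locks out a legitimate user who mistypes twice, while a threshold of 10 still stops a password-guessing run. The policy values and sample attempts are assumptions chosen for the demonstration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int   # failed attempts tolerated inside the window
    window_s: int    # sliding observation window, in seconds
    lockout_s: int   # how long the account stays locked


class LockoutTracker:
    """Tracks failed logins per user and locks the account at the threshold."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> unlock time

    def is_locked(self, user: str, now: int) -> bool:
        return now < self.locked_until.get(user, -1)

    def record(self, user: str, now: int, success: bool) -> bool:
        """Register one attempt; return True if the account is locked afterwards."""
        if self.is_locked(user, now):
            return True
        q = self.failures[user]
        while q and now - q[0] > self.policy.window_s:   # drop stale failures
            q.popleft()
        if success:
            q.clear()          # a good login resets the counter
            return False
        q.append(now)
        if len(q) >= self.policy.threshold:
            self.locked_until[user] = now + self.policy.lockout_s
            q.clear()
            return True
        return False


def replay(policy: LockoutPolicy, attempts) -> set:
    """attempts: iterable of (user, time, success). Returns users locked at any point."""
    tracker, locked = LockoutTracker(policy), set()
    for user, t, ok in attempts:
        if tracker.record(user, t, ok):
            locked.add(user)
    return locked


# Constructed sample: alice mistypes twice then succeeds; a guessing run hits bob.
TYPOS = [("alice", 0, False), ("alice", 5, False), ("alice", 12, True)]
GUESSING = [("bob", t, False) for t in range(0, 60, 2)]   # 30 failures in a minute
RELAXED = LockoutPolicy(threshold=10, window_s=300, lockout_s=900)
STRICT = LockoutPolicy(threshold=2, window_s=300, lockout_s=900)
```

Replaying `TYPOS + GUESSING` under `RELAXED` locks only bob, while `STRICT` locks alice as well, which is the frustration the paragraph warns about.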
Moreover, companies need to look beyond their consultants and employees: they must validate that their outsourcers and supply-chain partners are also in compliance and can attest to it. Lastly, companies must be able to attest to their own compliance and be able to withstand an audit.
The Bottom Line
We are living through a period of tectonic shifts in the world’s economy. There is no business-as-usual – and the future is uncertain, even with a vaccine coming. However, even the extreme case of dealing with simultaneous health and financial crises should not prevent enterprises from complying with existing data-protection regulations. If there is one certainty, it is that, given enough time, governments will aggressively fine businesses that fail to comply with their regulations – resulting in financial damage to the business and its reputation. Thus, each organization must review its compliance situation – and begin addressing critical issues before government agencies start looking for corporate examples to penalize and publicly embarrass.
The shift caused by the COVID-19 pandemic is the New Normal for business for an indeterminate period, causing an acceleration of digital transformation, application modernization and data-based analytics. Business and IT executives must work together to optimize their new work models – and ensure that they are in full compliance with all appropriate regulations, across all geographic regions worldwide. The tools exist today to make that possible.