Monitoring and Updating IT Security and Controls in the Wake of COVID-19

Early on in the pandemic, as offices cleared out and employees began working remotely, IT departments deployed tens, hundreds or even thousands of new worksites, often in a matter of days. New technology equipment and software were purchased and deployed as quickly as possible. Microsoft Teams, Slack, Zoom and company-provisioned cloud storage were among the most popular new tools “spun up” to meet the immediate needs of employees and clients.

The coronavirus came; where did your data go?

During these first few months, the mantra was to get the job done quickly with as few disruptions as possible. IT controls and security were not at the top of most priority lists. IT departments were too busy putting out fires to ask questions like: “Who are the administrators?” “Are our organization’s data governance and protection solutions being applied to these new tools?” and “Are the new tools federated/shared with customers, partners or other parties?”

But the move to remote work opened the door to new IT security risks. The walls of the organization expanded as many companies added their employees’ personal devices to the organization’s network. Company protocols for assessment of personal devices may have been relaxed to speed up the process of getting employees working remotely. Meanwhile, employees got things done using Google Drive, OneDrive, Dropbox and other free programs that may not previously have been in the company toolbox.

What can an organization do now to improve data security in this new environment?

As time goes by and organizations have adapted to the changes, many are now taking stock of their remote operations with security and controls in mind. What is the impact on an organization’s data security? It depends, and every organization may find that its data has dispersed in different ways. Here are some examples:

Disclosure of sensitive information. This is particularly critical in health care, but applies to other industries as well. Organizations should consider whether sensitive files are now being stored in new locations. Is it possible for confidential information to be printed in home offices?

Recording of sensitive conversations. The number and frequency of web-based meetings have skyrocketed, and security controls may not have kept pace. Do you know who recorded which web meetings and where those recordings are stored?

Safety of what’s on screen. With the movement to remote work, many employees began using various devices to join video services from new and different physical locations. As they focused on making sure the technology, devices and services worked, many were not focused on background or ambient visuals. In some observed cases, passwords and other sensitive information could be seen in what was thought to be a private setting. Are your web conferencing users aware of what’s visible across their web cameras?  

The first step is to find out the answers to these questions:

  • Where are your devices going/connecting? Can you look at their DNS (web address) connections?
  • Who did we just partner with? Did we just perform a large SSO / CASB integration?
  • What did we open up? Did we just allow more through our firewall?
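
One way to answer the first question from resolver logs, shown as an added example that is not part of the original article: it tallies, per device, DNS lookups for the file-sharing services named above that are not on the approved list. The log format, the IP addresses and the choice of which services count as approved are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample log, one "timestamp client_ip query_name" per line
# (hypothetical export format; adapt the parsing to your resolver).
SAMPLE_LOG = """\
2020-09-14T09:01:12Z 10.8.0.21 teams.microsoft.com
2020-09-14T09:01:40Z 10.8.0.21 www.dropbox.com
2020-09-14T09:02:05Z 10.8.0.34 zoom.us
2020-09-14T09:03:17Z 10.8.0.34 drive.google.com
2020-09-14T09:03:18Z 10.8.0.34 DRIVE.GOOGLE.COM.
2020-09-14T09:04:00Z 10.8.0.57 onedrive.live.com
malformed line
2020-09-14T09:05:31Z 10.8.0.57 notdropbox.com
"""

# Assumption: tools this organization has formally approved.
SANCTIONED = {"teams.microsoft.com": "Microsoft Teams", "zoom.us": "Zoom"}
# Assumption: storage services from the article that were never approved here.
WATCHLIST = {"dropbox.com": "Dropbox", "drive.google.com": "Google Drive",
             "onedrive.live.com": "OneDrive"}

def match_service(qname, table):
    """Return the service label if qname is a listed domain or a subdomain of one."""
    name = qname.rstrip(".").lower()  # normalize case and trailing root dot
    for domain, label in table.items():
        # Match on a label boundary so "notdropbox.com" is not counted as Dropbox.
        if name == domain or name.endswith("." + domain):
            return label
    return None

def unsanctioned_by_device(log_text):
    """Map client IP -> {service: lookup count} for watch-listed services."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:  # skip lines that do not fit the expected format
            continue
        _, client, qname = parts
        if match_service(qname, SANCTIONED):
            continue
        label = match_service(qname, WATCHLIST)
        if label:
            hits[client][label] += 1
    return {client: dict(services) for client, services in hits.items()}

if __name__ == "__main__":
    for client, services in sorted(unsanctioned_by_device(SAMPLE_LOG).items()):
        print(client, services)
```

A lookup shows only that a device resolved the name, not what data moved, so treat the output as a list of devices and services to review. Devices that send encrypted DNS to an outside resolver will not appear in this log at all.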

Once these questions are answered, you’ll have a better understanding of where you spent money and whether and where your organization may have entered into any long-term commitments. With that in mind, you can take the next step: separating the short-term solutions from the long-term commitments you want to retain.

For those quick fix solutions you don’t plan to retain, you will need to consider how you will store the data in workplace archives or another location.

You may find that some solutions that were considered to be temporary actually work well and should be kept for the long term. For example, many organizations expect to continue holding some or even all meetings and conferences on Zoom or other platforms to reduce travel costs. In those cases, determine how these changes will be integrated into overall operations and whether additional licenses, software or other equipment will be needed.

Therefore, this is also a good time to evaluate and perhaps rethink your IT operations to incorporate some of the beneficial changes and adapt to the “new workplace.” Many organizations will need to initiate a process to evaluate the effectiveness and scalability of IT systems and services to meet the sudden increase in remote workers during the 2020 pandemic.

As part of this process, you will want to update your governance policies and procedures, modify internal controls, and conduct a deeper assessment of recently added solution providers. This may include an audit of new licenses that may have been added or may need to be added following recent changes in operations. In reassessing and updating, you will need to deploy additional security training for employees and connect monitoring tools to the newly deployed solutions.

At this time, the future of remote work is uncertain. But one thing you can be certain about: security will continue to be a growing concern as organizations adapt to the changes ahead. For assistance in evaluating your organization’s data security, contact us. We are here to help.

© 2020

 
