It’s been a few months since the COVID-19 virus changed the way we live and work. While we seem to be past the peak and things are beginning to re-open slowly but surely, there is no certainty regarding a second wave. We also don’t know what the ‘new normal’ may look like, both in terms of how we live and how we work. One thing is certain: companies had to adapt quickly to a work-from-home (WFH) capability. The companies that already had an established and mature WFH policy likely had the security and data privacy issues covered. Companies that adopted a WFH capability in a hurry often had efficiency and security issues to resolve.
WFH is here to stay and will expand into work-from-anywhere for some, increasing the security risk around both logical and physical assets. This new trend reinforces the need for right-sized cybersecurity programs and training as more employees are outside the firewall and often not working on corporate-owned devices. Now is the time for companies and professional firms (e.g., legal, private equity, venture capital) to re-assess their security and client privacy policies.
The next steps and priorities depend on your starting point. A company with a well-established security program and certifications such as ISO 27001 or SOC 2 is already in a continuous assessment mode, as it is audited yearly. On the other side of the spectrum, earlier-stage companies and some SMBs have no security program established; they may have their servers in a co-location data center with no firewall configuration management practices and no end-point security.
How to Get Started
- If you don’t have a security program, get to work! Take a risk-based approach to protecting your logical and physical assets. A minimum viable product methodology for creating your security plan will ensure that you don’t implement an overly burdensome program.
- Re-train your employees, especially regarding the security and privacy issues caused by WFH. If they have confidential physical documents in their home office, do they have a paper shredder? The same in-office practices need to be extended to the home office.
- Focus on private network security, two-factor authentication, and end-point security, including the ability to lock or erase corporate-owned mobile devices remotely.
- Use globally accepted security frameworks like NIST CSF as a design tool for your program.
- Reach out to security providers for assistance if you don’t have in-house expertise.
About the Author
Rocky Vienna is Crosslake’s Practice Director for IT Due Diligence and Cybersecurity. With over 25 years of experience, he has led global enterprise initiatives at an impressive array of Fortune 100s, start-ups, and medium, fast-growth companies in healthcare, technology, financial services, retail, digital publishing, hospitality, and higher education.