It has been a few months since the COVID-19 pandemic changed the way we live and work. While we seem to be past the peak and things are beginning to re-open slowly but surely, there is no certainty regarding a second wave. We also don’t know what the “new normal” will look like, both in terms of how we live and how we work. One thing is certain: companies had to adapt quickly to a work-from-home (WFH) capability. The companies that already had an established and mature WFH policy likely had the security and data privacy issues covered. Companies that adapted quickly to WFH more often than not still have efficiency and security issues to resolve.
WFH is here to stay and will expand into work-from-anywhere for some, increasing the security risk around both logical and physical assets. This new trend reinforces the need for right-sized cybersecurity programs and training as more employees are outside the firewall and often not working on corporate-owned devices. Now is the time for companies and professional firms (e.g., legal, private equity, venture capital) to re-assess their security and client privacy policies.
The next steps and priorities depend on your starting point. A company with a well-established security program and an ISO 27001 certification or SOC 2 report is already in a continuous assessment mode, since it is audited yearly. On the other side of the spectrum, earlier-stage companies and some SMBs don’t have a security program established and may have their servers in a co-location data center without established firewall configuration management practices or endpoint security.
How to get started
- If you don’t have a security program, get to work! Take a risk-based approach to protecting your logical and physical assets. A minimum viable product approach to creating your security plan will ensure that you don’t implement an overly burdensome program.
- Re-train your employees, especially regarding the security and privacy issues caused by WFH. If they keep confidential physical documents in their home office, do they have a paper shredder? The same in-office practices need to be extended to the home office.
- Focus on network security for remote access (e.g., a VPN into the corporate network), two-factor authentication, and endpoint security, including the ability to lock or wipe corporate-owned mobile devices remotely.
- Use globally accepted security frameworks like the NIST Cybersecurity Framework (CSF) as a design tool for your program.
- Reach out to security providers for assistance if you don’t have in-house expertise.