The COVID-19 pandemic has forced many of us to discover new and often ingenious ways to continue to deal with our personal and professional obligations – albeit often at a distance. And, we all look forward to signs when we can begin to put this abnormal reality behind us.
By now, many of us have become (somewhat) settled into our routines, which might include work-from-home or dramatic changes in staffing levels and operations for our businesses. In addition, many of the typical audit and regulatory compliance activities have been replaced by operational support of the revised business models and workforce realignments. This shift in priorities is both a necessary and expected part of an organization’s response to the pandemic, where our primary goals are protecting health and safety. It is indeed inspiring to see first-hand how many organizations have put aside their normal practices and rallied to ensure the health and safety of their workforces.
Deferred, But Not Forgotten
While no one would argue that audit and regulatory compliance should supersede personal safety considerations, most crisis managers and security professionals would agree that pandemics and other catastrophic events are always accompanied by increases in various forms of crime, including cybercrime. We have already seen anecdotal evidence of huge increases in malware, ransomware, phishing, skimming and hacking. We have also seen a significant number of new attack variations that seek to exploit people who have recently been dispersed from offices to work from home. The success rate of these attacks appears to be higher than normal, in part because the awareness, training and auditing activities that would normally help maintain an organization’s resistance to these attacks have been suspended. Compounding this increased risk of compromise is a corresponding increase in organizational liability, which will continue to grow the longer the checks and balances of audit and regulatory compliance verification are deferred.
A Pragmatic Action Plan
Ensuring appropriate attention is paid to compliance is a goal all organizations should include in their action plans once the initial workforce and business triage is under way. The first area to address is the changes to security awareness and training required by the new workforce deployment model. Organizations should identify which personnel and roles have been significantly disrupted, and then define new or revised job aids, control changes, training and communication methods to raise the awareness of these workers and increase the organization’s resistance to the elevated threats.
As most organizations do not know how long the workforce changes will be in effect, the improvements should focus on high-impact changes that can be deployed quickly rather than exploring strategic platforms and costly software development that may not be needed in the long term. In many cases, awareness communications can be deployed in conjunction with regular pandemic status updates to the entire organization to reduce the potential of flooding personnel with messages.
The second area to address is compliance, which is needed to monitor and report on the effectiveness of the existing and new security measures, so management has the information needed to identify critical weaknesses and make appropriate adjustments. Many organizations have mandatory regulatory or contractual compliance requirements which require regular assessment and reporting on the effectiveness of controls.
While most regulatory bodies and compliance councils have relaxed their oversight requirements while triage is under way, and have made allowances for performing audits and inspections remotely, at some point the requirements for reporting and oversight verification will resume in full. Organizations therefore need to determine how they will continue to collect the data needed to meet their compliance requirements.
Wash, Rinse and Repeat
The two areas identified in the action plan are important, but they are merely a starting point for organizations to consider as they begin transitioning out of triage and back into establishing full operational control and risk management over the abnormal reality the pandemic has created.
It is expected that organizations will review their risk and threat portfolio to identify additional areas where controls and processes need to be adapted, or where completely new controls need to be developed, and will create additional action plans that can be prioritized as personnel complete their triage assignments. This focused review, plan and execute lifecycle for pandemic risk management should be repeated as often as necessary until the organization concludes its pandemic response, and the tailored assessment and risk treatment processes should be considered for permanent adoption in organizations that did not already have a similar capability.