The COVID-19 health crisis has caused organizations to scramble quickly in order to scale systems and build new functionality outside of established practices and methods. These rapid organizational changes expose organizations to new threats and vulnerabilities. Anytime an organization develops functionality and access from new systems, the Privacy By Design must be in place to guide product owners, project managers, architects and engineers through design and implementation.
The Privacy by Design concept calls for privacy to be taken into account throughout the entire process or organizational change. This includes testing for flaws that would allow unauthorized access to information. This testing must occur during each phase of the organizational change to avoid costly re-solutioning upon completion of the project.
Effective controls based on solid Data and Cyber Governance must be implemented during times of change and uncertainty. Data and Cyber Governance is traditionally drafted to provide guidance when establishing security controls. When unexpected changes occur, security controls must be reevaluated. Gaps and vulnerabilities that surface due to required changes in operations must be filled with policy revisions.
All organizations should establish a written information security plan, to protect customers’ information. To maintain security when instituting operational change, security standards should be amended to:
Organizations should cross-train appropriate personnel in cyber requirements so that the organization can respond to a cyber incident even if primary personnel are sick or incapacitated. This could include making sure that all key and backup personnel know the location of the core documents and policies traditionally sought as part of a cyber breach.
Employee awareness is the key to firms staying secure. An environment of fear and distraction means personnel are more likely to forget to use good cybersecurity practice. Cybercriminals are opportunistic and attracted gaps in cyber policy Ensure effective communication between your team members and cybersecurity leaders by communicating guidance to employees through updated cybersecurity training materials. Cybersecurity controls and procedures in the updated training materials could include:
Organizations are required to review existing security policies and make revisions as appropriate to secure the sensitive data that is shared in collaboration among remote employees while working from home.
Before using security vendors for critical parts of your security program, verify that those vendors have similar plans and redundancies. If a decision is made to quickly bring in additional staff or contractors, be sure to use appropriate regulatory compliant business associate agreements as needed. Ultimately, this is the perfect opportunity to ensure that all key players that your firm works with are aware of the firm’s cybersecurity program, incident response & backup/recovery plans and regulatory compliance obligations.
The COVID-19 health crisis underscores the importance of a good corporate culture and a strong commitment to good governance. Having solid Data and Cyber Governance provides the organization with guiding principles when things get hectic and helps prevent basic security mistakes. An organization’s corporate culture should place high importance on cybersecurity and should include the Privacy by Design Principle when implementing organizational change.
Craig Besnoy Esq., CPA is the Chief Business Officer for Ready Learner One and a technology attorney specializing in intellectual property, data privacy and security who dedicates a substantial portion of his practice to advising both Fortune 500 and startup companies on business and strategic issues including digital transformation, growth strategy, cybersecurity and privacy.
He works with national and international companies in retail, media, manufacturing, pharmaceutical, e-commerce, computer software, transportation, technology and hospitality.
Craig earned his B.S. in accounting from the University of Alabama and his J.D. from the Benjamin Cardozo School of Law where he specialized in Intellectual Property Law. He is admitted to practice accounting and law in New York. Craig has earned accreditation as both a Certified Information Privacy Manager and a Certified Information Privacy Professional/United States (CIPP-US), from the International Association of Privacy Professionals (IAPP).