4 Areas of Focus for Security During the Pandemic
Articles by: Richey May, Apr 30, 2020
Undoubtedly, COVID-19 presents process and security challenges for many companies. With stay-at-home orders lengthening and the conditions of government-sponsored monetary relief changing by the day, many firms may struggle to pivot from the short-term mad dash to get employees set up at home to a long-term strategy.
Our Business Advisory Team has outlined four areas to focus on over the next few weeks to help company leaders protect data in this new environment over the long term, and be prepared for SOC I and SOC II internal control assessments in 2020.
1. Updates to work-from-home policies and procedures
Most companies likely have a work-from-home policy in place. However, many of these are designed to support a limited number of employees or focus on temporary travel. Some companies may also fall behind on updating these policies under normal circumstances. Now, many companies have most or all employees operating remotely, with many having made accommodations quickly. Assess your policy and education materials to see if they include the following:
- Tracking and security of IT assets taken home. Hardware used by your employees at home needs to be recorded and records need to be backed up. Existing policies and procedures may not cover physical security of assets that have been removed from the secure office location. What additional steps do your employees need to take when working from home to maintain physical security of digital assets?
- Restrictions on printing from home. Your employees may have previously had access to secure shredding, so security concerns about physical documents were contained. However, it’s unlikely home shredding is secure, so you’ll need to make sure employees understand what they can and can’t print when working remotely.
- Security of shared/transmitted data. Your IT teams are fighting a constant battle against phishing attacks, which have only increased since the pandemic began. Teams may be sending information via e-mail instead of using approved transmission methods. Securing as many networks as you have employees is much more difficult than securing one main office. For this reason, you may want to block downloading and saving from many sources, and make sure that employees have a secure means for transmitting information both internally and externally.
- Requirement for employees to acknowledge revised policies. How you distribute and record your employees’ acknowledgement is not trivial. Do you have a tool to do this effectively? Is it repeatable or interactive? Will your employees respond better to video training? Think about how to help them remember the information.
2. Access rules for employment and role changes
Access rules can be a big project to manage. Is your current system working? Role changes, terminations and layoffs all require permissions and access changes, likely across many different systems. IT, HR and managers need to work together to stay informed of employment or role changes to ensure the right people have access to the right data. In addition, processes for bulk terminations may differ from traditional practices. Make sure that you maintain documentation of alternative processes to hire, terminate, and alter access of employees.
3. Physical security and access to facilities
Most likely, you have taken some basic steps to secure your office locations while they are unoccupied. The next steps are to consider what type of physical access employees, maintenance and building owners may have during this time and how it may be compromised (purposefully or accidentally). Do you have digital locks that can be enabled, except in case of emergency? Can you secure sensitive items (such as hard drives with customer data) behind a second lock? What rules do you need to follow to allow access for emergency services, such as firefighters, or maintenance? Is there someone monitoring the physical security of the building while it is unoccupied?
4. Maintain timeliness of reviews for reconciliations virtually
Previously your reviews and reconciliations were likely scheduled to occur in person. Migrating these to a digital format may not be easy, especially if you don’t have reliable access to the data you need to provide to your accountant. However, you don’t want to fall behind and create a backlog of work after the crisis is over. At that point, it may be very difficult to track down errors and discrepancies. Ensure you are staying on schedule with reviews and work with your accountant to find a virtual solution. If alternative temporary measures have been put in place, make sure you are prepared to discuss these with your auditors.
COVID-19 is affecting businesses in many different ways. Some are increasing hiring, while some are laying off employees and some are using this time to find process improvements. You may feel you have competing priorities, but security likely remains a top concern. We’re here to help: contact us with any questions about how to keep your data safe and processes in line with your policies.