2020 was a wake-up call for more than healthcare pandemic preparedness. It also exposed huge security and privacy vulnerabilities in remote work, which cybercriminals exploited thousands of times throughout 2020. Not only work-from-home (WFH) employees have been affected, but also mobile workers, contractors, and supply chain workers, who have largely flown under the radar of CISOs and information security departments for the past two to three decades. Will cybersecurity and privacy professionals heed the lessons learned from this awakening?
If organizations addressed at least the following three issues, they would dramatically reduce their cybersecurity threats and vulnerabilities, reduce privacy breaches and information security incidents, improve compliance with their legal obligations, reduce successful cybercrime attempts, and improve employee awareness (and with it employee satisfaction). They would also be viewed as more trustworthy organizations: ones where employees want to work and stay, because privacy and cybersecurity for employees are as high a priority as the organization's own cybersecurity and privacy compliance.
In the past 5-10 years, privacy and information security training vendors have narrowed their focus largely to phishing awareness and password security. Phishing and passwords are certainly important and should be covered by effective training. However, there are many additional topics that all employees need to be aware of. Not only do more topics need to be covered; organizations also need to provide more than a single general privacy and security training offering for all employees. That general training is important and must be provided, but it is not sufficient on its own.
Organizations must also provide privacy training, along with the associated security training, to work teams whose responsibilities require specific and unique activities to be in place in order to provide sufficient privacy protections. For example:
Many different types of privacy and security training, delivered to many different targeted audiences, need to occur on an ongoing basis to make training more effective at stemming insider threats and at improving overall security protections.
There is still a one-time, before-contracting checklist mentality in most organizations when it comes to vendor, third-party, and supply chain security and privacy management and oversight. 2020 has demonstrated that organizations cannot simply carry on with the same old status quo vendor oversight practices. Due diligence, incorporating assessments and research, must occur before engaging vendors and other types of third parties, and additional steps must be taken on an ongoing basis for as long as the relationship with each third party lasts.
Organizations need to set up regular meetings to cover what's new: whether the third party has new systems or applications, has experienced organizational changes such as acquisitions or divestitures, or has moved to remote working for staff who used to perform activities within business facilities, activities performed on your organization's behalf. These meetings provide insight into where new risks to the personal data you've entrusted to each of them might arise.
For example, if a third party has laid off staff, ask the third party's representative whether any of those staff had access to the data the third party stored, collected, or processed for you. If the answer is yes, go deeper: ask what they did during offboarding to ensure the ex-employee no longer has access to your organization's data or systems. If a vendor's employees are now working from home offices, ask about the security and privacy controls in use there, and how the vendor is ensuring that no unauthorized access to your organization's data, applications, and systems is occurring from home offices shared with others (family, friends, roommates, etc.). Your follow-up questions will depend on the answers they give.
Many organizations are still using exactly the same remote and mobile working security and privacy policies today as they used in December 2019. Many more organizations still have not created documented remote and mobile working security and privacy policies and procedures customized to fit their own unique business environments. And far too many flawed assumptions are being made about remote workers (employees and contractors). Consider just a few questions:
I'm currently finishing my twentieth published book, "Security & Privacy When Working from Home and Travelling," which will be released by CRC Press in a few months. The privacy and security issues I researched and wrote about fill 750+ pages of small-font, tightly spaced lines in my rough draft! I'm cutting and condensing now. But when the issues are looked at closely, many organizations will be astonished at how many new risks they now must address.
If each organization makes these three actions a priority in the coming weeks, it will substantially reduce its security and privacy risks, particularly for remote and work-from-home employees, and as a result will also reduce its privacy breaches and security incidents.
This will be a great beginning. But organizations must not stop here! They've only just begun. Organizations should then identify the additional actions needed to further improve the maturity of their information security and privacy management programs. Privacy and information security management are not destinations; they are ongoing processes that must be followed for as long as business activities occur.