Cybersecurity – Where Do We Go from Here?
By Thomas J. DeMayo, Principal, Cyber Risk Management
As we move past the six-month mark of being immersed in the global COVID-19 pandemic, it is important to reflect on and appreciate where we have been so that we can strategize and plan for where we need to go next. The IT landscape has experienced a fundamental shift since March as IT teams, in the fight for business sustainability, have scrambled to support remote work.
As we look to the future, many businesses are fully embracing the reality that a Monday through Friday in-office schedule will most likely not return. While this has many tangible social benefits, new risk implications and operational challenges will present themselves. We offer the following key considerations as your business navigates forward in this unprecedented time.
- Change your perspective: Transition your view of cybersecurity from the perspective of a physical location to that of the person and the device. Your ability to effectively manage identities and devices from any location will set the foundation for the strength of your evolving security program.
- Know your data: As you embrace more flexible work arrangements and potentially increase your cloud footprint, it will be essential that you have a very clear picture of the types of data you consume. This includes how you consume it, why you consume it, where you store it, how you protect it, how you transfer it, and how you eventually dispose of it. If you can’t clearly answer all of those questions, your business may face the risk of losing or exposing a key business asset.
- Value your data: Once you fully understand your data landscape, you need to value it. Not all data is created equal and not all data requires extensive controls to protect it. To accomplish this, you need to establish a data classification framework. Focus your efforts and budgetary resources on protecting what matters most to your business and what would cause the most harm if lost or exposed.
- Communicate: Not all risks can be, or need to be, managed by technical controls. Clear and effective communication is more often than not one of your best tools in managing risk and maintaining control. Keep your employees informed, specifically about how they are expected to manage and handle the data based on the value you have assigned. For example, don’t have employees storing data in cloud-based applications that the business has not approved.
- Maintain visibility: A key control is accountability, which more often than not comes from visibility. This concept applies not only to technology and data, but also to visibility into employees and their behaviors. While you should always have faith and trust that employees will remain honest, you need to make sure that the control environment necessary to deter, prevent, and detect any deviations adapts to the decreased physical visibility of your workforce. Fraud prevention controls need to be assessed and may need to be updated.
The pandemic has thrust many changes upon the world, for better or for worse. As a business, this is a time to really step back, evaluate your current technical and data landscape, and make sure you are positioned to come out of this better, stronger, and more efficient. The good news is you don’t have to do it alone. At PKF O’Connor Davies, we have the resources to help you navigate your path forward across all facets of your business. We encourage you to contact us today as you continue down that path of success.
Thomas J. DeMayo, Principal, Cyber Risk Management
CISSP, CISA, CIPP/US, CRISC, CEH, CHFI, CCFE
PKF O’Connor Davies, LLP
665 Fifth Avenue, New York, NY, 10022
212.867.8000 or 646.449.6353 (direct)