Mar 23, 2020
In just a short amount of time, COVID-19 has had an immense impact on the global economy, as well as on business operations around the world. How companies stay resilient and adapt in the face of COVID-19’s impact will be a topic of discussion for many business leaders as new information continues to surface. Along with COVID-19’s impact, the changes business leaders implement to respond to the ongoing crisis may introduce unintentional security and privacy risks.
Our daily routines are being impacted, along with the activities we perform. This creates opportunities for hackers and others with malicious intent, who thrive in this type of environment, to take advantage of uncertainties and changes to routines. What has not changed, however, is an organization’s responsibility to protect data and to secure systems to reduce the risk of a breach or unauthorized access to information. The regulatory requirements, and other state and industry standards for protecting information, are as critical as the day they were implemented, if not more so. GDPR, CCPA, NYDFS, PCI DSS, CFIUS, HIPAA, HITRUST, SOX, and so on still need to be adhered to.
The risk to an organization could increase if processes, implemented to help secure systems, protect data and information, and maintain daily operations, are not followed. Personnel, who have the assigned roles and responsibilities for managing systems and the corresponding data environment, need continued support and assistance to meet their job assignments.
To add to the complexity of daily operations, organizations have been forced to consider remote work options and telecommuting to slow the spread of the virus. There are certain technical considerations for remote workers, the first being the devices that they will use to conduct business. For organizations that provide laptops, this is generally a non-issue. However, if your workforce is typically in the office, working remotely can present some additional challenges from an equipment standpoint.
How will businesses secure remote access to company systems and data?
Businesses across the globe have been instituting remote work requirements to decrease the likelihood of spread and impact on business operations. Due to the increase in remote workers, businesses should secure access to company systems and data to ensure secure transmission of personal information. The actions below can help secure remote access to the organization’s systems:
- Require secure connections to remotely access company systems. A VPN solution should be leveraged to ensure the transmission of data is secured over public networks. A common practice for many organizations is to use multi-factor authentication in conjunction with VPN to ensure authorized access.
- Ensure session timeouts for connections into company systems. Allowing remote connections to stay open indefinitely increases the window of availability for unauthorized access.
- Ensure workstation timeouts for remote workstations. With the increase of remote workers and remote workstations, businesses will be unable to physically secure these areas. By implementing workstation timeouts, businesses can reduce the opportunity for unauthorized access if a remote workstation is left unattended.
- Require that email go through the organization’s distributed solutions. Organizations are highly dependent on email communications, and in most instances corporate email is available remotely. Employees should be reminded not to conduct corporate business over personal email accounts, text messages or third-party apps that are not managed by the organization. This is a great opportunity to pick up the phone and speak with people in lieu of other typical communication channels.
How will businesses secure mobile assets?
Businesses should consider how mobile workstations will be secured. With remote working, the increased number of mobile workstations provided to employees will need to be secured. Data at rest should be encrypted. Hard drives on workstations are commonly encrypted to ensure confidentiality of data. That is just a start.
We are all adjusting to the changes as a result of COVID-19. By supporting and reinforcing your organization’s processes, procedures and solutions, which were implemented to protect your data, the risk can be better managed.
If you are concerned about the vulnerability of your organization, contact our Risk Services Leader, Tiffany Pollard (firstname.lastname@example.org) to help guide you through ensuring your systems are safe and secure.
Mar 18, 2020
Provided By BDO Alliance, USA
A Checklist for Organizational Leaders
On March 11, the World Health Organization (WHO) declared the novel coronavirus (COVID-19) outbreak a pandemic, with numerous countries—including China, the Czech Republic, Hong Kong, Italy, Slovakia and the U.S.—announcing travel restrictions and social distancing measures.
Beyond the immense impacts the outbreak is having on public health, the pandemic directly impacts economic activity and poses unique challenges to businesses across industries because of its potentially compounding and unpredictable consequences.
With massive quarantines, travel restrictions and factory shutdowns, companies are struggling to quantify potential exposure. Attempting to mitigate potential losses from an unknown number of variables is daunting, especially when the situation is changing daily. Business owners and risk managers will face not only tactical execution and recovery challenges, but also the prospect of navigating a lengthy insurance claim process.
Understanding how to determine and capture lost revenue and income stemming from this unpredictable outbreak is critical to minimize financial implications. To do that, business leaders must determine their infectious disease risk profile.
Here are the key questions organizational leaders need to ask to evaluate their risk profile and the corresponding action items to navigate the ongoing outbreak:
1) How prepared is my organization? What does “prepared” look like to our organization?
- Conduct a business continuity risk assessment to identify potential internal operational, financial and market risks; determine direct and indirect impacts; and generate an action plan. Third-party vulnerabilities should be incorporated into action plans.
- Identify a response team to lead ongoing crisis management efforts, coordinating with appropriate federal, state and local authorities. These efforts should include regular communication to internal and external stakeholders.
- Communicate with internal and external stakeholders—as well as their surrounding communities—about what coronavirus is and key protective measures people can employ. Leveraging information from WHO’s dedicated public advice page is a good place to start.
2) What are our organization’s capabilities, strengths and weaknesses, including across the supply chain? Which third-party risks do we have, and where are they concentrated?
- Build scenario models to determine ways to mitigate any additional risks to your supply chain, working closely with your suppliers.
- Insulate your supply chain from disruption. Identify ways to diversify your supply chain if possible and assess the cost-benefit of maintaining duplicate facilities or routes on an ongoing basis.
- Create a backup plan. Identify alternate sources should your primary source of supply be unable to deliver on services.
3) Have we clearly communicated to our workforce what steps they should take and how they should respond to different scenarios identified?
- Evaluate work-from-home arrangements and options for remote meetings and videoconferencing. Employees working remotely, meanwhile, will need secure remote access to necessary files and services, likely using a VPN, as well as collaboration tools including instant-messaging apps, project management platforms and shared documents.
- Review remote working policies and guidelines. Remote workers should only use their work computers and not their personal computers, and managers should be trained on how to be virtual leaders by setting clear expectations and emphasizing regular communication.
- Review policies for paid time off, sick leave and short-term disability. Employees should be reassured that they will not be penalized for taking sick leave, and they should not come into the workplace while sick because they are worried about losing out on income. Policies for payment if the workplace is temporarily closed or employees are furloughed will also need to be reviewed and clarified.
4) What is our organization’s insurance coverage, and do we have funds to support this crisis? Does your organization have coverage for an insurance claim?
- Evaluate your insurance coverage for business interruptions. Identify the impact from civil authority and ingress/egress coverage, service interruption, supply chain interruptions, loss mitigation, and extra expenses like increased logistics and redistribution costs, higher costs related to workforce disruption as well as shifting productions to potentially higher-cost locations, and others.
- Establish milestones for claim recovery. Resources are likely going to be stretched thin for the foreseeable future. It is important to create milestones and hold all members — from the adjusting team to internal stakeholders — accountable for achieving those goals.
5) How can this threat unfold and evolve, and what scenarios do we need to consider for our organization?
- Regularly monitor announcements from the WHO and the Centers for Disease Control and Prevention to determine other potential impacts that could be coming down the pike for your organization.
- Establish various versions of your enterprise risk plan that can be adapted to help mitigate risk should other waves of the outbreak take place, taking into consideration where they might unfold.
- Consider accounting implications and total tax liability changes. For example, COVID-19 could complicate how businesses comply with Current Expected Credit Losses (CECL) accounting given the complication to forecasting credit losses. Total tax liability, meanwhile, could be impacted in several ways depending on individual circumstances and the actions taken by national and local governments.
Following this checklist can better enable you to make informed operational and strategic decisions while balancing the risks inherent to an infectious disease pandemic. Beyond that, you can use the intel gained from your self-evaluation to build your capabilities over time and support the business case for future investments in resiliency.