COVID-19: Is Management Asking the Right Questions?

What if you are the owner or manager of a business in today’s world?

A few weeks ago, our world was turned upside down – to say the least. Management’s focus shifted from business as usual to figuring out how to keep employees safe and company doors open for business (in-person or virtually), all while maintaining some semblance of what your business was before life changed as we know it. Sure, you celebrated victories like being able to keep as many of your employees on staff as you could, for as long as you could. You may have even qualified for the CARES Act and/or an SBA loan so more folks could remain employed for longer – but that is only a small piece of the bigger challenge.

Like many organizations across the country, business changed overnight from usual operation to suddenly being forced to do business differently almost overnight. So, you do have a Business Continuity Plan (part of your business continuity management program, or BCM) and your company may even be testing it annually. A few critical systems have probably been tested, and maybe even an employee or two has taken a company laptop home to demonstrate that they can connect from home. Great! Or is it?

You may have dusted off your pandemic plan (if you had one) and confirmed that you had hand sanitizer, masks, and some gloves squirreled away in a closet at your corporate office. That’s good, right?

Then one day you start having throughput issues on your network, and employees are complaining that they can’t connect from home. Your IT staff tells you that not everyone has a laptop, and that there are not enough of them in the company for everyone. Then your Compliance Officer calls to tell you she is concerned because there is no teleworking or remote work policy, or that the one you have doesn’t address everything that it should.

At this point it hits you that the call center and back office folks are working from their homes. You know… rifling through folders and papers that are spread out on the dining room table. Or that while they are speaking on the phone with your clients, their family members are parading guests through the house. There goes your client’s right to privacy. Wait! What?!

Then you realize there are no cameras, sign-in log, receptionist, an escort, or alarms at these new satellite offices that just popped up overnight after the governor required your business to close its physical doors and social distance. This “stay-at-home” order has forced employees to work from home with no definitive end-date. Are the laptops provided by the company or are they employee-owned? At a minimum, are they secured in a locked room? Do they have full disk encryption? Most likely, you enforce that they connect to company systems/resources over a virtual private network (VPN), but do they use multi-factor authentication (MFA)? Have you reviewed your firewall settings since employees began working remotely from home networks? The controls you previously had in place seemingly have flown out the window.

What about your service providers? Are they considering all these risks too? Looks like your vendor management program may need to be updated with these new unique considerations.

Governing bodies, regulations, security and privacy laws, and standards such as the FFIEC, HIPAA, CCPA, and PCI do not relax requirements just because a pandemic hit – bad actors are certainly not taking a vacation! If anything, there are many more risks introduced in this new normal. These risks exist now, so time is of the essence, but where do you begin?

Compass IT Compliance can help. Our experienced, certified team of IT security, audit, and compliance professionals can help. Contact us today to discuss your unique situation!