A-LIGN’s Compliance Crosswalk podcast features discussions at the intersection of security, privacy, compliance, and risk management. On the premiere episode, hosts Blaise Wabo, Healthcare and Financial Services Knowledge Leader, and Arti Lalwani, Risk Management and Privacy Knowledge Leader, share their thoughts and insights on the state of cybersecurity after the pandemic.
Remote Work Threatens Cybersecurity
The world has changed as a result of the pandemic with people working from the office, home, the beach, local coffee shops, basically anywhere. But what does this mean for cybersecurity with employees accessing networks that might not be as secure as the one at the workplace? In short, increased risk.
A virtual private network (VPN) can help mitigate that risk by encrypting traffic between the employee’s device and the corporate network, provided that employees use it every time they hop onto an offsite network. A VPN protects data in transit, not the endpoint itself: a compromised laptop or an unpatched home router is still a problem once it is on the corporate network. Companies can better protect themselves by updating their remote work policies regarding connecting to offsite networks, and implementing controls so that risks aren’t exploited by bad actors.
“Communication is key,” Arti says. “Who do you go to when breaches happen?” Blaise recommends organizations look into installing mobile device management (MDM) or mobile application management (MAM) software on work devices. The technology enables IT administrators to control, secure, and enforce policies on devices (for example, requiring disk encryption, a screen lock, and current patches, and remotely wiping a lost device), adding another layer of risk mitigation.
The Rise and Risks of Telemedicine
In addition to remote work, another trend that resulted from the pandemic is the acceleration of telemedicine. Blaise notes that from 2019 to 2021, telemedicine increased by 2,000%. While telemedicine enabled patients to receive care when going to see a doctor was unsafe or impossible during the most precarious moments of the pandemic, it has become a target for cybercrime. Thus, precautions must be taken to enhance security around sensitive patient data.
With privacy as an ongoing concern in telemedicine, providers must be more proactive about getting consent on information they retain during a session. They must also take measures to secure virtual communications. It’s vital (and, in the United States, the law) that applications used during virtual visits handle protected health information in compliance with HIPAA, which in practice means a platform that encrypts sessions and a vendor willing to sign a business associate agreement.
Additionally, providers and patients should ensure that telemedicine apps completely remove sensitive data that might have been stored. Simply deleting an app from a device doesn’t necessarily mean the data has been eliminated: cached recordings, chat transcripts, and copies synced to device backups or the vendor’s cloud can outlive the app itself.
During the pandemic, consumers significantly increased the use of e-commerce. Even those that might have been wary of putting their credit card information on the internet found themselves placing orders on Amazon and other online retailers. While it was convenient and served as a lifeline to both retailers and consumers, it was a boon to hackers as well.
“I believe the instances of credit card fraud increased over the last two years,” says Blaise. Arti understands this all too well, saying that she had to change her credit card number four times over the last two years purely due to cybersecurity breaches. Her recommendation: Set up alerts!
For organizations looking to secure sensitive financial information, Blaise recommends encrypting data and splitting the encryption keys into separately held components. Authorized parties can still decrypt by bringing the components together, but if hackers manage to obtain part of the key, they still can’t recover all of it.
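As an added example (not code from the podcast or from A-LIGN), the following Python implements Shamir’s secret sharing, one standard way to get the property described above: a 32-byte data-encryption key is split into five shares, any three of which rebuild it, while any two together reveal nothing about the key. The threshold and share count, the use of the Mersenne prime 2^521 − 1 as the field modulus, and the sample key are assumptions chosen for the illustration.

```python
"""Threshold key splitting with Shamir's secret sharing (added example)."""
import secrets

# Field modulus: the Mersenne prime 2^521 - 1 (an assumption for this example).
# Any secret of up to 64 bytes fits in one field element, so a 32-byte AES-256
# key needs no chunking.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner's rule, mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, share_count: int):
    """Split `secret` into `share_count` shares, any `threshold` of which rebuild it.

    The secret is the constant term of a random polynomial of degree threshold-1;
    share i is the point (i, f(i)). Fewer than `threshold` points leave the
    constant term uniformly distributed, so a partial set of shares reveals nothing.
    """
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def recover_secret(shares, length: int) -> bytes:
    """Lagrange-interpolate the sharing polynomial at x = 0 from (x, y) shares.

    With at least `threshold` distinct shares the result is the original secret.
    With fewer, the result is some other field element, and nothing about it
    tells the holder which one is wrong. It is returned at its natural width
    (at least `length` bytes) rather than silently truncated to look like a key.
    """
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    width = max(length, (secret.bit_length() + 7) // 8)
    return secret.to_bytes(width, "big")


def demo():
    """Split a freshly generated key 3-of-5 and report which share sets recover it."""
    key = secrets.token_bytes(32)  # constructed stand-in for a data-encryption key
    shares = split_secret(key, threshold=3, share_count=5)
    return {
        "three_shares_ok": recover_secret(shares[:3], 32) == key,
        "any_three_ok": recover_secret([shares[0], shares[2], shares[4]], 32) == key,
        "two_shares_ok": recover_secret(shares[:2], 32) == key,  # False: two are not enough
    }


if __name__ == "__main__":
    print(demo())
```

In a deployment the shares would be handed to different custodians (or stored in separate HSMs or secret stores) so that no single person or system can reconstruct the key alone; the simpler two-component XOR split that PCI DSS calls split knowledge is the special case where every component is required.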
Put a Plan in Place
Leveraging a cloud infrastructure to host organizational data will also help reduce the risk of hacking. Most companies don’t have the resources to properly secure on-site servers, but the major cloud providers (AWS, Azure, IBM, Google) all meet best-in-class compliance standards and stay updated with the latest security certifications. Those certifications cover the provider’s infrastructure, not the customer’s configuration: identity and access management, storage permissions, and patching of the customer’s own workloads remain the customer’s responsibility under the shared responsibility model.
But even the largest of cloud providers can go down, as the world discovered in December when AWS suffered three outages affecting companies like Slack, Imgur, and Asana. Arti says that organizations should institute a business continuity plan relevant to each location in the event their website is forced offline due to a technical mishap, security breach, or even weather-related disaster.
Plans should also address ransomware attacks, which are on the rise and in which attackers encrypt an organization’s systems and demand payment for the decryption key; tested offline backups are what let an organization restore its IT network without paying. Going through an external penetration test can expose network vulnerabilities. Also, getting key personnel in the same room, running tabletop exercises, and conducting a ransomware preparedness assessment on how to respond to a cybersecurity incident will help prepare team members should an attack actually occur.
Putting a plan in place can also be greatly beneficial for employee turnover, a trend that we saw emerge toward the end of the pandemic.
The Great Resignation Hits Compliance
The compliance field isn’t immune to the Great Resignation, as the pandemic has caused workers in the field to reassess how work fits into life. Organizations must recognize their team members as human beings first with full lives, and not just employees. “We don’t live to work anymore. We work to live,” says Arti. Companies need to rethink their culture going forward so that employees are thriving personally and professionally.
Companies looking to fill cybersecurity and compliance roles will need to assess their talent needs in light of the labor shortage. They won’t find the ideal candidate with the desired 10 years of industry experience. Instead, they should consider a candidate who might be green but can bring other skill sets to the table. It then falls on the company to provide initial and regular training to keep employees updated on ever-changing compliance requirements. As an added benefit, broadening the candidate pool can also help in recruiting more diverse talent who can bring new insights and add to a healthy company culture.
Join Blaise and Arti in May for episode two of the Compliance Crosswalk podcast.