The mass move to online work and education has thrown a wrench into the security plans of organizations of all kinds. As people tend to default to the simplest, easiest way to do their job—whether it’s the safest or not— it’s the duty of information officers to set up policies and controls to make it simpler to do things properly. After all, if things are too difficult to do via an approved system people will use alternative methods.
Jay Leask and Hunter Willis sat down with AvePoint’s Chief Risk, Privacy, and Information Security Officer Dana Simberkoff to get her thoughts on how the quarantine caused by COVID-19 affected the privacy industry and some of the largest security-related obstacles organizations have to tackle today.
With COVID there’s been a massive acceleration of digital transformation. How has that affected the work of the privacy industry?
Dana: There are a couple of issues at play there. For one, COVID-19 and the almost instantaneous push to a remote workforce have caused many companies that were carefully planning their cloud strategies to have to jump headfirst into the cloud. So instead of implementing their multi-year plans for slowly making the transition, training their users, and cleansing their data, it’s been a sudden shift.
While there are many business benefits of undergoing that transformation, many of the policies and procedures have been written for very different work environments (office spaces) so there often haven’t been proper governance or controls in place. It’s been difficult to do privacy by design, privacy by investment, or a real risk analysis on those systems before the switch happens.
At the same time, having employees working from home creates a litany of privacy conundrums:
- You’re working at home, not working in a formal office environment
- You may be working at home with your family. You may have your spouse or children there; that same concept of privacy isn’t the same in a work-at-home environment.
- Due to health issues because of the pandemic, our sense of privacy has changed. Think about the amount of information we now have to give to the government, retail shops, restaurants, and so on without a say in the matter. Where does that information go? How long is it being stored for? How’s it being protected? If we weren’t in our current situation we’d never give them that information or the information of our children.
If you had to pinpoint the biggest obstacles to security and privacy for organizations post-pandemic, what do you think they are?
Dana: One of the biggest challenges for companies is to be able to demonstrate that their policies reflect a change in their conditions, and that they implemented a change–even retroactively–to address any privacy and security issues. Regulators and even auditors will have some leniency for some time (there hasn’t been “normalcy” in the workplace for the past year, after all) but that won’t last forever, and there’s some work that has to be done. In other words, you’ll be able to have a somewhat relaxed environment for a bit, but not for long.
I assume many of the companies who moved to the cloud will at least stay in the cloud partially if not completely. I don’t think we’ll see the end of this shift to working from home, and the workplace likely won’t be the same from now on. Companies that moved to the cloud will probably see the benefits and decide to stay there in some capacity.
That said, an evaluation can be done retroactively that examines what kind of content was put out and how those containers were created. Governance can then be applied to net new content and collaboration spaces before doing the same for past content. They’ll then have to document the risks that were taken. It’s fully possible to operate in the cloud with good security and privacy controls; it just takes some time, effort, and planning.
To hear Dana’s full conversation on COVID-19’s impact on data privacy with Jay and Hunter be sure to check out their podcast episode here!