Across the globe, businesses and workplaces are beginning to reopen their doors after months of quarantine and shelter-at-home orders. Resiliency plans were tested, and organizations adapted for the demands of an unprecedented situation.
The next phase towards “normal” requires careful implementation of plans and heightened attention on security and risk. While the checklist of concerns is vast (and growing), let’s focus on the risks related compliance, privacy and the dynamic workforce, and how to address them.
Health Concerns Become a Privacy and Compliance Risk
As businesses reopen their doors and workplaces welcome back their employees, organizations will become a conduit for local governments in helping mitigate exposure and tracking potential outbreaks. RSA Chief Technology Officer Dr. Zulfikar Ramzan expects “people will be required to provide some form of attestation about the state of their physical health in different settings.” From the office to the ballpark, mall or local diner, Tony Karam, Risk and Security Strategist at RSA, believes temperature checks or the collection of “other biological or physiological data” could be become a requirement before allowing someone access into that environment. While this may be necessary for the long-term health of everyone and ensuring a gradual return to “normal,” the collection of this data introduces new complexities for an organization’s risk management and data privacy strategies.
Some of the initial concerns to ponder and address in the near-term include: How will this health data be managed? Where will it be stored? Most importantly, how will it be secured and who will have access to it? As Karam points out, these are “really big concerns.”
The exploitation of personally identifiable information (PII) by fraudsters and bad actors has been on-going for years. Consider now what the future could hold if organizations begin regularly collecting health data from employees and customers. As Kevin Haynes, Chief Privacy Officer at Nemours Children’s Health System warns, “a data breach [of health records] could trigger catastrophic impacts, such as reputational damage if sensitive patient information is leaked.”
For organizations returning to work after a health crisis, two immediate concerns need to be addressed: compliance challenges and data privacy risks.
- The risk for regulatory leaders is how to reopen their physical locations while staying compliant with individual mandates at the state or country level. For multinational organizations, this challenge is compounded as they face dozens, or even hundreds, of individual requirements. However, like the challenges faced when complying with GDPR or CCPA, organizations should adapt their strategy to comply with the most stringent mandate. This will help organize efforts and reduce the time and energy needed to manage each individual requirement. However, it’s important to remember that “compliance does not equal security,” says Robert Carey, Vice President and General Manager of RSA Public Sector Solutions.
- While the privacy challenges ahead may seem daunting, Angel Grant, Director, Solution Marketing at RSA, says “don’t overcomplicate it” and focus on the basics. She advises that companies look at this data through the lens of the C-I-A triad (confidentiality, integrity and availability). Build a governance strategy that applies the right controls, and don’t forget about the access governance piece of the equation. Limit who has access to the data and secure how privileged users can access the data.
Revisiting Identity and Access Management in the New Boundaryless World
Organizations raced to deploy remote work capabilities to eligible staff during the initial outbreak of the health crisis. For those across the private and public sectors, this may have been the first time employees were connecting to the network from a location outside of a physical office. In some cases, “access controls were lessened because people were working remote” and out of expediency, “increased privileges were given to those who wouldn’t have them in the past,” explains Grant.
Separately, organizations may be looking to employ temporary workers to help fulfill a specific, short-term need, says Dr. Ramzan. In these cases, provisioning access may be necessary, but that must be tracked to completion and rescinded after the employee’s last day.
Both Grant and Ramzan believe that as part of the next phase towards recovery and “normal,” businesses must revisit their access governance strategies. Further, Tony Karam advises that security leaders prioritize “re-certifying rights and entitlements more frequently” given that there could be “accumulation of [privileged] access” by employees who shouldn’t have it.
This requires the enablement of risk-aware, context-driven governance by integrating risk management and access management in identity governance and lifecycle processes, rather than managing each separately. In addition, discover outliers and inappropriate access by using a risk-based approach to quickly identify outlying access requests and prioritize them for remediation.
As it relates to identity access, there are a number of considerations organizations need to address as they adapt for their new normal. Dr. Zulfikar Ramzan says, “don’t focus on just one form factor” when implementing multi-factor authentication to power a remote workforce long-term. While many prefer hardware or software one-time password (OPT) tokens, don’t overlook biometric options like facial recognition or fingerprint ID. This is important because, as Ramzan says, “everyone’s situation is unique.” For some, physical limitations may prevent them from being able see or access a hardware or software token. He advises organizations look at their authentication strategy “in the broadest sense” as a way to reduce friction, but not compromise security.
As organization adapt for their future, security and risk must be a fundamental priority for the business. Although the list of potential challenges on the horizon are too long to catalogue in just one blog post, compliance, privacy and dynamic workforce risks should be among the top concerns to be addressed in this next phase of normal. Avoiding or neglecting these issues could lead to a security incident or reputational damage.
In a time of change and uncertainty, consider what threats could undermine your business’ future and what scenarios are exposing your organization to increased risk. Apply the needed security and risk controls today to thrive in your next normal.