Businesses have struggled for years to control and track the movement of data throughout the organization. The COVID-19 pandemic has further exacerbated this issue.
Problems with connectivity and interoperability between legacy systems and software-as-a-service (SaaS) platforms prompted employees to consistently use personal instances of cloud-based services to aid in the completion of their work.
As people are continuing to quarantine, businesses are now forced to evaluate the impact this transition has had on their own security posture. The paramount question that has resulted from this introspection is one that has been looming for several years: “Where is my data?”
That question was at the top of the agenda for the July 22 episode of the Go Beyond Disruption podcast, titled “Cybersecurity Advisory: Where Did Our Data Go?,” featuring guests Daimon Geopfert, national leader, Security and Privacy Consulting, RSM, and Audrey Katcher, CPA/CITP, CGMA, partner, Business Advisory Services, of RubinBrown. I hosted the podcast.
Geopfert noted that one thing many organizations have not fully thought through is where they can be exposed in terms of managing their own data. To facilitate remote work capabilities, many organizations were forced to quickly adopt and deploy remote access solutions and migrate to SaaS-based environments.
While effective at meeting the immediate business needs, these implementation and migration efforts were largely performed agnostic of compliance requirements. As such, many companies may be facing potential fines and sanctions and could be forced to figure out solutions to deal with regulatory violations.
As remote work and migration to the cloud continue to become more commonplace, it is important for organizations to review their risk and compliance frameworks to ensure that the use of these services adheres to any and all applicable regulatory requirements.
Historically, data loss prevention and e-discovery tools have been very effective at identifying sensitive data and monitoring data flow throughout an organization because they have capabilities such as automatically watermarking or tagging data movement through designated applications and groups. More recently, cloud security brokers have started offering dedicated platforms and tools that allow organizations to more effectively monitor the use of known SaaS-based services.
While tools such as these serve as means of detection, organizations should give top priority to prevention because it will save them money in the long run. To help implement and enact preventive controls, Katcher recommended the following seven-step process:
- Define: Define the confidentiality levels for business data, or the privacy levels for personal data: what needs to be protected, and at what level. The highest level of security should be assigned to personally identifiable information (e.g., Social Security numbers and tax identification numbers).
- Identify: Find where data is stored. Communicate to everyone in the organization where data resides and why usage of “shadow IT” (i.e., nonapproved IT resources) needs to be restricted.
- Contain: Ensure that data is contained within organization-approved storage mediums and that unapproved storage equipment or locations are not being used.
- Monitor: Implement controls to ensure that confidential data within the defined environment remains protected. Ensuring that encryption is in place, that awareness training is performed periodically, and that devices used to access data are secured will serve to bolster monitoring capabilities.
- Recover: Confirm that data is backed up, secured, and recoverable by performing tabletop exercises; this helps ensure that recovery is possible in the event of a disaster.
- Insure: Insurance doesn’t protect against reputational and other risks, but it is a good business practice because it helps to limit organizational exposure in the event of a breach.
- Commit: Commit your organization and your vendors/partners to this approach, and continue the conversation as an ongoing effort.
When implementing the aforementioned process, it is important for organizations to understand and apply a “duty of care” to their own data security responsibilities, with compliance and regulatory requirements being first and foremost. As Katcher and I pointed out during the podcast, when determining their responsibilities, organizations must ask themselves the following three questions:
- What did the organization commit to in its contracts?
- What did their vendors commit to so as to help the organization meet its commitments?
- What internal commitment is required from the organization’s own people?
Organizational leadership needs to enact monitoring capabilities to ensure that it delivers on its own commitments, whether to its customers or internally. Leadership also needs to have a system in place to confirm that its vendors adhere to the organization’s commitments, commonly known as a vendor risk management (VRM) program.
Identifying critical vendors, monitoring adherence to contractually defined service level agreements, and obtaining and reviewing vendor System and Organization Controls (SOC) reports are all critical components of a proper VRM program. Most importantly, organizational leadership needs an effective process to communicate to its own people the types of data stored, how data is to be secured, how data is to be appropriately handled, and for what they are accountable and responsible (e.g., reporting data breaches).
An organization should regularly review and update its policies and procedures and compare them to current regulatory requirements to ensure compliance. Of critical importance is taking an inventory of data, including that of cloud applications, and tracking where it is stored. Ensuring this information is monitored and updated frequently is vital for understanding where your data resides.
Remember, prevention is less expensive than recovery and repairing reputational damage from an incident, breach, or data loss.
— Jerry Ravi, CPA, CISA, is a partner and practice leader at EisnerAmper LLP specializing in Process, Risk, and Technology Solutions (PRTS). His focus is providing peace of mind to companies of all sizes with risks (and opportunities) that are mission critical to boards/C-suite. Ryan Zullo, CISA, a manager in EisnerAmper’s PRTS practice, contributed to this article. To comment on this article or to suggest an idea for another article, contact Jeff Drew, a JofA senior editor, at Jeff.Drew@aicpa-cima.com.