The business impacts of COVID-19 went far beyond a workforce used to sweatpants and slippers in lieu of their former business casual clothing, said speaker Ralph Villanueva at ISACA Conference North America 2022.
The conference took place last month in New Orleans, Louisiana, and online; this hybrid format has become a popular response to the COVID-19 pandemic. Villanueva’s presentation, “Post-Pandemic IT Security and Data Privacy Risks: How to Recognize and Mitigate Those,” covered how the pandemic affected businesses beyond the shift to working from home, how those changes created IT security and data privacy risks, and what methods can mitigate the resulting gaps.
Villanueva broke down COVID-19’s impact into four categories:
- Business disruption
- Government intervention
- Economic recession
- Pandemic control
Business disruption came from operational changes and the reallocation of resources; changes to business models and the resulting hit to the bottom line fed an economic recession. Pandemic control brought health information challenges, with personally identifiable information (PII) and protected health information (PHI) spread across new systems and processes. Government intervention put private data in government custody, as public safety concerns were placed above privacy. Individually and in combination, these circumstances created IT security and data privacy issues.
Although data privacy encompasses IT security, Villanueva noted important distinctions between the requirements of the two. IT security is concerned with confidentiality, integrity, and availability; authentication, authorization, and accountability; and the network, systems, and database engineers who implement those controls. Data privacy includes all of these and adds a focus on data subject rights; data sharing, transfer, and disclosure; and the roles of data processors and controllers. Put simply, IT security protects the data, while data privacy protects the rights of the people the data describes.
So why is post-pandemic privacy risk mitigation so important? According to Villanueva, it is crucial for reducing financial, operational and reputational risk; for enabling the company to trim excess capital and operational expenses; and for aligning company processes with the enterprise’s mission, vision and objectives. When building business resiliency measures, Villanueva cautioned, companies should avoid ad hoc measures such as hasty approvals, reactive implementation, skipping adequate testing and failing to communicate with relevant stakeholders, because these shortcuts only expose the organization to more cybersecurity risk.
When planning to mitigate deficiencies and gaps, Villanueva proposed examining the risks, goals, standards, and requirements associated with an organization’s IT security and data privacy plans. Risks should be categorized as financial, operational, or reputational and then addressed with the appropriate mitigation method. Goals should be labeled short or long term and aligned with the enterprise’s mission, vision, and strategy. Both internal and contractual requirements should map to appropriate standards, with defined consequences for non-compliance. Because these elements are intertwined and influence one another, the planning cycle is ongoing and calls for a thorough approach.
With the right support from management, the board, and business and technology stakeholders, IT security and data privacy issues can be resolved. The COVID-19 pandemic has highlighted organizations’ reliance on cybersecurity and revealed just how important it is to have the proper measures in place to protect enterprise information and data. Whether the workforce is in the office in khakis or working from home in pajamas, businesses must put the proper effort into recognizing and mitigating IT security and data privacy risks.