Are you in control of your data? What are the issues for individuals and businesses?

The COVID pandemic changed the way companies work. While there were some companies and industries that allowed some remote work before 2020, since then, remote and hybrid work environments have become the norm for many. This has created both benefits and challenges, and has made the transition to hosted and cloud environments from internal company-based IT systems even more attractive for efficient operations.

Training

As personnel spend less time together in offices – and more time in less-controlled remote environments – training in good IT and data hygiene practices becomes that much more important. Nobody is perfect, so it is key to regularly remind people both of what they should be doing and of the risks of not doing so.

  • Conduct regular training sessions, and make at least some mandatory.
  • Remind personnel that each of us can take small steps that together can significantly reduce risk.
  • Try to make the training meaningful (targeted to particular groups or use cases).
  • Consider multiple (quarterly/monthly) shorter sessions over the year, rather than one or two long programs, which both reinforces the messages more often, and makes the content more digestible (and attending the sessions less painful).

Understand and manage your vendors

The vast majority of companies don't directly control their data. Much of it is held in hosted environments controlled by third parties, and often even management of those third parties is done by IT service providers, rather than company employees. When using outside parties to handle company data – whether personal or corporate data – it is fundamentally important to have a clear and current understanding of what each service provider does, since while the services can be outsourced, most of the risk is usually retained.

  • Every organization has its own priorities, culture and risk tolerance, and processes need to be designed and implemented with that in mind.
  • Understand the potential benefits (lower cost; better security – if managed correctly) and risks (less control over data; lack of understanding and ability to manage data and security practices) for each vendor and process.
  • Create and maintain a formal vendor management program, and designate and appropriately authorize individuals to operate the program (it often fits well with a procurement function).
  • Conduct appropriate security, systems, privacy, process and financial due diligence on vendors before, during and after engagement.
  • Make sure that all key functions (business unit, IT/security, privacy, compliance, legal, finance) have input into the process, preferably before final vendor selection.
  • Require maintenance of specific standards – which should generally align with the due diligence questions and issues – by contract (some laws require this as well).
  • Remember that ongoing relationships require ongoing oversight, so make sure that you have (and appropriately exercise) audit rights to ensure that standards are being met.
