In the second installment of a five-part series, five senior compliance practitioners tell Compliance Week how their organizations are reacting to new cyber-threats introduced by the pandemic.
What new cyber-risks has COVID-19 introduced, and how is your firm protecting against them?
Meet the executives
Chief Risk Officer
Years in compliance: 30
Regulatory Counsel & CCO
Years in compliance: 7
Founder and President
Cheatham Roberts Consulting
(Formerly Managing Director and CCO of Civitas Capital Group)
Years in compliance: 26+
SVP, Chief Risk, Compliance & Ethics Officer
UPMC Health & Insurance Services
Years in compliance: 20+
President & CEO
Years in compliance: 25+
DISCLAIMER: The views reflected by the practitioners quoted are theirs alone and do not represent the views of their companies.
ANDREW BEAGLEY: The pandemic has created multiple potential cyber-challenges as organizations reevaluate business priorities and operating models. Remote working can lead to an increased risk of browser-based attacks caused by unsecured and unreliable wireless networks. Perhaps a greater risk arising from the pandemic is the ever-present concern of an increase in cyber-debt. In difficult times it is more important than ever to stay focused on the need to evaluate system effectiveness and make appropriate investments to minimize the risk of weak links creating vulnerability in an organization’s technology architecture. If left unchecked, there is an inherent risk of increased cyber-attack.
KORTNEY NORDRUM: Deluxe, like so many other organizations, went work-from-home very quickly and unexpectedly. We pulled the trigger and then figured out how to make it work from a privacy and compliance perspective. One of the biggest risks we’ve faced is that we can’t control or monitor employee behavior at home the same way we do when employees are onsite. We’ve had to spin up new training and awareness campaigns to teach our folks all of the cyber-security pitfalls of working from home—and how to stay out of trouble. Ecommerce fraud, phishing schemes, and ransomware attacks have grown exponentially, and we’ve had to pivot to train our employees to be prepared to protect Deluxe, and themselves, from these attackers.
LAURIE ROBERTS: Since the pandemic started, the cyber-risks have evolved. With more employees than ever working remotely and through various different devices and solutions, it is even more important to assess cyber-security policies and procedures. A heightened dependency on digital infrastructure raises the cost of failures. Businesses are increasingly offering or enforcing work-from-home policies, and social interactions have become confined to video calls, social media posts, and chat programs. Cyber-criminals exploit human weakness to penetrate systems. Periodic testing of systems will provide insight into the effectiveness and weaknesses of procedures that can be addressed without harm to the organization.
KC TURAN: We’re seeing increased cyber-risk involving virtual networks and phishing schemes trying to capitalize on the remote working environment. In healthcare, we’re seeing increased phishing, malware, and ransomware attacks as bad actors perhaps see healthcare as a softer target than other industries, especially with our focus on COVID. You need strong cyber-security to have effective privacy, and cyber-security breaches often lead to privacy exposures. We’ve enhanced our email, endpoint, firewall, switch infrastructure, and network segmentation security, which represent viable threat vectors. We’ve also reemphasized our employee training, communications, and phishing simulations to address the human error component of cyber-risk.
STEVE VINCZE: As someone who supports life science commercial, medical, and executive teams, I have seen the pandemic introduce new risks and challenges in protecting patient information and ensuring appropriate processes are implemented to obtain patient consent to share protected health information (PHI) in a manner that both supports the best interests of the patient from a healthcare perspective and protects their PHI. The pandemic, which has forced us all into a ‘Zoom World’ of virtual communications, makes us dependent on this world where the very cyber-risks may reside. It’s a unique balancing act: on the one hand, patient lives may depend on getting certain health-related information and patient support, while on the other hand only certain authorized individuals can access this information to communicate with the patient, and to do so you must get the patient’s consent. It can be a frustrating circle of failed attempts, as not all patients may be equally technologically proficient or ‘fluent.’ These circumstances pose genuine practical and operational challenges. What we have done is first take time to understand the current state in detail, examining detailed processes with the actual people who use them. We ask, ‘How may we improve and strengthen the system while staying compliant and without sacrificing patient care?’ When you start with the clear premise that patient safety always comes first, and that we must comply with HIPAA and protect PHI, you quickly rally people around core principles that result in a passionate, solution-oriented commitment to work together to ‘do what is right’ and come up with solutions that achieve both goals.
Special report: Compliance, infosec & battling cyber-threats
Ask a CCO: How is your company reacting to cyber-risks introduced by COVID-19?