As Covid-19 rightly dominates the headlines, organisations everywhere are suddenly putting their business continuity plans into practice. These should of course include how staff can work remotely, as has become the norm in many countries.
However, in order for all staff to work effectively, your organisation should already have digitised vast quantities of business-critical information. This information, digitised accurately and sustainably, and held and accessed securely, is crucial to your organisation’s survival.
Unless your workplace is a library or archive, it is likely that most documents you use will be digitised. Digitised information will by definition be vaster and more accessible – and therefore much more vulnerable to fraud or other misuse. Given how many employees are currently working remotely, and assuming that very few of them are relying on paper-based documents, the risk of information going astray or being misused is extremely high and there are now new cyber security risks to consider.
Most employees normally access digitised information in the office, using the organisation’s (presumably) secure network and server. Those who travel – sales and other staff, including internal auditors – are familiar with using a dedicated laptop with secure, encrypted access to only that information needed to do their jobs.
The current environment, though, means the vast majority of many organisations’ staff will now be working from home, often for the first time. Many will have work laptops, but many will be using their smart phones, personal laptops, tablets or home PCs. They will be trying to follow – possibly for the first time – instructions on how to connect securely to work systems and use collaborative software (such as SharePoint). Those who usually depend on support staff to scan and upload hard copies may find themselves taking half a day to discover, through trial and error, the organisation’s preferred configurations for digitising documents. Since these people are often senior decision-makers, the organisation can ill afford to waste their time.
How effective are your organisation’s controls under normal circumstances? If they are poor – if people can access pretty much anything, from anywhere, any time – then chances are high that in the current climate, the organisation’s information is at high risk.
Several organisations with sound controls have already discovered that their systems cannot cope with the surge in staff logging in remotely. Yet others have realised that the systems can cope, but much more slowly. This brings increased risk of staff using workarounds, such as emailing a work document from their personal email address to a colleague’s personal email address, either out of frustration or an actual (or perceived) need for urgency.
Fear of missing a deadline or target can prompt people to engage in all sorts of risky behaviour beyond using personal email. This could include accessing confidential information directly rather than going through proper channels; uploading dubious files or links direct to work systems; and not taking the time to check emails purporting to be from senior managers requesting business-sensitive information. It could even be as basic as not agreeing or adhering to document version standards. This could quickly lead to confusion and poor decision-making, as senior managers receive supposedly accurate documents with ‘up-to-date’ information that isn’t.
Keep in mind, too, that your organisation’s IT and IT security teams will be stretched thin. Staff could be unwell or caring for family members; those who are able to work full time will be busy addressing the logistical problems of large numbers of colleagues trying to work remotely for the first time. They may have decided to ignore a certain amount of incoming activity they would normally flag as suspicious. This is the perfect opportunity for cybercriminals, who are already taking advantage of the unsuspecting, the busy and the careless in these unprecedented times. It has been reported that there has been a surge in phishing scams exploiting COVID-19, with both individuals and organisations at risk.
Many people will look at these scenarios and say, ‘Well, what could we do? These are extraordinary circumstances, and much of what you describe is happening on a small scale anyway’. However, as with so many business practices, this pandemic is revealing a great deal about how we manage and use our digitised information. And at the root of it – as with virtually everything – is corporate culture.
If you have recently audited your organisation’s controls over digitised information, it will probably have fallen under the headings of information or cyber security. It will also likely have raised points about inconsistent approaches, use of third-party suppliers and quality of management information. All of these problems will be magnified in the current situation – and resolving them means addressing culture.
Consider the following questions:
All of these points bring us back to culture and tone at the top. Digitising information and using it is only partly a technological task; it is above all a cultural, human task. And, as we are quickly discovering, the human element is the only one that can provide solutions. At the same time we need to look at the new cyber security risks, ensuring the organisation, where appropriate, improves cyber security to help further protect the organisation’s data and that of its clients – this doesn’t necessarily require vast amounts of money and time to implement.
In this pandemic crisis:
Remember your role – internal audit’s mission is to provide an independent, objective assurance and consulting activity designed to add value and improve the organisation's operations. It is ultimately here to support the organisation’s success and delivery of its strategy, including sustainability.
Prioritise – consider key risks to the organisation now and how these are changing. Is the organisation clear what they are? Do key controls mitigate risks?