Podcast: Covid-19, compliance risk, remote assessment and training

In this podcast, we look at the increased risks to compliance that come with coronavirus social distancing measures, with Mathieu Gorge, CEO of Vigitrust.

We talk about the compliance risks that come with remote working and the increased threat of malware, ransomware and phishing attacks.

Gorge also talks about the need for a remote working policy and how compliance assessments and training can be delivered remotely during this period.

Antony Adshead: What compliance risks do we need to be aware of during the current Covid-19 situation?

Mathieu Gorge: First of all, we need to understand that the risk surface of any organisation has dramatically increased.

We went from a minority of people remote working to everybody working from home. That obviously means that a number of folks might have had to use personal devices because they may not have been supplied with company devices to start with.

And although some companies are handing out laptops to employee homes, it’s still a problem because you cannot mix and match personal storage with company storage, even though there’s still cloud storage available.

There’s also a major increase in malware, ransomware and phishing as well as some phone scams related to Covid-19.

So, you need to make sure you are fully aware of that and if you look at compliance from a generic perspective, that still applies.

PCI-DSS still applies and they have issued some advisory around those scams and the issues with malware. They’ve also said they appreciate that this is a transformation time and for how we work.

That said, PCI will still apply and you need to protect credit card holder data. And, in fact, we are seeing similar advisories from the ICO and the CNIL in France saying you need to be careful, you need to watch out how you store your data, how you transmit it, how you process it, and to bear in mind that, at some stage, the crisis will be over and we’ll still be checking that people remain in compliance.

So, it’s important not to drop your guard.

Adshead: How do organisations ensure they don’t drop their guard with regard to compliance in the current situation?

Gorge: I think the first step is to update, or design if you don’t have one, a teleworking policy that is extremely strong and detailed and that shows what kind of data you can work on remotely, what you can access, the type of authentication that needs to be used in order to access the systems. Also to remind people of the value of data and talking about how the data is created, whether structured or unstructured, how it is saved or stored.

That requires some additional training and we’re seeing a huge increase in requests for remote training and e-learning, mostly on basic cyber security but also on data storage and privacy. So, the focus is really on data.

One thing I would say is that security advice and compliance advice is still available from many firms, albeit remotely. And we’re still seeing a number of large organisations and important standards organisations and regulators issuing advice about how to conduct remote assessments, how to use checklists to make sure you don’t fall out of compliance.

So, the advice would be to train your users, make sure you update your policy, focus on your data, use the checklists, make sure you don’t fall out of compliance at this time because this crisis will pass and compliance is not going to go away. So, stay safe and don’t drop your guard.