Written by Tate Kesner
As a past director of a software company, I was part of a team that had to submit an Emergency Plan for any situation that would prevent our staff from coming to work. How would we continue to serve our thousands of clients around the country? Because that plan existed, the company was actually very well prepared for the current situation: sales, customer support and development could all safely and reliably work from home. This isn't the case for many companies during this National Crisis, and we should all take notice.
Phase 1: Worker Security
It wasn't just about staying in contact with the client; it was more about security once staff were outside our internal security protocols and intranet. Now that our industry and others have been forced to adapt to working from home, our security is in many cases at risk of being compromised. If this is not a concern, it should be, because hacking, phishing, ransomware and many other kinds of breach are ready to take advantage.
Could you imagine having 5K, 10K or even 30K client records held for ransom (pay, or they are deleted)? Even more troubling is the fact that many companies sent their workforce home with their laptops to work remotely until further notice.
- Are the laptops encrypted and secured?
- Has a VPN connection been established?
- Are remote login procedures set?
- What VoIP phone service is available, and how is it secured?
These are all areas that should be of concern with employees working remotely.
Phase 2: Client Security
The security of your clients' data is always important, whether it is being accessed from internal or remote locations. Not only should the software be secure, but so should the environment in which the data is stored. Have you done your due diligence on the vendors that are using, storing or accessing your data? If not, you should get a game plan together. If data isn't secure, then it is only a matter of time before a simple breach happens.
To accomplish this, a couple of things should be considered.
First, when data is encrypted between systems, is it encrypted only in transit, or is it encrypted when not in use as well? Having it encrypted both at rest and in transit is by far the best. Another factor is the level of encryption, such as a simple 128-bit encryption versus the highest available 256-bit encryption.
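As an added illustration of the two points above (encryption at rest, and the 128-bit versus 256-bit choice), here is a small Go program that is not part of the original article. It seals a client record with AES-GCM from the Go standard library before it is written to storage: the key length alone selects AES-128 or AES-256, and because GCM authenticates the ciphertext, a record that was altered on disk is rejected when it is read back instead of being silently returned as garbage. The record text and key are constructed sample values; the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyBits reports which AES variant a key selects. The cipher is the same;
// only the key length differs. This helper accepts the two sizes the
// article names (16 bytes = AES-128, 32 bytes = AES-256).
func KeyBits(key []byte) (int, error) {
	switch len(key) {
	case 16:
		return 128, nil
	case 32:
		return 256, nil
	default:
		return 0, errors.New("key must be 16 bytes (AES-128) or 32 bytes (AES-256)")
	}
}

// Seal encrypts one record for storage at rest with AES-GCM. The output is
// nonce || ciphertext || tag, so everything needed to open it later (except
// the key) travels with the stored blob.
func Seal(key, plaintext []byte) ([]byte, error) {
	if _, err := KeyBits(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing a nonce under one key breaks GCM.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a stored blob. Any change to the nonce, ciphertext or tag,
// or use of the wrong key, fails the authentication check and returns an error.
func Open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("stored blob is too short to contain a nonce")
	}
	nonce, ciphertext := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, nil)
}

func main() {
	// Constructed sample: a 256-bit key and one client record.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	record := []byte("client=42;name=Example Co;balance=1250.00") // constructed

	bits, _ := KeyBits(key)
	sealed, err := Seal(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes under AES-%d-GCM\n", len(sealed), bits)

	plain, err := Open(key, sealed)
	fmt.Printf("read back: %q (err=%v)\n", plain, err)

	// Simulate corruption or tampering of the stored blob.
	sealed[len(sealed)-1] ^= 0xff
	_, err = Open(key, sealed)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

The point for a vendor review is not only "is it AES-256" but also that the at-rest scheme is authenticated and uses unique nonces, and that the key is held somewhere other than next to the data it protects.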
Which brings us to the number one consideration for your data: how secure are the actual storage of and access to the data? You will hear two terms to consider, SOC 2 Type I Compliant and SOC 2 Type II Certified.
*The Type I report is preliminary to the Type II report and is based on testing and reporting on the suitability of the control design only. Type I reports are issued to organizations that have controls in place but have not yet had them audited in operation.
*The Service Organization Control (SOC) 2 Type II certification is among the most coveted and hard-to-obtain information-security certifications. It demonstrates that an expertly trained independent accounting and auditing firm has examined an organization's non-financial reporting control objectives and activities, and has actually tested those controls over time to ensure that they are operating effectively. If you are serious about not becoming the next news headline about an information security breach, then start putting a premium on SOC 2 Type II certifications.
As you finalize your security, due diligence and verifications, take special care to store your data with a third party who cares to create a secure environment for accessing, transferring and utilizing your data.
Our industry will never be the same, but with a little planning and evaluation, you can secure your future. Start now and remember to put the SOC 2 Type II certification in your Security Evaluation checklist!