The COVID pandemic changed the way companies work. While there were some companies and industries that allowed some remote work before 2020, since then, remote and hybrid work environments have become the norm for many. This has created both benefits and challenges, and has made the transition to hosted and cloud environments from internal company-based IT systems even more attractive for efficient operations.
Training
As personnel spend less time together in offices – and more time in less-controlled remote environments – training in good IT and data hygiene practices becomes that much more important. Nobody is perfect, so it is key to regularly remind people both of what they should be doing and of the risks of not doing so.
- Conduct regular training sessions, and make at least some mandatory.
- Remind personnel that each of us can take small steps that together can significantly reduce risk.
- Try to make the training meaningful (targeted to particular groups or use cases).
- Consider multiple shorter sessions (quarterly or monthly) over the year rather than one or two long programs; this reinforces the messages more often and makes the content more digestible (and attending the sessions less painful).
Understand and manage your vendors
The vast majority of companies don’t directly control their data. Much of it is held in hosted environments controlled by third parties, and often even the management of those third parties is done by IT service providers rather than company employees. When using outside parties to handle company data – whether personal or corporate data – it is fundamentally important to have a clear and current understanding of what each service provider does: the services can be outsourced, but most of the risk is usually retained.
- Every organization has its own priorities, culture and risk tolerance, and processes need to be designed and implemented with that in mind.
- Understand the potential benefits (lower cost; better security – if managed correctly) and risks (less control over data; lack of understanding and ability to manage data and security practices) for each vendor and process.
- Create and maintain a formal vendor management program, and designate and appropriately authorize individuals to operate the program (it often fits well with a procurement function).
- Conduct appropriate security, systems, privacy, process and financial due diligence on vendors before, during and after engagement.
- Make sure that all key functions (business unit, IT/security, privacy, compliance, legal, finance) have input into the process, preferably before final vendor selection.
- Require maintenance of specific standards – which should generally align with the due diligence questions and issues – by contract (some laws require this as well).
- Remember that ongoing relationships require ongoing oversight, so make sure that you have (and appropriately exercise) audit rights to ensure that standards are being met.
Please reach out to Doron Goldstein, another member of our Data Innovation, Privacy and Cybersecurity practice, or your Withers relationship partner if you would like to discuss data protection or remote work practices training for your organization or for assistance implementing your vendor management program.