Compliance regulators don’t stop working when companies go remote

September 18, 2020

Nearly every single industry has been forced to manage the swift and dramatic shift to remote work caused by the COVID-19 health crisis. Beyond the colossal task of migrating to remote operations overnight and ensuring off-network employees have the resources they need to be productive, many businesses are contending with new and weighty compliance challenges as well. For instance, healthcare and life science organizations must find ways to adhere to HIPAA requirements while patient care and management takes place virtually, and sensitive healthcare data changes hands remotely. Financial institutions, construction organizations and more are dealing with similar requirements.

Compliance regulators don’t take days off – not even in a pandemic. Faced with steep penalties for non-compliance and potential reputational damage, organizations are being forced to rethink their compliance strategies to account for new and emerging risks. For digital businesses today, the best place to start is by assessing how systems should be good enough, understand how data integrity is currently being managed, identifying any compliance hazards or gaps, and considering how automation can help address them.

Compliance must scale and evolve

Generally speaking, many organizations rely on compliance frameworks to ensure the privacy and security of all data and content across a wide range of company repositories. These guidelines are typically laid out as a written set of controls that correspond to key data safety and security policies that ensure compliance. This “checklist” approach is designed to be organized and actionable for IT administrators, making it clear which compliance policies are and aren’t met. Some businesses simply rely on basic on-premise file sharing services as their compliance management solution. But do these strategies hold up in today’s mostly virtual business environment?

These types of legacy compliance frameworks and systems are intended to extend across an organizations’ entire IT infrastructure. But as that infrastructure grows and becomes more distributed, and compliance regulations become more stringent, the demands on those systems can become overwhelming. Just look at NIST Special Publication 800-53. It comprises 2,000 individual security and privacy requirements. Each requirement corresponds to some aspect of your IT infrastructure that, if not met, could create a vulnerability for sensitive content. Any lapse would result in non-compliance, limiting your ability to conduct business and opening you up to substantial financial penalties. The same is true for most other regulations as well. The average HIPAA fine in 2018 was approximately $2.5 million, so the stakes are incredibly high when it comes to ensuring you have a compliance strategy that can scale.

The sudden shift to a predominantly remote work model has only highlighted the shortcomings of existing compliance strategies. In particular, it shows them to be antiquated, one dimensional, static and overly reliant on manual oversight. They don’t take into account the many challenges of modern enterprise content management, especially across newly instated workforces that are accessing company data from non-traditional work sites. Some company content is essentially stateless – because of remote collaboration and access, and continuous alterations to the data, content assets are rarely ever static and highly susceptible security and compliance risks if not managed properly. So, in order to effectively maintain compliance, you must monitor and evaluate your company data and content perpetually.

There simply aren’t enough IT personnel with enough visibility into content stored across all your cloud, on-premise and remote work environments to handle compliance manually. Every time a new API connection is made, a user is added (or removed) and every time a new file is stored, the burden grows exponentially. An increasingly distributed workforce adds additional complexity and risk to this process as well. To effectively manage these challenges, IT teams need help to understand which employees have access to files, when those files are accessed and modified, and how all of this impacts your compliance status.

The role of automation in modern compliance management

When your entire workforce is operating within the office, it’s much simpler to centralize governance to ensure security and compliance of those files. But since every remote worker has essentially set up his or her own unique company IT environment at home today, centralized, manual control has become untenable. Companies depend on critical files and content to make informed business decisions, meet customer needs and maintain operations. Overlooking unauthorized access or improper storage of those assets because you’re unable to properly manage the deluge of off-network activity can have disastrous consequences. Automation can help provide the advanced level of insight and analysis that today’s digital businesses need to maintain compliance at scale and across distributed workforces. It removes the need for IT admins to manually track compliance criteria and risks using frameworks or checklists, providing always-on, continuous monitoring across all company environments.

Automating compliance management is a more proactive, consistent and reliable approach that can help you and your IT and data governance teams gain deep visibility into how your content is being used, what aspects might be at risk and how it can be protected. For instance, automated compliance can help you better manage data storage timelines to adhere to contractual obligations and regulatory criteria (avoiding compliance risks and penalties that come with retaining sensitive data too long). It can also more efficiently track and alert you to potentially risky user access indicators, such as a remote employee accessing and exfiltrating files he shouldn’t be able to access. Streamlining these processes is particularly important as more employees than ever before are operating outside the traditional network perimeter, accessing and interacting with company data and files on endpoints in unfamiliar environments.

How does it work? Your must lay out rules that dictate acceptable content usage, collaboration and management practices that align with all compliance criteria required of your organization. You can then apply automation to establish a baseline of “normal” operations and compliant activity, and monitor that those policies are being upheld across every company repository and environment. Automated alerting for any deviations from this baseline will help you proactively mitigate risk. By aggregating all company files and content into a single source, you can leverage automation to more easily identify who is accessing and interacting which assets, how they’re being stored, etc., and can manage the resulting outcomes.

Content is the lifeblood of all digital businesses today, and any lapses in its management can result in costly security and compliance risks. Gone are the days when you could rely on a basic pass/fail report to identify and manage compliance gaps. The rise of remote work, digital transformation and worldwide focus on privacy and security has made adherence to compliance standards more complex and challenging than ever before. While the world is still trying to find its footing in the midst of the pandemic, expectations from compliance regulators haven’t faltered or softened in the least. The good news is that automation can dramatically streamline compliance management to help you more intelligently and efficiently minimize risk. Now is the time to reassess your compliance strategy to ensure it’s up to the task.

Jeff Sizemore, Vice President of Governance and Compliance at Egnyte, is responsible for the strategy and execution of the Egnyte Protect content governance solution. Jeff has an extensive background in data protection, specifically in encryption, key management, data loss prevention, and identity and access management. Jeff has helped define the market by contributing to several start-ups, including PGP (now part of Symantec), Ionic Security, and Port Authority (now ForcePoint DLP).

You must login or register in order to post a comment.

ON DEMAND: DevSecOps creates an environment of shared responsibility for security, where AppSec and development teams become more collaborative. With the right training and tools, developers can become more hands-on with security and, with that upskilling, stand out among their peers... however, they need the security specialists on-side, factoring them into securing code from the start and championing this mindset across the company.

ON DEMAND: The insider threat—consisting of scores of different types of crimes and incidents—is a scourge even during the best of times. But the chaos, instability and desperation that characterize crises also catalyze both intentional and unwitting insider attacks. Learn how your workers, contractors, volunteers and partners are exploiting the dislocation caused by today's climate of Coronavirus, unemployment, disinformation and social unrest.

Security Magazine

2020 October

This month in Security magazine, we explore how Corning's global security group ensured business continuity and employee safety during the global COVID-19 pandemic. Also, we highlight the global security team at Uber and their recent security programs and initiatives. Industry experts discuss travel safety programs, career hackers, working for terrible bosses, group attribution error and more.

View More Create Account

Compliance regulators don’t stop working when companies go remote

Compliance must scale and evolve

The role of automation in modern compliance management

Related Articles

Report Abusive Comment