Security and Privacy are opportunities in the digital by default world


We sat down with EY’s Carlos Chalico and Brett Cranston to talk about security, privacy, and why the “new normal” presents an array of challenges and opportunities for businesses today and beyond.

Our collective shift to digital by default has been swift and its effects are still shaking out in businesses across Canada and here at the David Johnston Research + Technology Park. 


Human Resource teams have been focused on the psychosocial and emotional effects of managing working from home. Facilities teams have been redesigning workspaces for physical distancing and updating filtration and cleaning protocols to enable a return to the office where needed. Behind all of this, IT and security teams have been working around the clock to keep a remote workforce connected – and to make sure that these remote connections are secure.

The massive shift to digital by default has raised several new concerns regarding cybersecurity and privacy, not just at the company level but for consumers, governments, hospitals, and more. Just last week, the Canada Revenue Agency announced that it had suffered a cybersecurity event exposing the accounts of over 5,000 individuals and businesses.

What areas should companies be looking at to ensure they’re protecting their businesses from hackers and cyber-attacks? We spoke with Carlos Chalico, Senior Manager – Cybersecurity and Brett Cranston, Senior Manager – Business Consulting at EY Canada to find out more.

“When it comes to cybersecurity and privacy, we divide it into three phases – the now, the next, and the beyond,” said Chalico. 

The “now” was the phase at the start of the COVID-19 pandemic and office closures. During this time, businesses were focused on supporting and facilitating remote work. Chalico said most organizations didn’t have the time to reassess the risks to their businesses and data as they rapidly rolled out new tools to enable working from home. “Unfortunately, because of the pace needed to deliver these tools, companies didn’t have the time to properly verify if these new tools met privacy and security considerations. You need to devote time to address risks,” said Chalico.

The “next” phase is happening now as we begin to slowly reopen offices to a limited number of employees, vendors, and customers. “What percentage of employees are going back? What considerations for security in the office have to be adjusted?” asked Chalico. Just as the move to work from home opened up potential security issues, moving to a mixed home and office model could present new threats as organizations share additional information with third parties or even introduce additional software to manage both groups of employees.


When EY works with its clients to look at the “beyond” phase, it’s a deep look at how cybersecurity has to evolve and be shaped. “On this transformation, companies need to understand that the physical space is different — and how to use things like new public cloud tools and software to help identify the risks and prepare a response plan in case an event occurs.”

Security and privacy go hand in hand — whether that’s internal data or customer information. Chalico and Cranston both recommend updating your documentation on how customer data is being used and how it flows through your processes with the introduction of new tools for working from home. “You must identify new risks and make sure you have the proper controls to mitigate these risks,” added Chalico. 

“The pandemic changed how data flows in and out of offices,” said Cranston. “One thing that was quickly apparent is that many companies didn’t have enough bandwidth and VPN access to enable their people to work from home.” Cranston noted that some companies even moved to a shift work system to be able to have teams access internal resources securely. “This has been a paradigm shift in the way we do business with each other.”


It’s not just securely connecting to the office that’s been a problem. Bring your own device (BYOD) used to mean personal mobile phones. But during the rush to work from home, the definition expanded to include personal computers used for work, too. “There are instances where the work-issue computer isn’t working or they need to use unapproved software, so they use a personal computer at home,” said Chalico. 

Employees using their own devices to stay connected exposes security and privacy processes to different challenges. “It’s an entirely different mixed environment now,” added Chalico. “Employees use work-issued devices to connect to social media or give them to kids to play games and, vice versa, they use personal devices for corporate matters. It’s just more risk.”

The new challenges caused by working from home aren’t the only risks. Chalico pointed out that people are still the weakest link in the cybersecurity chain. “Businesses need to talk to their people and educate them about the risks they’re potentially exposing,” Chalico said.

EY encourages organizations to tackle cybersecurity and privacy with a Trust By Design approach. “It’s about having multiple lines of defense and embedding a risk mindset at the outset of any product or service,” said Cranston. “If you’re a bank, for example, you have to identify what risks affect the branches, what risks affect the corporation, what risks affect the customer. If a company can demonstrate this, it will be a differentiator in the market.”


Chalico sees this as a part of cultural transformation within an organization. “We need to get people thinking about risk. Getting them to put risk top of mind and identifying all the potential implications of doing something. To make that change, IT and security need to work with HR or People teams to make it part of the culture.”

With work from home, the need to have security and privacy top of mind is even more important. Think about your home network for a moment. When you received the router or modem from your provider, did you change the admin password on it? “Not a lot of people do,” said Cranston. “Anyone who asks you for access to WiFi can do whatever they want on your network. A lot of people haven’t thought of that.” Both Chalico and Cranston said that we need to look at our home network as an extension of our office network. “Create a guest login, a place where people can have limited access,” added Chalico.

Chalico urges us to think of cybersecurity as a challenge. “The better we are prepared for it, the better we will react,” added Chalico.

The move to digital by default happened faster than we all expected it to, but Cranston said this created a new opportunity for businesses to promote themselves as being digitally trusted. “It’s the only way businesses are going to maintain customer confidence in their services,” Cranston said. “It doesn’t matter if you’re a mom and pop operation or a global enterprise – security and privacy have to become baked into the core of your organization.”
