Businesses around the world are currently engaged in the largest remote working experiment in history. While COVID-19 may have been the catalyst for the transition to remote work, it inspired some of the world's largest enterprises to make the change permanent. Although this acceptance of remote work grants employees greater flexibility, it is not without serious challenges, including how best to comply with the California Consumer Privacy Act (CCPA).
While the pandemic has led to delays in mortgage payments, taxes, and other obligations, implementation of the CCPA has continued apace. Enforcement began in July and its civil penalties run into the thousands. Unfortunately, organizations have never been less prepared to comply.
When we spoke to 100 IT decision-makers in January, nearly 70% said that their organization struggled with compliance because of fundamental weaknesses in IT operations and security. At best, those weaknesses made it challenging for organizations to report breaches within 72 hours, with just 45% saying they were completely confident that they could meet the requirement. As many as a quarter of respondents said they were unsure how much sensitive data is even stored within their estates.
The great remote work experiment has exacerbated these existing challenges and exposed new gaps. In our latest survey of 1,000 CXOs and VPs, conducted in April and May 2020, respondents said that maintaining compliance with policy requirements, like CCPA, will continue to be the biggest hurdle to supporting employees as they work from home. Existing visibility gaps, like those created by the use of personal devices on corporate networks, have widened as people work from their living rooms with their own Wi-Fi networks or on unsecured devices. All of these factors increase the risks of noncompliance.
So, in a remote work world, how can IT, security, and risk professionals ensure compliance? Strange though it may seem, there are three lessons to be learned from the challenges of the office.
1. Addressing the Root Cause
To prepare for the arrival of CCPA, business leaders told us they spent an average of $81.9 million on compliance during the last 12 months. Yet despite making investments in hiring (93%), workforce training (89%), and purchasing new software or services to ensure compliance (95%), 40% still felt unprepared for the evolving regulatory landscape. Why? Because the root causes were not addressed.
Perhaps their IT operations and security teams worked in silos, creating complexity and narrowing their visibility into their IT estates. Maybe their teams were completely unaware that other departments introduced their own software into the environment. Or more commonly, the organization used legacy tooling that wasn't plugged into the endpoint management or security systems of the IT teams. These are just some of the root causes that keep organizations in the dark and prone to exploits.
While the transition to remote work was swift, it has presented businesses with an opportunity to face these issues head-on. As workforces continue to work remotely, CISOs and CIOs now have the chance to evaluate how they effectively manage risk in the long term, which includes running continuous risk assessments and investing in solutions that deliver rapid incident response and improved decision-making. In time, they will restore fundamental IT hygiene for effective risk management and regulatory compliance.
2. Choosing Tools, Not Solutions
According to the organizations Tanium surveyed, US businesses ran an average of 38 discrete tools to manage their IT security and operations. As a new problem surfaced, a new tool was introduced to solve it. Unfortunately for most organizations, the result of so many tools isn't better visibility or better security but more confusion. When you have a problem, which solution do you turn to? When those sources present conflicting information, which one do you trust?
Point tools have always failed, and are failing now, because management, security, and compliance are all connected. Doing them well means not doing them in a vacuum. If you need to ensure compliance at the endpoint, that means implementing a comprehensive solution that addresses everything from discovery and patching to threat detection and response. That was true when the majority of employees were still working from an office, and it's even more true now that most of them are remote.
3. Ignoring the Role of IT Hygiene
Forty percent of US decision-makers we spoke to said that a lack of visibility and control of endpoints is one of the biggest barriers to maintaining compliance. But as many as 77% admitted to finding a previously unidentified endpoint on a daily or weekly basis. While there is no silver bullet for this problem, a renewed focus on IT hygiene would go a long way toward ensuring that all assets with access to the network are accounted for and that they can be monitored and remediated in real time.
That means creating a process to continuously identify assets, risks, and vulnerabilities across the computing environment and fixing them at speed and scale. Get this right and it could drive a virtuous cycle in the organization, preventing the breaches, outages, and service disruptions that affect so many organizations.
In turn, firming up IT hygiene helps bolster regulatory compliance efforts by reducing the chances of breaches and improving the organization's ability to spot and fix problems when they occur. Regulators look favorably on transparency and prompt action when assessing whether incident response processes are fit for purpose.
Supporting Compliance, Avoiding Disruption
More than 12 months before the pandemic hit, enterprises began preparing for CCPA and other compliance regulations by investing in talent and tools to achieve compliance. Yet poor IT hygiene and overtooling undermined their best efforts in the office. Now that they are faced with a completely decentralized workforce, the challenge is greater than ever. Meeting the requirements of CCPA calls for a strategy that authenticates the trustworthiness of devices within the network, ensures activity is monitored at all times for malicious behavior, and prioritizes complete visibility and control of all IT assets.