In the push to be able to conduct business during the pandemic, companies sought out new technology to improve their digital capabilities for both internal employee and external customer-facing work. There was a noted rush to select, implement and integrate new technology into the existing infrastructure to keep business moving along. For the most part, the purchase decision was compressed and triggered by the immediate need. As such, there are some decisions that in hindsight may cause regret and others whose terms are not as attractive as expected for a long-term relationship. Also, the selected technology could be a perfect fit, but the implementation may have taken shortcuts in the rush to deliver, and additional work may be desired to further refine the integration or customization to better meet the business needs. Even if no new technology was introduced, regular maintenance tasks were postponed during the pandemic, and training sessions that were needed then, and are imperative now, were canceled.
As we move to the next stage of the pandemic and define work arrangements, whether returning in some way to a physical office location or settling into a long-term remote work arrangement, it is a good time to take a breath, assess where your applications and infrastructure are today, and prioritize key projects and next steps to move forward in whatever the new “normal” may be.
Vendor Management
Starting with vendor management and contract review, most organizations do a great job of vetting vendors during the purchase/selection process but fail to follow up on a regular basis to ensure the vendor and its practices maintain the necessary controls to keep their systems supported and your data protected. Given that your vendors had similar stressors maintaining business practices through the pandemic, it is a good time to re-assess their activities to ensure the expected levels of control and security are still in place.
This is also a great time to review your contractual agreements. Identify any agreements that will expire in the near term and start planning for the next steps, which could be a replacement or a renegotiation for renewal. Identify any contractual terms that no longer meet your needs, e.g., on-site support with a remote workforce, and lay out a new path and desired outcome before approaching your vendors. Ensure any needed or expected vendor certification/licensing is also up to date during your review process.
Infrastructure
Your infrastructure and its support should be assessed to ensure it is protected, sized, and supporting the organization. Are both hardware and software patches being applied in a timely manner? Are there any components that need to be retired or are no longer supported? Assess whether changes are needed for growth or contraction. Are controls in place to ensure a secure environment for the data and organization? What has changed during COVID-19, and how has that impacted the operation?
There has been a move towards the cloud for a number of years, but the pandemic brought that shift to the forefront for many organizations. Questions to ask include: Is your selected cloud provider providing the service and support you and your organization expect and need? If outsourced, are you getting regular (and useful) reports about the health and security of the environment? Are any identified or contractual service-level agreements (SLAs) being met? Are there SLAs that weren’t defined but should be? Address deficiencies with your internal/external vendors or select new ones, as appropriate.
Software Technology and Documentation
Your software technology is critical to your success. During COVID-19, a lot of projects were put aside for more immediate “keep the lights on” activities. A review of what is listed in your backlog is needed to identify where (and if) issues with key functionality exist. Points of integration should be reviewed to ensure the exchange of data is being completed in a secure manner, seamless to the end-user. In general, complete an assessment to ensure you have the best combination of systems supporting your business operation. This process will ensure awareness of not only immediate needs but those that are just over the horizon. If software was selected in a rush during COVID-19, it’s a good time to look at the industry for alternatives to identify a better fitting solution or to identify enhancements to request of your vendor.
Documentation is an area that was frequently ignored during the pandemic (and other times). There is value to the organization in maintaining documentation of your systems and practices. The application architecture diagram is a simpler diagram to create, but is critical to understanding the systems in (and out of) your environment and their interactions. Many organizations have graphical representations of their network, but not of their applications, interactions, and uses. The application architecture and other documentation facilitate communication and understanding within the organization and with your vendors.
Security
The last area that needs attention is one that should be foremost in everyone’s mind: security. Security encompasses people, processes, and technology. Attacks can come through any of these areas, and vigilance is needed to stay protected. For people, it is important that any training sessions that were postponed during COVID-19 be rescheduled to educate employees on such things as identifying spam emails and phishing schemes. Processes should be reviewed to ensure that information is being properly protected, whether it is paper or digital, throughout the process, and that only appropriate data is being shared. Finally, the technology needs to be assessed. This can include a review of users and the level of access granted, ensuring that anyone who has left the company has had their access revoked, that security levels are commensurate with the roles, etc. Identify any users that haven’t logged in for extended periods and determine if their access is required. Security surrounding applications should be reviewed to ensure that the current protocols are being followed, including the complexity of passwords, the number of days between password changes, etc. Administration passwords should also be updated on a regular basis.
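The user and access review described above can be run as a repeatable check over an account export. The following is an added example, not part of the original article; the CSV columns, the 90-day thresholds, the role-to-admin mapping and the sample rows are all assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Assumed policy thresholds; the article gives no numbers.
STALE_LOGIN_DAYS = 90
MAX_PASSWORD_AGE_DAYS = 90
# Assumed set of roles that may legitimately hold admin entitlements.
ADMIN_ROLES = {"it_admin"}

# Constructed sample export joining HR status with directory account data.
SAMPLE_EXPORT = """username,hr_status,account_enabled,role,entitlement,last_login,password_changed
asmith,active,true,accountant,standard,2021-06-01,2021-05-10
bjones,terminated,true,analyst,standard,2021-01-15,2020-11-02
cnguyen,active,true,receptionist,admin,2021-06-10,2021-04-20
dpatel,active,true,analyst,standard,2020-12-01,2021-05-01
svc_admin,active,true,it_admin,admin,2021-06-14,2019-08-30
elee,terminated,false,analyst,standard,2020-10-01,2020-09-01
"""

def review_access(export_text, today):
    """Return {username: [findings]} for enabled accounts needing follow-up."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["account_enabled"].strip().lower() != "true":
            continue  # disabled accounts already have access revoked
        issues = []
        if row["hr_status"] == "terminated":
            issues.append("left company, account still enabled")
        if row["entitlement"] == "admin" and row["role"] not in ADMIN_ROLES:
            issues.append("admin access not commensurate with role")
        last_login = row["last_login"]  # empty means the account never logged in
        if not last_login or (today - date.fromisoformat(last_login)).days > STALE_LOGIN_DAYS:
            issues.append("no recent login")
        if (today - date.fromisoformat(row["password_changed"])).days > MAX_PASSWORD_AGE_DAYS:
            issues.append("password older than policy")
        if issues:
            findings[row["username"]] = issues
    return findings

if __name__ == "__main__":
    # Fixed review date so the constructed sample gives a reproducible result.
    for user, issues in review_access(SAMPLE_EXPORT, date(2021, 6, 15)).items():
        print(f"{user}: {'; '.join(issues)}")
```

Each finding is a prompt for a decision by the account owner or manager, not an automatic revocation; the stale-login result in particular feeds the "determine if their access is required" step.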
While all of the above would normally be considered business as usual, COVID-19 has irreparably changed what normal is. Work that has been postponed, canceled, or set aside should be revisited to identify what is still applicable to maintain a secure and functional operation for the organization and its user community.