
Information Security Management in a COVID-19 World

Source: original to this site. Published: 2020/10/10 14:11:16

Despite the operational challenges resulting from COVID-19, information security’s prime objective remains enabling an organization to achieve its goals within its risk appetite. Today, organizations of all types are reconfiguring their service and product delivery strategies to both serve customers safely and obtain cost savings. Through this transition, SMEs must continue to mitigate the risks that existed before the arrival of COVID-19. For SMEs in regulated industries, this also includes the continued adherence to regulatory requirements. Those organizations accepting electronic payments, including credit cards, must also comply with applicable rules, including the Payment Card Industry Standard.

 


To survive, many organizations will need to alter their methodologies. Many SMEs already faced challenges in responding to the increasing use of emerging technologies confronting traditional business models and services. These developments impacted the expectations of employees, customers, and suppliers. Unfortunately, they will need to adopt emerging technologies and change their service models more rapidly. At a minimum, this would include reconsidering the effectiveness of existing technology investments and the ability of stakeholders to use existing assets to drive value for the organization.

 


These developments necessitate the calibration of risk strategies and even risk tolerances with the reality of different customer expectations in the new environment. For example, consumers prize and appreciate electronic-based transactions rather than in-person transactions. When in-person interaction is required, video and other electronic modes of communication will be favored. Yet many SMEs, even if they did have an information security program, did not consider the relevant threats that have resulted from COVID-19. Although many SME executives recognize the privacy implications of maintaining and transacting data, they may not realize the need to protect the ever-growing storage of video-based information. SMEs will face additional technology risk as remote solutions for workers and vendors become part of the new mode of operation.

 


The new environment requires that SMEs strengthen and change their information security management programs to enhance the organization’s resiliency yet protect the assets entrusted to it. These asset protection strategies should include both electronic and physical protection of their people, processes, and technologies. The organization’s viability will significantly rely on the program’s ability to adapt to changing conditions and its effectiveness in helping it achieve desired objectives. That is why, as part of their COVID-19 recovery strategies, many SMEs are revisiting their Information Security Programs, emphasizing both resiliency and facilitation.

 


The program should address efforts to learn where sensitive data exists, where it flows, and with whom it is shared. Unknown data is unprotected data. The potential for regulatory sanction is high, regardless of industry, as regulators can interrupt a business’s operations or halt its growth. Financial professionals should evaluate critical business partners who represent risk and may incur liability or reputational damage.

 


For an SME to get the most value from investments in security tools, it is vital that any metrics it develops are actionable and provide guidance for investigating and mitigating any identified anomalies. It is also helpful to implement an automated Security Incident Event Monitor (SIEM) to capture and triage the large volume of alerts. Monitoring through SIEM is often outsourced to Managed Security Service Providers (MSSPs) that specialize in this area. The MSSP often uses artificial intelligence to learn an organization’s network topology and correctly identify anomalous traffic. Should an SME identify or suspect a potential cyber-incident, the U.S. Department of Justice’s “Best Practices for Victim Response and Reporting of Cyber-Incidents” provides best practices and an incident preparedness checklist to help the SME navigate these problems.

 



Original editor: ICPA China Office

