EisnerAmper Q&A with John Corrado, Senior Director of Information Technology, Ovid Therapeutics Inc.

September 02, 2020

By Brian Ferrara and Tyler Dwyer


Ovid Therapeutics is a biopharmaceutical development company based in New York.  It develops medicines to transform the lives of patients with rare neurological disorders through a broad pipeline of potential first-in-class medicines. EisnerAmper sat down with John Corrado, Senior Director of Information Technology at Ovid Therapeutics, to talk about how moving to a primarily remote workforce has affected his organization from a technical and security perspective, the difficulties that come with making this transition, and how his job has changed overall.

EISNERAMPER:

What are some of the greatest challenges you have faced from a security perspective when moving to a remote workforce?

CORRADO:

We face many of the same challenges we had faced before; however, there does appear to be a much larger number of phishing and spear-phishing campaigns aimed at higher-ranking individuals in our organization.  We have dealt with plenty of phishing attempts in the past and, coupled with our ongoing security awareness trainings, our employees know what to look out for and what to expect.  Another challenge is the human element, that is, a person’s actions such as what they are leaving open on their desktop with others around or if their home network is secure and protected.  There is always some inherent risk there.

EISNERAMPER:

In what ways has your position evolved to support a workforce that now works remotely across a number of state lines?  Have there been many changes at all?

CORRADO:

The biggest change was that our center of operations was moved from our office in New York to my home office.  As I am the only IT person at Ovid, outside of our outsourced IT service provider, a big change is being unable to troubleshoot user issues in person and dealing with the challenges that come with doing this remotely.  I am also responsible for providing hardware to our employees' homes so they can perform their duties, as well as shipping and receiving all Ovid-owned assets as it relates to employee onboarding and offboarding.

EISNERAMPER:

Are there any IT or security initiatives that you and your organization had plans to implement, but were rushed or delayed due to the pandemic?

CORRADO:

Our user-security awareness training program was on the docket for implementation and was something that we were going to finalize later in the year; however, knowing we were moving into a long-term remote workforce situation, we pushed this project forward.  We saw that there was a very large benefit to continuous training and awareness, especially with moving to a remote environment, as well as developing a formalized training plan, so this project was prioritized.  Both our single sign-on and multi-factor authentication projects were started before the pandemic, but because word of moving remote was discussed leading into March, these projects were finished with priority intent as well.

EISNERAMPER:

Were there any difficulties among the workforce in setting up the VPN or other secure ways to perform their assigned duties?

CORRADO:

There is always cause for a bit of concern in seeing how certain employees deal with moving to a remote capacity, whether it be connecting to the VPN for the first time, or seeing how they balance home and work life in a less structured environment.  There are those who are able to rise to the occasion and those who have a more difficult time adjusting, such as setting up office hardware needed to perform their jobs from home, dealing with at-home Wi-Fi issues, and things like that.  For those users, I act as a resource for advice and try to walk them through what I would do given their at-home hardware and resources.

EISNERAMPER:

Are there any operational areas which you focus more on due to the remote nature of your work (e.g., special attention to backups, more frequent checks of event logs, etc.)?

CORRADO:

Not too much has changed in regards to daily operations from my end; we have maintained looking at all of our security logs, backup jobs, and continuous events data to the same degree as we have in the past.  We are still ensuring that the appropriate backups and updates are occurring, all schedules are consistent, and monitoring is continuous to ensure machines are protected and up-to-date.  We have pretty much maintained the status quo from this perspective.  The quantity of end-user feedback has increased, so we spend more time looking into this due to the nature of how employees operate daily now.

EISNERAMPER:

Were there any concerns or difficulties in scaling remote working capabilities, such as infrastructure restrictions of VPNs, multi-factor or single sign-on issues, etc.?

CORRADO:

From an IT perspective, our footprint is very light, which has played to our advantage in moving to a more remote capability and there is so little required physically on a person’s machine.  Everything is already cloud-based, so there isn't much more that needs to be changed or pivoted; we don’t have to load up images or worry about migrating data; the only thing required is a good internet connection.  Some difficulties I see from most people at home is their personal bandwidth, which is something we cannot directly help with.  I have spoken with these employees to walk them through how they should consult their Internet service provider or given advice on how to switch up their home office setup to allow for faster connectivity and more efficient operations, but there is only so much I am able to do for them. 

EISNERAMPER:

Was there a focus on how all employees would be able to interact or collaborate with external stakeholders in a secure way?  Any additional focus on security for external sharing solutions?

CORRADO:

Fortunately for us, we have not experienced many issues in dealing with external stakeholders as this is pretty much the same as before we went remote.  We utilize our secure file sharing sites and email encryption, so by design we have not had to change much.  It's one of the perks of being a primarily cloud-based IT environment.

EISNERAMPER:

Have you developed a security training plan for existing users to discuss the risks of remote employment?  If so, is there a requirement to perform a certain amount of trainings per month, quarter, or year?

CORRADO:

The implementation of KnowBe4, a provider for security awareness training, and the performance of more frequent phishing campaigns was a project that we prioritized at the start of the pandemic.  We produce campaigns that detail “tips of the week” as well as “scams of the week” to continue to expose our users to this information, providing a constant flow of knowledge and education to promote a more security-centric culture.  Our trainings and campaigns are ongoing and will be additive; we will take a look at the overall threat landscape and based on the results of our phishing tests and training courses, we will continuously look for new programs and adjust.

EISNERAMPER:

How does the process of onboarding and offboarding user access differ while working in your home office?  What security precautions are taken to provide new employees with corporate assets, such as laptops, to ensure they are not stolen or compromised?

CORRADO:

Our employee onboarding and offboarding process has been one of the biggest changes for me.  There are a lot of logistics involved in the setup and retrieval of IT assets for both new hires and terminated users, including shipping and receiving of company hardware and coordinating with human resources.  Our basic onboarding process for new users can include ordering a computer from our hardware provider, having it shipped to me, opening and installing software, reaching out to our outsourced IT provider to have them remote in and configure as needed, going back and forth with updating configurations and permissions sets, just to box it back up and send it out to the user.  This is a business I do not want to be in and I think we should be working with a service to perform most of that provisioning at time of equipment purchase and avoid all of that middle ground action.

EISNERAMPER:

After adjusting to a remote working capacity, are there any processes that you look back and think you and your organization would improve upon, or do you have any lessons learned regarding business continuity and adjusting to a primarily remote workforce?

CORRADO:

I think it’s really important to be looking at processes and finding ways to be able to improve on them.  For us, there is work to do on the onboarding and offboarding processes with new hires and terminations, ongoing employee management, information management, and technology management.  I mentioned the difficulties we are having with the equipment setup and retrieval for new and leaving users, so we are planning to adjust those processes for a more streamlined approach.  On top of that, because of our light footprint with many cloud-based systems, we are fortunate that our remote transition was very smooth which further reassured our position in having a primarily cloud-based environment.  We are continuing to look at our daily processes to find areas of optimization, so our lessons learned will truly be an ongoing process, as is probably the same for most other organizations.


PRTS Intelligence Newsletter - Q3 2020

About Brian Ferrara

Brian Ferrara is a Senior Manager with over 15 years of experience in Sarbanes-Oxley, internal auditing, process improvement, risk management, compliance and IT controls.

About Tyler Dwyer

Tyler focuses on SOX compliance efforts and on performing audits of internal control over financial reporting. He has experience in data analytics and information technology, especially their applications to the financial services sector.
