Every security operation should be asking whether they are prepared for a pandemic in the wake of the coronavirus (COVID-19) outbreak. Start by focusing on these areas.
The ongoing worldwide outbreak of coronavirus disease (COVID-19), which originated in Wuhan, China, in December 2019, continues to grab headlines. As of mid-February 2020, more than 70,000 cases had been confirmed. The World Health Organization (WHO) has declared the outbreak a public health emergency of international concern, and health authorities continue to work to contain the spread of the disease.As with other health crises, organizations need to evaluate the potential impact on their operations and prepare for dealing with a pandemic. “When looking at the threat posed by COVID-19, there are still many uncertainties,” says Mark Womble, a principal in the Crisis & Security Consulting practice at Control Risks, an international business risk consultancy. “What is certain, however, is that the world has changed in a number of key ways since previous outbreaks, most notably SARS back in 2003.”
For one thing, “We’ve become significantly more interconnected,” Womble says. “Global supply chains are the norm, with China playing a key role. Tremendous population migration and urbanization, and the resultant megacities those trends have induced, have placed a higher percentage of the world’s population in closer proximity to one another.”
This increased interconnectedness heightens the risk of a pandemic, Womble says, and increases the potential for serious business disruption if supply chains and travel must be curtailed.
In addition, the rise of social media has had a tremendous impact, not just on how people communicate with one another but on how and where individuals get their news. “This can have both positive and negative effects, as social media can rightfully be credited with spreading awareness but can also easily tip over at times into rumor and hysteria,” Womble says.
Whereas business leaders in 2003 would likely have expressed frustration at a lack of information, “Today’s leaders are charged with distilling what can at times feel like an overwhelming ‘fire hose’ of information,” Womble says. “Today’s information challenge is thus more acutely about sourcing, vetting and confirming factual information to baseline the challenge, make decisions and then communicate with employees, vendors, supply chains and the public.”
With that in mind, consider these suggested best practices for corporate pandemic planning from a security standpoint.
1. Start preparing for a pandemic early
Organizations early on should review their existing business continuity, emergency management and risk communications plans, says Nitin Natarajan, principal at Cadmus, a domestic preparedness advisory firm. That includes evaluating the impacts from a temporary reduction in workforce or a higher-than-average number of employees working remotely.
“Assess risks and vulnerabilities to physical and cyber systems from a reduction in staff, both internally and among key organizational interdependences,” such as supply chain partners or service providers, Natarajan says. “Communicate early and regularly, internally and externally, since information voids will often be filled with incorrect information.”
Security and IT executives need to brief senior leadership regularly and ensure there is a clear understanding of leadership’s expectations and their true level of risk acceptance, Natarajan says.
2. Establish an “intelligence baseline”
Going on a quest for perfect information about a widespread health concern is unreasonable, Womble says, and will exacerbate the level of frustration security executives might already feel. “Instead, determine which trusted sources of information you’re going to rely on,” he says. Good examples include WHO, the Centers for Disease Control, or a contracted medical response provider.
Leveraging these sources, companies can gain an understanding as soon as possible. “Focus your awareness campaign on those sources, unless gaps emerge that must be addressed,” Womble says. “Sticking with select sources allows you to conduct trend analysis on how the situation is evolving.”
3. Identify potential triggers, risk tolerances and responses
All crises are fluid, but emergent medical issues tend to be even more so, Womble says. “A trigger-based escalation matrix can be an incredibly powerful tool to help you respond more confidently,” he says.
When new information comes in, it’s important to validate it as soon as possible and discern which escalation plans or other pre-vetted decision trees might need to be recalibrated. “Accept that the ‘facts’ as you know them are likely to change,” Womble says. “Be prepared to re-evaluate your assumptions vis-à-vis those so-called facts and then adjust your action plans based on new information or emerging trends.”
4. Ensure a coordinated response
Organizations must ensure a strong, coordinated response that integrates cybersecurity, emergency management and risk communications staff, Natarajan says. “Utilize your organization’s emergency operations center, if you have one established,” he says. “Ensure consistent and frequent communications to your staff and external stakeholders.” In addition, companies should collaborate with state and local public health organizations.
5. Think globally
The term pandemic refers to a disease that has spread across a large region such as multiple continents. When evaluating security risks or preparing business continuity plans, companies need to be prepared for potential impacts on a worldwide scale.
“Ensure all plans have factored in worldwide aspects of your business, including supply chain, customers and service providers,” says Pete Lindstrom, vice president of security strategies at research firm International Data Corp. (IDC). “Something like a coronavirus is not like a natural disaster that may be geographically isolated.”
Keep in mind that many suppliers and business partners are in different parts of the world. “Contact business partners—especially supply chain—to confirm instructions for requests, orders, shipments, receipts, payment, etc.,” about any possible security issues, Lindstrom says.
6. Stress test all facets of the remote work capability
Estimates of the peak impact of COVID-19 vary widely and likely will continue to vary for some time, Womble says. What’s clear is that the business impacts are not going away anytime soon and may well increase before they begin to dissipate, he says.
“Remote work—whether by choice or out of necessity—will likely have to play a significant role in your business continuity planning,” Womble says. “Stress test every facet of your infrastructure now.”
An IT backbone intended to remotely support perhaps 10% to 20% of the workforce might struggle under the weight of the current challenge. “The earlier you understand the weak points in your system, the more time you’ll have to problem solve, or prioritize who should have access to your systems,” Womble says
7. Be transparent in sharing updates
Even the best business continuity plan is likely to be significantly challenged without dedicated employees willing and able to go above and beyond their normal responsibilities to help navigate the unique challenges a medical crisis can pose.
“Ensure those employees’ efforts are recognized and appreciated,” Womble says. “By removing—or simply reducing—your employees’ burden of sifting through an overwhelming and contradictory mountain of ‘intelligence,’ you enable them to focus on their roles and free them up to help meet the challenges to the organization.”
Companies have a duty of care to their employees as well as a broader responsibility to their business partners and communities, Womble adds. “The flip side to any crisis is opportunity, and organizations will rarely have a better opportunity to build trust and prove themselves than in the midst of a crisis that directly impacts individuals as well as business outcomes,” he says.