By Mark Lanterman
As I write in early March, coronavirus outbreaks across the globe are sparking growing concerns for the health and safety of our families, friends, and colleagues. With each new case, organizations are faced with the prospect of decreased personnel due to illness, disruptions to supply chains, and an inability to carry on business operations as usual. As with any potential risk management issue, establishing a framework that can adapt to emerging threats, circumstances and information is critical in ensuring the best possible outcomes in the novel coronavirus pandemic. Because we cannot control the 24/7 news cycle and the ongoing reporting of this new virus, we cannot control the perceptions and reactions of society and the relative calm or panic with which organizations will react to this continuing crisis.
In this article, I will lay out a basic framework for managing the risks to business continuity in partnership with Mike Olson CEO of 360 Security Services, a joint company to Computer Forensic Services that offers enterprise security risk management and investigation services. Even if your organization lacks a robust business continuity or continuity of operations plan, following some of these steps should help you get started. You will want to consider your people, processes, and technology in these steps. Doing something in preparation is better than doing nothing.
Establishing a team
The first step to enacting a pandemic escalation tier system is the establishment of a dedicated team responsible for coordination of processes and technology, communication, monitoring, and de-escalation to normal activities. Creating a group of key personnel (i.e., with members from security, IT, human resources, legal, operations, etc.) with one project leader (to avoid communication overlap) is critical to ensuring clear information is being shared within the organization regarding expectations and the implementation of the tier system and subsequent processes and procedures to be implemented. Planning activities within the group require a baseline understanding of critical business systems and assets in addition to the identification of key personnel (and backups in the event of illness). By monitoring media and government reports, the planning team is responsible for highlighting potential scenarios in the event of an increase in cases and to enact emergency procedures and protocols should the need arise. Purchasing supplies, such as gloves, masks, and hand sanitizer, creating guidelines for self-reporting, communicating CDC guidelines for basic safety and health,1 and organizing backup means for communication are all ongoing tasks for this team.
Tier 1
If we define Tier 0 as “business as usual,” Tier 1 is the first of four response stages. Escalation to this tier is appropriate in response to regional reports within surrounding states. Disseminating or publicly posting CDC health guidelines is a component of this stage, as is ensuring that your organization or firm is prepared to work remotely and is trained on remote access, communications, and associated policies and procedures. Mike Olson stresses the need for a business continuity plan to ensure that basic infrastructure is in place to allow employees to safely remote in and continue work: “Now is the time to plan and ensure your IT environment is ready for remote work if you are not sure of your capabilities. Ensure your policies are updated and consistent with the current threat. Ensure IT and security departments conduct security training for employees as soon as possible and in preparation for what is likely to be a matter of when, not if, remote work is necessary to support company operations.” This should include best practices for remote working, (i.e., use of VPNs, avoidance of open wifi networks, securing endpoints, encrypting critical emails, phishing awareness, etc.). Remember, humans are the weakest link in your cybersecurity environment.
This step also requires testing any remote access technologies and providing support, education, and any necessary equipment to employees. Tier 1 also necessitates identifying the supply chain on which your organization relies, one example being shipping companies. Accounting for your organization’s shipping needs is critical; key vendors’ plans for business continuity should be researched and documented. If your organization shuts down to allow employees to work from home, who will receive your packages or mail if those companies continue to deliver, or will you ensure a plan is in place to hold those items?
Tier 2
As of early March, all Minnesota organizations following this framework would be at the Tier 2 response level. Escalation to this tier is appropriate when immediate-area cases have been confirmed within the state. Careful monitoring of the spread of coronavirus to be communicated by the planning team is especially critical at this stage, as escalation to Tier 3 may be imminent. Self-reporting of symptoms and potential sources of exposure is mandatory and requires that any potentially ill employees work from home for an extended period of at least two weeks, though it should be made abundantly clear that this procedure is not punitive but merely to protect the health and wellbeing of both the affected individual, their families at home, and the organization as a whole. At this tier level, reduced staffing may be a necessity as well as a rotation plan for employees to maintain the bare minimum for basic critical operations if remote work is not completely viable for certain tasks. The need to limit travel, especially to current “hot spots,” should also be communicated by the planning team and strongly considered despite the impact. Depending on reporting of cases, an increasing transition to the established remote work plan should begin as the organization approaches escalation to Tier 3.
Tier 3
Tier 3 is based on widespread confirmed reports in the immediate work or home environment of employees. This tier is characterized by a complete reliance on remote work and communication. The Tier 1 personnel backup plan should be enacted depending on the circumstances. Remember, if employees with ownership of key processes are incapacitated due to illness, back-ups must be designated. This includes senior leadership.
Tier 4
An all-clear issued from government entities including local government, WHO, FEMA, and the CDC in combination with organizational leadership, de-escalation procedures can commence under Tier 4. A gradual return of employees, with careful self-reporting of those affected and screening of employee wellness, would mark the beginning of resuming normal business operations and the return to Tier 0.
When this unique threat and challenge to our physical and cyber security environment passes, which it will, it will be important for each organization to conduct an after-action debrief with key personnel and leadership teams as part of a continual improvement process. This will be a good time to improve existing business continuity plans and/or recognize the importance of having one in place and regularly updated in the future for these types of emerging threats to your operations.
A holistic approach to security means preparing for the worst along with understanding the potential impact to the critical areas of your business. The recent coronavirus spread has many organizations questioning how they would continue to operate and maintain a degree of efficiency while doing so if employees are unable to work. Establishing a team of responsible personnel to enact the steps of this framework is essential in maintaining business operations, but most importantly, it is essential in supporting the health and wellbeing of coworkers, colleagues, and employees.
MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.
[1] https://www.cdc.gov/coronavirus/2019-ncov/about/prevention-treatment.html