Organizations that build actionable and thorough pandemic plans can help mitigate risks even after the fact.
On March 11, 2020, the World Health Organization classified the new coronavirus disease 2019 (COVID-19) outbreak as a pandemic, and on March 13, a state of emergency was declared in the United States. The pandemic is already affecting organizations and their workforces in significant ways. Because customers, suppliers, and employees must now alter their day-to-day routines, business operations for many organizations will be disrupted. Now is the time for business continuity planners to make sure that their organizations are prepared to handle the pandemic.
Organizations must take preemptive measures to prepare IT personnel and resources to maintain critical business functions, including supporting a much larger remote workforce. Those tasked with overseeing the continuity of operations and availability of critical business systems also must consider information security throughout the process.
It’s impossible for any individual or organization to insulate completely from the effects of a pandemic, but certain steps can be taken to make sure that critical business operations continue and security is maintained as necessary changes are implemented.
The first step is for the organization to put a pandemic preparedness plan into action. Any existing plans must be reviewed and refined based on real-time information available on the current threat. Implementing an effective plan requires considering the plan’s goals, asking relevant questions, testing preparedness, and communicating the plan effectively.
Review the objectives
Any solid response plan must start with intentional goals. Pandemics are different from other disasters and crises because they are human-centric events. As such, any response plan also must take a human-centric approach to be effective.
According to the Contingency Planning Guide for Federal Information Systems issued by the National Institute of Standards and Technology, the Homeland Security Council requires, in anticipation of a pandemic influenza event, that federal organizations create pandemic preparedness plans that will, among other objectives:
- “Protect employees during a pandemic”
- “Sustain essential functions during significant times of absenteeism”
- “Communicate guidance to stakeholders during a pandemic”
These same objectives – protect, sustain, and communicate – can be applied to any organization’s pandemic preparedness plan.
Ask the right questions
To protect, sustain, and communicate, business continuity planners need to consider the following questions in pandemic preparedness planning:
- What technology will the organization provide and use to facilitate remote workplaces? How will the organization secure these remotely accessible resources and remote connectivity solutions?
- Are laptops and mobile devices available? Have full-disk encryption solutions been deployed on all laptops? Is a mobile device management solution in use, and does it provide the capability to manage organizational data on portable electronics?
- What is the virtual private network (VPN) and remote access capacity? If mobile devices and remote access capability are limited, who in the organization should have access to these? Has multifactor authentication been implemented for all access to the VPN? Have access control lists been put in place to limit, where possible, access for remote personnel?
- What business functions cannot be performed remotely? Who are the essential employees who would have to work on-site, and how would those employees be protected? Can these employees instead work in smaller groups in other locations? Can steps be taken to virtually connect these teams?
- What is the succession plan if key personnel must be isolated for a period of time? Are others with the necessary knowledge and skill sets available to fill these roles? Have roles and responsibilities been clearly delineated?
- Is a certain geographic or population segment more affected by the current pandemic? How might this correlate to the organization’s workforce, and how could this alter the organization’s plan?
- Are there any single points of failure that could be affected because of an office closure?
- Have supply chain risks been identified, quantified, and preemptively addressed to mitigate business interruptions?
Test the plan
Even though planners might feel they are playing catch-up due to the speed of the events, organization leaders and stakeholders must test their response as soon as possible. The objective for the test should be to refine the plan based on up-to-date information and to make sure that key stakeholders are trained in their roles in the plan.
Tabletop exercises should include specific – not generic – scenarios and business processes. Leaders should ask “what-if” questions and introduce uncertainty into the exercise, a feature that undoubtedly exists in the current pandemic.
Communicate the plan
Above all, leaders should keep in mind that a pandemic is a human-centric crisis. Clear and effective communications are among the most important aspects of the overall response.
Communicating often and transparently is critical in keeping team morale up and in sustaining trust within the organization. Leaders should address rumors as early as possible and not shy away from sharing hard facts.
In addition to delivering top-down communication that is clear, concise, and accurate, organizations should make sure that technology solutions allow for business teams to continue to collaborate and execute their roles and responsibilities in an efficient manner. This means:
- Transitioning to video-based conferencing and work-from-home strategies to maintain a sense of community and collaboration
- Assessing the ability to quickly enable a remote workforce, determining laptop and internet availability, and stress-testing VPN access
- Evaluating critical third parties to understand their response and disaster recovery plans as well as their capabilities per their service-level agreements
- Determining that any resources employees require to execute their job functions are remotely available, secure, and in a stable state
However, having these technology solutions in place doesn’t mean much if an organization has not tested its scalability and load-balancing capabilities. As demand for remote access increases, technical resources will be under sustained strain. Supporting the availability of those resources will require significant efforts on the part of the asset owners or the IT department.
Support critical technology
To understand the resiliency and stability that applications must provide so that users can carry out their day-to-day operations under such heavy load, consider the different use cases for roles within each organizational unit. Doing so helps determine what an average user interaction might look like in each scenario.
Special consideration should be given to events that will increase demand from the user base, such as critical processing windows at month-end. Some changes might require only temporary increases in capacity, such as allowing email access through Microsoft Office™ Outlook Web Access or remote VPN access.
In some cases, the organization might be able to increase capacity by adding licenses or rotating connection time frames to limit system load. In other cases, access to certain services might be allowed directly from the internet, but this should be limited to a small number of highly secured services. For example, access to Microsoft Exchange through Outlook Mobile Access or Outlook Web Access might be allowed temporarily. However, organizations must understand that this exposes the system to risks, such as:
- User accounts and passwords being guessed from the internet
- Previously unknown misconfigurations being exposed
- Missing patches being exploitable by anyone on the internet
Given the risks, organizations might decide to alter accessibility for only a limited number of services. If so, compensating controls should be put in place, including additional monitoring of authentication activity, source IP address restrictions, and stronger authentication requirements such as multifactor authentication.
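The "additional monitoring" and "IP address limitations" called for above can be made concrete with a small detection script. The following Python is an added example, not code from the original article or from Microsoft: it reads web-server style authentication records for a temporarily exposed webmail endpoint, flags source addresses outside the organization's approved egress ranges, detects password-spraying behaviour (one source failing logons against many distinct accounts within a short window), and reports any account that then logged in successfully from a spraying source. The log format, the sample lines, and the 198.51.100.0/24 allowlist are all constructed for illustration.

```python
"""Detect password spraying and off-allowlist access against an exposed webmail login.

Added example. The record format below is an assumption:
    <ISO-8601 timestamp> <source IP> <username> <FAIL|SUCCESS>
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). One source, 203.0.113.7,
# fails against five different accounts in five seconds and then succeeds
# as "frank"; 198.51.100.x are the organization's own (assumed) egress range.
SAMPLE_LOG = """\
2020-03-16T08:00:01Z 203.0.113.7 alice FAIL
2020-03-16T08:00:02Z 203.0.113.7 bob FAIL
2020-03-16T08:00:03Z 203.0.113.7 carol FAIL
2020-03-16T08:00:04Z 203.0.113.7 dave FAIL
2020-03-16T08:00:05Z 203.0.113.7 erin FAIL
2020-03-16T08:00:06Z 203.0.113.7 frank SUCCESS
2020-03-16T08:05:00Z 198.51.100.20 alice SUCCESS
2020-03-16T08:06:00Z 198.51.100.21 bob FAIL
2020-03-16T08:06:10Z 198.51.100.21 bob SUCCESS
2020-03-16T09:00:00Z 192.0.2.9 grace FAIL
"""

# Hypothetical allowlist: source ranges permitted to reach the exposed service.
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_log(text):
    """Parse the assumed four-field format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ipaddress.ip_address(ip),
            "user": user,
            "ok": result == "SUCCESS",
        })
    return events


def outside_allowlist(events, allowed=ALLOWED_NETS):
    """Source IPs that are not inside any approved network (sorted as strings)."""
    bad = {str(e["ip"]) for e in events
           if not any(e["ip"] in net for net in allowed)}
    return sorted(bad)


def spray_sources(events, min_accounts=5, window_minutes=10):
    """Map source IP -> max number of distinct accounts it failed against
    within any window of `window_minutes`; only sources at or above
    `min_accounts` are returned. One account failing many times is not a spray."""
    by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits inside the limit.
            while (fails[end]["ts"] - fails[start]["ts"]).total_seconds() > window_minutes * 60:
                start += 1
            best = max(best, len({f["user"] for f in fails[start:end + 1]}))
        if best >= min_accounts:
            flagged[str(ip)] = best
    return flagged


def successes_after_spray(events, sprayers):
    """Accounts that logged in successfully from a spraying source after its
    first failure: the signal that a spray found a valid password."""
    first_fail = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        ip = str(e["ip"])
        if ip in sprayers and not e["ok"] and ip not in first_fail:
            first_fail[ip] = e["ts"]
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        ip = str(e["ip"])
        if e["ok"] and ip in first_fail and e["ts"] >= first_fail[ip]:
            hits[ip].append(e["user"])
    return dict(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("off-allowlist sources:", outside_allowlist(evs))
    sprayers = spray_sources(evs)
    print("spraying sources:", sprayers)
    print("accounts to reset:", successes_after_spray(evs, sprayers))
```

Run against the sample, the script reports 192.0.2.9 and 203.0.113.7 as off-allowlist, 203.0.113.7 as a spraying source (five distinct accounts), and "frank" as the account to reset. In practice the allowlist check would feed a firewall or reverse-proxy rule, while the spray and post-spray-success detections belong in the monitoring that the text says must accompany any temporarily exposed service.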
In each case, organizations should determine how best to enable their employees to reduce their risk of infection and increase social distancing while still meeting the ongoing needs of the business and maintaining the security of information systems.
As COVID-19 develops, organizations must consider how they are prepared to deal with the consequences of the pandemic. Proactive organizations will have a plan and technologies in place that they have tested and communicated. Taking the time to evaluate and build an actionable, thorough plan can help mitigate the risks of a pandemic.