COVID-19, aka the Coronavirus, is really starting to worry people. It’s an unfamiliar, seemingly unnatural new threat dragging a lot of uncertain baggage with it. It has already caused global disruptions on both the macro- and micro-scale.1 All over the world, organizations and individuals are mobilizing response plans, and that’s a good thing. The U.S. Center for Disease Control (CDC) is now telling Americans to prepare for an outbreak in the United States.2
As we wrote about in February, we should not have expected containment to hold COVID-19 back. The World Health Organization is reporting that more cases are emerging outside of China than within it.3 Containment, like network firewalls, are more about slowing down and funneling the threat than creating a hermetic seal. They buy us time so that the threat doesn’t hit everything at once and overwhelm all our other defenses. We need to assume breach and look at how we can best react if the pandemic touches down in our organizations and hometowns. Our efforts to contain COVID-19 have bought us time, but how can we effectively make the best of it?
Understand How the Most Likely Worst-Case Scenario Will Play Out
We should expect reasonable travel restrictions, overloaded medical resources, work slowdowns, and general shortages. We can also expect that COVID-19 will directly affect our workforce, which means a lot of staff will either be working remote or not working at all because they or their family have fallen ill.
Understand What You’ve Got to Work With
As we often say, one of the key operational controls is accurate and timely inventory. This should include all critical applications, especially with an eye towards what environments they run on (to ensure uptime), who accesses them (to measure capacity), and how they are accessed (to measure remote access resources). If many of your key applications are not remotely accessible or require key personnel to remain operational, then you may have a problem. Key questions to think about:
- What happens when the one administrator who knows a key system is out sick?
- What work can’t be done remote and who will do it?
- Is there enough network bandwidth, VPN capacity, laptops, and IP addressing for your remote access solution to handle everyone at once?5
- What happens if you’re only licensed for 25% concurrent user capacity over remote access and 40% of your staff needs to work remote?
- If the IT system can’t support full remote capacity, is there a priority system in place to determine who is allowed in and when?
- If full remote services are unavailable, what partial services are available? Web mail? Timecard reporting? Sales automation? Video conferencing?
- What if an entire office needs to be closed?
- Do we have sufficient authentication solutions in place to reasonably trust remote workers to access critical applications and data?
- What support resources are available when remote workers have technical problems?
- Are the mechanisms in place for employees to set up their own remote access connections if they don’t already have them set up?
- Are there reliable mechanisms in place to maintain contact with employees and contractors when they’re all out of office?
- Who will handle communication with customers, third parties, business partners, vendors, and suppliers about the crisis? What should that communication look like?
- What travel restrictions should be put in place and will this affect remote office operations?
Answers to these questions are critical to forming your response strategy as well as full management understanding of the implications.
Building a Response Strategy
Given the amount of unease (to put it mildly) regarding COVID-19, messaging your employees is a critical part of response. A useful thing to do is tell them that if they or their family members have symptoms, they should stay home. There are also great resources to point them to, such as NPR’s guide to preparing your home for coronavirus.6 There is even an all-ages Pandemic awareness comic book from Seattle’s King County Public Health.7 The basics should also be stressed: Wash your hands frequently, contain coughs, have sufficient nonperishable foods to last two weeks, and keep a good supply of prescription medicine and over-the-counter fever medicines.
It’s an easy assumption that a substantial number of users will need to work remote during the pandemic. The CDC warns organizations that up to “40 percent of their staff may be absent for periods of about 2 weeks at the height of a pandemic wave, with lower levels of staff absent for a few weeks on either side of the peak.”8
In addition to making sure your remote access systems can handle the load, key staff cross-training needs to be in place. Do not let one person’s absence derail your organization’s ability to function. To avoid this problem, you may need to look at offshore backup personnel or having contractors ready to go to take over functions. Now is the time to prepare instead of when they’re out.
Watch Out for Additional Cyber Threats
As if the disease itself weren’t bad enough, cybercriminals have already begun usual greedy predation. Cybercriminals know that VPNs are in high usage, so you need to ensure they are patched up and hardened. We are seeing an uptick of malware and phishing attempts using Coronavirus scare tactics.9 They are spoofing the CDC and other reputable organizations10 to trick folks into clicking on malware or sending in money or information for a scam. Just a reminder, a majority of phishing sites are now using secure HTTPS connections to both appear legitimate and also hide their activity from security filters. Again, this is where sending a user warning about these new tactics can be helpful as training employees can reduce their susceptibility to phishing from 33% to 13%.
Monitor and Adapt
It’s a good idea to form a pandemic response team, which would include representatives from human resources, Legal, IT, Executive Management and customer relations. Many organizations have already preselected a team like this as part of their disaster recovery plan. This team’s responsibility is to be both the clearinghouse for information on the pandemic as well as the primary lead for response activities. They should monitor status of the pandemic with respect to employees, vital suppliers, partners, and even key customers. They should also keep an eye on resources to anticipate needs and issue communications as needed. By the way, if you’re looking for something cool to put on the screen in the COVID-19 war room, might I suggest the John Hopkins coronavirus tracker11 or the Ncov2019.live dashboard.12
We need to use this time wisely before things evolve into an actual crisis at our organizations. The quarantines have given us all the chance to prepare if things get worse. It’s time for us to step up, ready ourselves, and ask, “How can we help?”