Security Think Tank: A guide to security best practice for pandemics

In our globalised world, high-profile events such as Covid-19 have huge business impacts, some of which may be felt by CISOs. What responsibilities do security professionals have in such circumstances?

It goes without saying that organisations operate in the real world and, as such, they will be affected by external regional, national and global events – but how do these external events affect the organisation, and in particular its IT security posture?

Agreed, it is not easy at first glance to see how the coronavirus outbreak in China could affect the IT security of a UK-based organisation. But once the organisation's reliance on global supply chains and on IT and communications technology that spans borders is taken into account, there will inevitably be effects to be considered and mitigated.

Secure supply chains

The internet allows an organisation to have a global reach, enabling staff, clients, suppliers and criminals to access the organisation from remote corners of the Earth, just as easily as if they were around the corner or in the next town.

Where a supplier is geographically remote, for example located in Asia, an event such as the Covid-19 crisis could leave that supplier short of qualified IT and/or security staff.

Should this happen, and where the component supply chain relies on e-commerce for the exchange of orders, shipping manifests, invoices, and so on, security at the supplier end could be reduced, and because the supplier's systems exchange data with the organisation's own, that in turn weakens the organisation's overall security posture. Understanding the security of the supply chain, and which suppliers have a connection into the organisation, is an important task for the organisation's security team.

Cloud operators, or their infrastructure suppliers, are often regional or global in nature. They run multiple datacentres and move network and datacentre operational management, such as the network operations centre, around the globe ("follow the sun"), and in so doing provide true 24-hour support and management coverage. This can happen even where an organisation's cloud-based IT is, by contract, restricted to datacentres in the UK or the European Union: the contract fixes where the data is held, not necessarily where the staff with administrative access to it are located.

A global or regional event such as coronavirus could reduce the availability of qualified staff at the cloud supplier or its network infrastructure supplier, which could have an impact on the management, maintenance or availability of part of the cloud service.

Also, if contract staff were brought in to provide additional cover at the cloud or network infrastructure supplier, there is no guarantee that contractor vetting standards would be properly maintained under that pressure, even though those contractors may end up with privileged access to the organisation's environment. Again, this is a supply chain security issue that needs to be understood.

Manage the workforce

Good business practices can help where the organisation’s staff are concerned.

For example, are there rules governing when people can take holidays, so that the security and IT teams are not left with key staff all being off at the same time? Do you have workable handover procedures for when staff members go off on or return from holiday? This is particularly important where staff are holidaying on distant shores, where an event such as the coronavirus outbreak could delay their return to work.

The same thinking should apply whenever staff are attending conferences or company meetings, particularly when managers and senior staff are involved. For example, the organisation’s headquarters should never be left without a responsible person or small team in charge. 

Test disaster recovery plans

Good practices also include the maintenance of up-to-date and tested disaster recovery and business continuity plans, covering not just the core, but also the loss or partial loss of one or more branch offices, network connectivity, cloud-based IT services, or security and IT personnel.

These plans should include call-off contracts for the supply of qualified people and services, and a public relations person or group also needs to be part of disaster recovery and business continuity planning so staff dealing with an issue can get on with their work without distraction.

The adjunct to this is that there must also be up-to-date documentation describing the organisation's IT in detail. This should include, for example, infrastructure cabling and devices, servers, services, software and hardware licences, users, topology, IP addressing, gold images, configuration and security rules data, copies of contracts, contacts, site address information, and so on.

There should be at least two copies of these documents, one on-site and at least one at a remote site, and it is recommended that one copy be in paper form, since the documentation is needed precisely when the systems that would normally hold it may be unavailable.

The question to be asked here is, could your IT be fully reconstructed from scratch or operated and managed by skilled people not from the organisation but using the available documentation?

The security team needs to ensure that security is not reduced or compromised in any way when a disaster recovery or business continuity plan comes into play. That includes the situation where key staff are unavailable, and the situation where there is a significant increase in staff accessing systems from home or other remote locations, probably using their own devices.

Ideally, security needs to be heightened as major events such as the coronavirus outbreak are likely to be used by criminals as cover for the penetration of a company’s infrastructure.

The security team should also maintain intelligence on the latest security threats and maintain or enhance security testing and staff education.

One last thought: in the process of disaster recovery and business continuity planning, do ensure that due consideration has been given to maintaining compliance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
