Security Think Tank: To tackle Covid-19, be prepared, flexible and resilient

In our globalised world, high-profile events such as Covid-19 have huge business impacts, some of which may be felt by CISOs. What responsibilities do security professionals have in such circumstances?

The coronavirus pandemic is now nothing short of a humanitarian crisis. Healthcare systems are buckling as thousands more people become infected, governments and policy-makers rush to respond, and world trade comes to a grinding halt.

The impact and disruption the virus is having on businesses is unprecedented, creating significant challenges for supply chain management, business continuity and risk management. In the face of the worst global crisis in recent memory, security professionals need to be proactive.

A flexible, prepared and resilient security function, like other elements of the business, will be required to withstand the stress the coronavirus is causing. The security function must take the following actions:

Scenario plan, threat model and run exercises

“Pure risk” or force majeure events divide security professionals. Is a pandemic an information or cyber risk? In short, yes. If the availability of information is threatened then security professionals need to prepare.

Organisations that scenario plan, threat model and understand their risk landscape will be better prepared for the impact of a pandemic. Those that run table-top exercises to formulate response plans, business continuity arrangements and crisis management procedures will be in a stronger position.

Work closely with HR and comms to manage panic and risk tolerance

The stress induced during times of crisis can compel individuals to act differently, causing them to take risks they wouldn’t normally take or to disregard security risks. Coupled with misinformation spreading online, the panic induced by the coronavirus will have a significant impact on personal lives, disrupting schools, travel arrangements and holidays.

Risk perception of traditional security threats will be devalued in the face of a real threat to life, meaning that organisations are likely to experience a number of security incidents from their employees making more mistakes, trusting phishing emails or being less aware of other threats.

Update security awareness campaigns to reflect the impending threat from scammers

Opportunistic attackers are posing as health professionals in phishing attacks, and healthcare and travel websites are experiencing watering-hole attacks. To mitigate the damage of these attacks, security awareness campaigns will need to move swiftly by creating short, digestible, contextualised content.

Upskill and empower your employees and, if suitable, adopt flexible working arrangements

Governments are enforcing measures to prevent the spread of the virus and many individuals are being advised to self-isolate. To navigate this turbulent time, employees must be empowered to work flexibly. Technical solutions such as cloud storage, virtual private network (VPN) access and online meeting facilities must be tested and implemented. Organisations must move to cross-pollinate employee skillsets, so the security workforce is agile and resilient.

In the midst of chaos, organisations have an opportunity to proactively improve security. Although the challenges are far-reaching, concerted innovation and agile security solutions may make the difference between an organisation failing or succeeding.

Dan Norman is an analyst at the Information Security Forum, the leading authority on cyber, information security and risk management. He is the project lead on the Human-Centred Security research series and author of the Threat Horizon series, which forecasts future threats to information security.
