By Paul West
Now that everyone’s approach to risk management and crisis resilience is being challenged as never before, there is still much to consider in trying to maintain any sort of business continuity for most companies where doors are closed and revenues are interrupted while expenses continue to mount. Certainly things will continue to change as this paralyzing event also comes with a fluid time element that is indeed stressful to every individual and pushes the sanity button of each while enduring a self-imposed, financial shutdown that is concern for all with its impact on the overall economy.
As we approach crisis resilience and risk management topics of all sorts during this time, we address here those few occurrences that have already tested the fortitude of business, as well as that of many individuals now working from home. In the beginning of this event, there was a challenge in the onslaught of remote users requiring access to applications and data from home which created a tremendous increase in network activity.
Despite so many businesses having already moved the bulk, if not all, applications to the cloud before this began, most faced a surge in remote operations that put a strain on IT operations and personnel in implementing a nearly 100% remote operation that for some industries meant welcoming everyone in the entire company, all at the same time. In some cases, there was also a scurry to retail purchases for appropriate equipment and resources (extra laptops, tablets, etc.) were limited by the surprising demand. This in turn further stressed IT operations to apply necessary updates to home versions of operating systems, up to date patches and other specific essentials. This should have placed an emphasis already on the notion of having proper security in place or at least raising the bar a bit more. There have been and will continue to be, rather drastic changes and adjustments for everyone; but, pursuant to this rise in home office work, it is important to remind everyone of the following:
The importance of paying attention to details and exercising heightened awareness that should be communicated to all working from home – as so many now are using home devices, in home office environments, that may offer little to no security, with open privileges, on computers lacking up to date software patches.
If anything, there should now be an even higher sense of security urgency for everyone in the form of PERSONAL VIGILANCE AND BUSINESS DUE DILIGENCE.
Guard Your Data and Systems
Needless to say, a more relaxed home attitude along with any number of personal distractions such as family members, roommates, pets, televisions, etc. could only exacerbate the situation -leading to an opportunity for that one bad actor to gain access to a remote device -which then could lead to unintentional access to important business data and/or personal information within the company network, either immediately or at a later date.
Lest we forget, the applications that may most be accessed during this time are those requiring adjustments beyond what was planned such as data within human resource, payroll and accounting systems. There are likely to be adjustments requiring access to other data and systems still (at least at the administration level), such as sales, marketing, meetings/event management and even reservations systems. Of course, payroll, HR, benefit systems may indeed prompt for the most important alertness as personal identifiable information abounds here. In any case, these systems should always be guarded with the utmost attention but now even more than ever during this event.
Embrace the Opportunity to Improve
This is a very good time also to remind everyone that there is always an opportunity available in every disaster (even during the worst periods of uncertainty) that can be embraced, cultivated and even repackaged for better business continuity and employee peace of mind. Such opportunities may then be used for improved processes and motivational purposes that can ultimately provide better overall company performance in the long run, while simultaneously offering some hope, and perhaps a rallying cry to everyone on the company team to maintain composure in the short run.
In the current situation, where so many are entangled in unfamiliar approaches to work along with a complete change in personal lifestyle, one could offer that we should be even more cognizant of our surroundings while working remotely and double down on adhering to proper security guidelines. In fact, it is never too late to begin or to update your contingency/resilience preparations -and that is because no single plan can ever be applied without issue to every possible situation. Therefore, now is as good a time as ever to develop, manage and/or update that crisis resilience/contingency plan that appears most would have put into play in some way already at both the business and individual levels.
Initiating a Response Plan
Certainly the important early stages of providing proper and direct communication; insuring transparency of information; outlining a clear chain of command; embracing plans for employee safety first; and then trying to focus on business now, while keeping an eye on business in the future, have been executed. All these initial points are paramount in a response to a pandemic like this; however, many now find themselves struggling to adjust particularly when there is additional stress of not knowing when/if they may return to work in person, if not at least even remotely. It’s important to note that not everyone working from home is accustomed to doing so, and will inevitably not always have their guard up at every moment in time.
Clearly, things are bad enough already that we do not need to add more problems to the mix such as exposed personal data, corrupted business data or potential ransomware attacks (still ranked as a number 1 threat where the cost in business interruption is often 20X more than the actual ransom request). Therefore, it should be obvious to all that there is still the potential for “infection” beyond the name-sake of this current pandemic. No better time than now to remind your remote staff to pay attention to clicking on the wrong link or opening the wrong attachment since that could not only create an issue for the individual at home; but, even if that remote user is not connected to business data at that moment, it could still become a problem for the business at a later date if that same remote device is reconnected to the company network (worse yet home passwords = work application passwords = BAD PRACTICE; THINK: VPN access credentials!). There is also expected to be an influx of COVID-19-related topics as the subject of emails that will really be the ubiquitous phishing attempt in disguise.
It is still most important for all to execute this remote working part of the plan to ensure some sort of productivity without compromise to company information or personally identifiable data while ensuring continued integrity and availability of resources for this extended period of time.
A sustained practice of diligence by every business and vendor, as well as a sustained practice of vigilance by every individual has never been more important!
Hackers Are Stepping up Attacks
We have learned that not every remote home worker actually has a secure router, with secure internet access or a VPN, with computers having applied proper privileges/controls and patches, or VOIP phone set up and/or mobile phones that will be bogged down in some areas by the volume of video traffic within both cellular and cable networks combining business and personal needs. We should also know that those nefarious actors, none of whom have been sent home to sit and wait for everything to return to normal, will take this moment to exploit not only any vulnerability in hardware/software, but also any lack of judgement or lack of attention in user actions. It would be advisable then to take this opportunity to remind those with whom you may have entrusted continued access to your company network and its data of this not so minor point. At a minimum, it may be a good idea at least to deploy a secure email option for your remote workers to use for those most important and definitely more private communications where sensitive information can be sent with verification of both the sender and the recipient, as well as confirmation of valid content.
When this event ends, every company’s newly challenged contingency preparations should at least by then include a wide ranging security review to go along with those tools and tactics that enable a remote node from home to operate in a more secure environment without sacrificing productivity. At a minimum, that ideal remote node should include security processes and procedures that are even tighter than before this event. I would suggest initiating the use of phishing tests where if the user does click on a faux malicious link, then they would be required to watch a quick video on what to watch for moving forward. This is still a very effective exercise.
Time to Rethink Your Risk Management
It is a good time to review or rethink your approach to risk management and privacy compliance processes as well as those related crisis resilience and contingency solutions. Everyone should create, engage, practice, maintain, update and repeat!
We must all continue to engage in security procedures, processes and services that are proactive, reactive, remedial, documented and ongoing in vigilance, diligence and protection -as always, this applies to every business, every vendor and now, particularly to every individual while working from home!
Finally, as there will be challenges concerning cost reduction, enhanced risk management protection and alternative revenue generating solutions to come, I hope to address those in subsequent articles or postings. For now however, I am still optimistic that business will resume again sooner rather than later; but, it will likely require some additional adjustments and social distancing that is sure to take a toll on spacing in restaurants, retail outlets, etc., that will consequently affect revenue. While we wait for the smoke to clear on this one, if there is anything to take away from my intent, then it is that we should all keep moving, utilize what is at hand efficiently; and, maintain vigilance in personal security as well as diligence in business security while we prepare for the next stages of potentially new ways to work in the future. Remain positive, be consistence in actions -and by all means, stay safe and keep others safe; but also, continue to move in a forward direction as securely and efficiently as possible until that time when we can all return again to some sort of normality in business operations as well as some sort of sanity in our own personal living.
