On 26th Feb the WHO published guidance for organisations around the SARS-CoV-2 virus (Coronavirus), primarily focussed on reducing the disruption to services from staff getting sick. The guidance seems to apply to all organisations; there’s no note in there about “only for affected areas”. It does seem that we are entering into a phase where organisations / businesses might benefit from having the conversation around proactive preventative measures focussed on mitigating disruption to their key services.
Following further research (and not just from Karen with her essential oils from Facebook), and other publications from Johns Hopkins, it seems there is some fairly uncontroversial guidance that you should give serious consideration to adopting.
All this is available in more comprehensive forms, but is summarised below:
- Personal hygiene information in the office; posters showing how to clean hands, when to clean hands, and avoiding touching faces etc. Hand sanitiser available throughout the office to support this.
- Social distancing at a range of levels of control:
  - Promotion of phone calls and remote meetings wherever possible
  - Promotion of remote working. This could be considered in stages such as applying only to high risk staff (60+, diabetes, heart or lung disease, immune compromised), staff who are unable to avoid public transport, or critical roles
  - Consider promoting staggered arrival times so that higher risk staff can avoid the busiest periods if they do use public transport
  - Requiring high risk or critical staff to remain at home or only use private transport
- Promoting awareness amongst critical staff or high risk staff around the potential for disruption; primarily this means ensuring staff with important medication have a couple months’ supply in case of disruption, but could cover other areas too
Obviously the referenced documents go into much more detail; I’ve just aimed to provide a useful distillation above.
SARS-CoV-2 (Coronavirus) has been exponentially spreading within the global community and the effects of the virus and its attendant disease (COVID-19) are rapidly causing shocks within the global community. The effects of a potential pandemic are far reaching, producing strain on the global supply chain as China fell into the height of the outbreak with supply chains being diminished or dissolved outright. As such, as the virus spreads, it is important to consider the threat space to the security and function of your organisation due to loss of these supply chains as well as work forces within and without. As the spread of this disease continues, expect more supply chain degradation if not complete failures for some amount of time as the quarantines commence and play out.
Threat Intel Briefing: SARS-CoV-2 – Coronavirus
As such, here are some basic questions to consider for your organisation’s security and continuity, both as a whole and as separate functions such as the security of your networks.
Use this content to spark discussions around the security response as well as the larger continuity and integrity of the ‘business as a whole’. The following scenarios may not actually come to pass, but, as a security body, it is your job to forecast eventualities and the responses to them that might be needed to continue the function of the organisation.
With the outbreak of Coronavirus and its resultant COVID-19 (syndrome from infection) we have been seeing the arc of this outbreak becoming a potential global pandemic. With that in mind, it is advantageous to start planning for the effects of a pandemic with the businesses that you are responsible for.
Perform an assessment looking primarily at the CIA Triad of the response, not just on a data security level, but at an expanded outlook on the security, continuity, and supply chains that make up the CIA triad. All of these affect the security of your organisations as well as the basic functionality of your business.
With this in mind, it is important to look to the effects of a pandemic projecting out from initial outbreak to pandemic globally and how that will affect your business. Primarily the effects can be broken down into these discrete areas of concern:
1.) Supply chains
- What supply chains will be affected that will impact your business model?
- Human capital: how many people does it take to function properly if the work force is down from COVID-19?
  - What are your tolerances on head count?
  - What contingencies do you have if work force is depleted due to sickness and quarantine?
  - Where are your single points of failure in the knowledge base were these assets to be sick and quarantined?
- Supplies on demand that go into making your product: how much tolerance do you have for supply chains breaking?
  - What regions do your supplies come from?
  - Are they affected now?
- Plan for pandemic loss of work forces and how long you can function without supplies or with less
2.) Infrastructure Capacities:
- What tolerance does your network have to expanded remote working capabilities?
- With a workforce that may be in social isolation mode, what is the capacity for your company to allow people to work from home?
  - People will self quarantine if they become ill
  - Children may be home as schools and day care shut down in order to prevent spread of disease
  - The local authority or central government may recommend that people stay home and isolate to stop spread
- In a protracted scenario of isolation and potential re-infection, what are your projections on your organisation’s ability to function?
3.) Information Security Events and Response:
- With a global pandemic, the same draw down on work forces will also apply to the security operations function.
- Even with automation in your security operations toolbox, there is always a need for human intervention. Who will handle your response?
- During the time of pandemic and response, if your team is depleted due to sickness or quarantine procedures, what is your contingency for response?
- During the time of pandemic and response, the same applies to the security toolbox solutions that you pay for if you do not have them in house. What is their contingency?
- If you have a true incident in your environment, how will you handle it if the primary incident handlers are unavailable?
  - Do you have a service you work with?
It is recommended that the executive suite be briefed on these questions and ensure that these possible eventualities can be answered by the organisation, to ensure the continuity of your business.
Key take home
Understanding this research and what the coronavirus is, and implementing some preventative steps that could impact your current “Business as Usual” activities, should be valuable in terms of mitigating the potential for a wider or more sudden impact.
Obviously this is being provided as opinion, an interpretation of the material provided in the links above. As such, use this blog post accordingly.
Hue, Pugh, Barney McGrew, Cuthbert, Dibble, Grubb