Thank you for your interest in this white paper and for allowing InfoSec Advisory to provide guidance and recommendations regarding business resilience during a worldwide pandemic. I trust this document will guide business leaders when developing a much-needed tactical business resilience program. The goal is to help ensure the health and safety of all personnel while preserving revenue integrity. Please be advised that this brief white paper is a subset of a business-wide contingency plan.
It is impossible to pre-plan for every possible business interruption event, whether human, natural, or technically created. However, within each business the leadership can provide “realistic” guidance to help ensure the integrity and continuity of people, process, and technology. During an unplanned business crisis, focus must be given to people, process, and technology – preferably in this order.
People Actions Now
The current COVID-19 viral pandemic has created massive amounts of Fear, Uncertainty and Doubt (FUD) across many people and business sectors. The health and welfare of people are the heartbeat of each business and must be given leadership focus. As leaders, maintaining engagement with a Positive Mental Attitude (PMA) is vital when supporting business integrity. With a few edits, here is information taken from a current Harvard Business Review article:
“We are dealing with two contagions — the virus itself and the emotions it generates. Negative emotions are every bit as contagious as the virus, and they’re also toxic. Fatigue, fear, and panic undermine humans’ ability to think clearly and creatively, manage our relationships effectively, focus attention on the right priorities, and make smart, informed choices.”
On top of the prevalent COVID-19 FUD throughout the United States, consider these January 2020 data points:
- 71% of executives say that employee engagement is critical to their company’s success
- 63.3% of companies say retaining employees is actually harder than hiring them
- 69% of employees say they’d work harder if they were better appreciated
Executive teams and their leadership must first ensure their own health and safety. This does not constitute narcissistic behavior. If leaders don’t take care of themselves first, they significantly diminish their ability to effectively lead and care for their employees and associated third-party individuals. Do not assume employees, contractors, vendors, customers and investors are receiving, or already have, the same information throughout a pandemic crisis. Mitigate this problem and minimize the FUD by doing the following:
- When providing pandemic guidance to employees, contractors, vendors, customers and investors, ensure the content comes from trusted and pre-validated sources, such as https://www.CDC.gov.
- Provide on-going business management updates to people whenever there are well-defined changes in workflows, job retention, leadership, or risk mitigation requirements.
- Use whatever multi-media technologies are available to communicate updates. There are no set rules about which technology to use, as all businesses are different.
- Updates must be given by an individual on the executive team who is accountable and responsible for the position. Preference should be given to an executive who has wide operational knowledge of the business.
- When presenting company updates via video, audio, or both, the leader giving the update should have a well-written script and should rehearse it prior to “go time.”
- The scripted update is a “live document” and will always change. Be prepared to make changes accordingly.
- Keep content open, honest and trustworthy. This will be appreciated by all stakeholders.
- On a regional and/or local basis, identify those healthcare providers that support mental and physical health services. Call on them as needed.
- Note: It costs more money to hire new employees than to retain existing ones. Be a hero to your people, make the tough decisions and keep the needle moving forward!
Business Actions Now
- Assume 80% of revenues come from 20% of customers. Identify who these customers are and maintain focus with communications as stated above.
- Identify all Key Decision Makers (KDMs) in the business. Ensure each KDM has a backup person who can assume the role with full accountability and responsibility.
- Identify the most vital business processes that maintain customer service integrity.
- Identify and ensure there are adequate human and technical resources (KDMs) to support vital business processes.
- Identify the most vital business technologies that support the top 20% of customers.
- Identify and ensure there are adequate human and technical resources (KDMs) to support these technologies.
- Today’s gold rush is the theft of business data and Intellectual Property (IP). Identify where the business’s most vital data and/or intellectual property resides within your business’s infrastructure.
- Identify and ensure the business’s “gold mine of data” is securely accessed and managed by an assigned KDM.
- Review all customer-focused third-party contracts and Service Level Agreements (SLAs) for possible legal ramifications.
All businesses provide a product, a service, or both to key customers. When these products and/or services become unavailable to the customer base, they can have an immediate and direct impact on customers’ financials. If the product/service company has done very little or nothing to prepare for a business-impacting event, customers may leverage existing contracts and/or SLA agreements to recoup financial losses. This business interaction increases out-of-pocket legal expenses, including any and all possible financial reparations back to the customer base.
Review and identify all products and services from third-party vendors that are vital to maintaining day-to-day operations. Ensure these vendors can supply the business with needed products and services for a minimum of sixty (60) business days.
About Internal Business Risk
From a business risk mitigation perspective, there are three (3) types of business risk. They are:
- Inherent risk is risk that resides within the business from existing business processes, the implementation of various technologies, or a combination of the two that supports operations. Inherent risk can also be incurred through a Merger & Acquisition (M&A) process. This type of risk could be known or unknown to individuals. The ability to alter or mitigate inherent risk begins with an enterprise-wide business risk assessment.
- Residual risk is risk that is known within the business after an enterprise-wide business risk assessment. Depending upon the risk culture within the business, plus the financial cost to mitigate the known risk, residual risk is the type and amount of risk accepted within business operations.
- Transferred risk is risk that is transferred to a third party outside the operational boundaries of the business. This risk is usually created through third-party contracts. Examples of transferred risk are cyber security insurance and business liability insurance.
Businesses normally have a mixed risk combination. How this is managed internally depends upon the level of risk accepted and whether the company culture is more or less risk averse.
Cyber Security Actions Now
First and foremost, a cyber security program in today’s business environment must be accepted as a strategic business deliverable. Developing the business’s cyber security program from a top-down approach is highly recommended.
Business owners today are quickly realizing that COVID-19 has no boundaries and affects all people and markets on a global scale. Just as COVID-19 gains traction through community spread, so does digital information transmitted around the global Internet through interconnected societies.
People have become connected through digital devices on a per-Internet-address basis. Today there are at least 4.3 billion internet addresses being used to connect people and businesses. Expect this number to become ten-fold with the acceptance of the Internet of Things (IoT). These technical connections allow multi-media communications to take place anywhere, any place, at any time. For every assigned Internet address, assume a hacker has an interest in attacking that address to gain access into key company systems. Meaning, increasing the number of internet addresses assigned to the business also increases the chances of getting hacked from the outside in.
The COVID-19 pandemic is prime time for hackers to catch business owners and their employees off guard. With significant focus on financially surviving the pandemic, hackers know business resources are being diminished while security takes a back seat to “other” pressing issues. Now is the time for business owners to not let their cybersecurity guard down!
At a minimum each business must perform the identification work effort to support cyber security initiatives. Specific personnel must have internal knowledge about the following:
- Who are the most vital people required to support vital products and/or services for customers?
- Who are the most vital people required to secure the enterprise-wide infrastructure?
- What are the most vital business processes that support key revenues?
- What are the most vital products and/or services that drive key revenues?
- What are the most vital technologies that support key revenues?
A primary objective in securing the business is to not allow hackers to penetrate vital systems and processes through phishing attacks, spam email, cross-site injection attacks, brute-force methods, or social engineering. All individuals associated with the business, including physical and virtual internet addresses, are considered a target. Once the business has performed the work to identify everything listed above, then it’s time to learn the following:
- Who has full accountability and responsibility to the “keys to the kingdom?” Meaning, who inside the business has direct access to vital business data and IP?
- How are vital business data and IP accessed?
- How often is this data and IP accessed and why?
The three line items above focus on Identity and Access Management (IAM). Managing IAM is absolutely necessary when securing the business’s “digital gold.”
Business resilience and cyber security are no longer “solely” based upon the financial costs and technical capabilities of the IT department. Becoming a business-resilient and cyber-secure company requires a top-down, business-driven strategy touching all departments in the company.
Being a business-resilient and cyber-secure company carries significant intrinsic financial value for the business. Company leadership must begin viewing enterprise risk management as an investment, not a cost.
This white paper will guide those businesses searching for help and direction during and after the COVID-19 global pandemic. When the light appears at the end of this COVID-19 pandemic tunnel, we as humans can look back and think “wow, look what we have learned.” Though this document is not all-inclusive, each business leadership team can leverage this information and determine for themselves the work required to become a business-resilient and cyber-secure enterprise.
James M. Myers