Security Think Tank: To tackle Covid-19, be prepared, flexible and resilient
In our globalised world, high-profile events such as Covid-19 have huge business impacts, some of which may be felt by CISOs. What responsibilities do security professionals have in such circumstances? Written by Dan Norman, Research Analyst, ISF
The coronavirus pandemic is now nothing short of a humanitarian crisis. Healthcare systems are buckling as thousands more people become infected, governments and policy-makers rush to respond, and world trade comes to a grinding halt.
The impact and disruption the virus is having on businesses is unprecedented, creating significant challenges for supply chain management, business continuity and risk management. In the face of the worst global crisis in recent memory, security professionals need to be proactive.
A flexible, prepared and resilient security function, like other elements of the business, will be required to withstand the stress the coronavirus is causing. The security function must take the following actions:
Scenario plan, threat model and run exercises
“Pure risk” or force majeure events divide security professionals. Is a pandemic an information or cyber risk? In short, yes. If the availability of information is threatened then security professionals need to prepare.
Organisations that scenario plan, threat model and understand their risk landscape will be better prepared for the impact of a pandemic. Those that run table-top exercises to formulate response plans, business continuity arrangements and crisis management procedures will be in a stronger position.
Work closely with HR and comms to manage panic and risk tolerance
The stress induced during times of crisis can compel individuals to act differently, causing them to take risks they wouldn’t normally or disregard security risks. Coupled with misinformation spreading online, the panic induced by the coronavirus will have a significant impact on personal lives, disrupting schools, travel arrangements and holidays.
Risk perception of traditional security threats will be devalued in the face of a real threat to life, meaning that organisations are likely to experience a number of security incidents from their employees making more mistakes, trusting phishing emails or being less aware of other threats.