The COVID-19 pandemic has sent us all scrambling to ensure we protect our most valuable assets, which include ourselves, our families and our team members. By now most organizations have dusted off their business continuity plans (BCP) and have started execution. Others are trying to update their plan; still others are just trying to create one. Given the many precautions relating to COVID-19 and the possibility of some countries declaring a national disaster and prohibiting the movement of people, many employers are now contemplating how they can effectively facilitate their employees working remotely (work from home).
Understanding the Risks
While it is important to continue to turn the wheels of productivity, businesses have an obligation, especially in a time of crisis, to do so responsibly. It is important therefore that businesses be prudent in their decision-making processes and assess the implications of any change in strategy. Before implementing a strategy for employees to work remotely, businesses should consider the following:
What are the services that are critical to your operations?
What processes are important for the services to be effective?
Who are the people that are important to the process and service?
Can the services be offered remotely? (Cloud, VPN, Terminal Services, etc.)
Do the employees have devices to access the services remotely, and are these company-owned or personal devices?
If they are personal devices, do they meet your organization’s minimum security requirements?
Do the employees have adequate Internet access?
If services are not in the cloud, can your infrastructure support remote connections?
If remote services are new to your organization, have you taken precautions to ensure that your implementation does not expose your organization and its information assets?
Mitigating the Risk
Ensure that you understand the risks involved and be prepared to mitigate, transfer or accept the risks.
Use qualified practitioners to assist; while this may have cost implications, it may save you in the long run.
Develop a change management strategy with adequate “what if” scenarios.
Identify a “what if” role: the person who will always challenge the strategy. The fact that all persons are saying yes may not always be good, as it could lead to blind spots.
Test remote connections to ensure only what you plan to expose is exposed.
Ensure your Internet bandwidth and speed are adequate for the services.
Implement a “Defense-in-Depth” strategy, as this provides another layer in the control chain should the previous layer be compromised.
Ensure that you consider controls relating to privacy (protection of personally identifiable information).
Protect confidentiality and integrity of the information being offered through the remote services.
Implement a communication and collaboration strategy between team members.
Despite best efforts, controls can and will fail due to errors and other security incidents; ensure that you have a response strategy and plan.
I hope that you find these questions and tips helpful and a good start to your business continuity planning. In the end, however, it is important to remember that while our information assets are important, human lives are more valuable. Let us ensure that we first and foremost secure the health and well-being of our people. Please stay safe and keep others safe by practicing good personal hygiene.
Andrew is a Director with Symptai Consulting Limited, a leader in information security assurance and advisory services. Andrew has responsibility for Efficiency, Growth, Innovation and Disruption. He has over twenty-five (25) years of experience in information systems administration, audit and security assessments.