As the novel coronavirus (which causes COVID-19) continues to spread around the world, businesses must do what they can to prepare for absent staff and possible periods of enforced closure.
In general, it’s vital that companies of all sizes and types draft a distinct crisis response plan because existing disaster recovery plans or business continuity plans might not suffice.
The Centers for Disease Control (CDC) offers various resources to help businesses and employers plan responses to a pandemic of any kind, and the World Health Organization (WHO) publishes daily situation reports on the novel coronavirus detailing its global impact by nation.
However, crafting an effective strategy when it comes to crisis response means also thinking about IT infrastructure, secure remote working and clear communication to ensure everyone is kept abreast of the latest developments. Staff must be trained, and the groundwork must be laid quickly to ensure the best chance of mitigating the impact.
As a veteran of IT consultancy with more than two decades of experience advising companies on effective cybersecurity strategies and how to assess different technologies, I know how important it is to create a thorough plan. Here are some practical tips on drawing up your own crisis response plan.
The first thing you need to do is to pick a small team to be responsible for crafting your plan and keeping it up to date.
You’ll want department heads to be involved alongside representatives from each corner of your business, from HR to finance. Technical questions are sure to arise, so be sure to include IT and other technical experts.
Leadership should consult with all key stakeholders in the business and work closely with information security professionals to develop policies that minimize disruption but ensure data security is maintained and regulatory requirements are observed.
Depending on the nature of your business, leaders may also need to consult contractors and other third-parties essential to the smooth running of your company. Make the provision for alternates in case leaders fall ill or are otherwise unable to carry out their roles.
When drawing up policies to cope with a crisis and the different levels of response that may be required, planners should consider how to keep critical company functions going. What’s considered critical may differ from business to business, but some questions are universal:
It’s important to work out contingencies for different scenarios. If people are going to be absent for long periods and unable to work, will the government assist with paid sick leave? If people are at home but able to work, they’ll need the right equipment and secure access via a virtual private network (VPN) or zero trust remote access. With workspaces and applications moving to the cloud, desktop virtualization (VDI) is poised to become a strategic initiative in the workspace.
Make provisions to protect employees who must come into work for critical tasks, and work out what you can afford to discontinue. Ensure endpoint licenses cover employees both as on-site and remote workers (i.e., endpoint security, encryption, filtering, etc.).
Communication channels are paramount here, so establish a system to disseminate the latest information. A central webpage with the latest news, regular emails and text messages, and a clear list of contacts is a solid foundation, but you may also want to consider a crisis management mobile app that has gone through rigorous vulnerability testing. For customer-facing businesses, social media channels are a good way to keep customers informed.
Understanding key personnel for every business-critical function and ensuring their usual responsibilities can be taken on by replacements is very important. This may require significant training and documentation.
Having a clear plan with step-by-step instructions they can refer to in different situations is a great way to reduce stress for your employees. It’s also vital to maintain your usual cybersecurity hygiene. Remind your employees that everyone is part of the cybersecurity team and that no one is immune to attacks (e.g., vishing, phishing and possibly smishing).
You’ll need to make time to allow employees to train up for role cover and to familiarize themselves with the procedures should the worst happen. While it’s not practical to ensure they are versed in the details of every plan, they must be clear on where to turn for instructions and real-time information.
Thankfully, it’s relatively easy nowadays to facilitate telecommuting for many roles. Consider how to secure remote workers with VPN services or zero trust remote access. Plan for the increased demand on bandwidth, and make sure employees have the hardware they need at home in terms of laptops, desktops and the necessary software. Switch to video conferencing for meetings whenever possible, and make sure you have tools for easy document sharing and communication online.
In setting up remote working capability where possible, you should also identify the tasks that cannot be completed remotely and prioritize them so that whatever staff is available on-site can focus on the most important things.
No plan is truly trustworthy until you test it. Create exercises suitable for testing out your processes, and identify any problem areas that require further thought. Build in a regular review process so that your plan is continually updated to account for changes in personnel and business systems. It may also be necessary to create a process for assessing and allowing exceptions to your plan in certain circumstances.
Crises are inevitable, so planning for the worst is a sensible precaution to take to reduce the potential negative impact on your business.