What your business can do about the coronavirus … right now

Credit to Author: Mike Elgan| Date: Fri, 13 Mar 2020 11:14:00 -0700

If you watch the news, you can be forgiven for feeling like the coronavirus pandemic is more or less a zombie apocalypse event — or about hoarding toilet paper.

Reality check: You, personally, will probably get the coronavirus at some point in your life, possibly this year. Probability is on your side: For most healthy adults under 60, the experience of getting Covid-19 is not that bad, doesn’t last that long and ends in full recovery.

Unfortunately, the prognosis for your organization is not so rosy. Unless you take action right now, your company is the walking dead.

I told you last week what you need to do now to protect your organization from catastrophe resulting from the coronavirus, officially called Covid-19.

In this fast-moving story, new facts have come to light which inform your organizational and professional response to the crisis.

The World Health Organization has declared Covid-19 a full-blown pandemic, which means it’s a crisis-level disease outbreak in multiple countries. In fact, it’s a “black swan” event, an extremely rare and unexpected occurrence that has major consequences for just about everybody.

Covid-19 is similar to past zoonotic coronaviruses, including SARS. It’s less lethal than SARS, but spreads more easily. The death rate is under 2 percent, and for people under the age of 60 under 1 percent.

The coronavirus will probably be with us for many years or decades, and will become seasonally cyclical, with the number of cases rising in winter each year.

The main reason for the widely applied containment strategies of canceling flights, closing borders and postponing or virtualizing conferences, is to slow the rate at which people contract it to avoid overtaxing hospitals. At some point, most people will get the coronavirus and recover from it, as they do with the flu. The potential disaster everyone is trying to avoid is for everybody to get it at the same time.

Because an expected mismatch between the possible number of patients and the actual number of hospital beds, markets are crashing, events and business trips are being canceled and the economy is probably going into recession.

To slow the contagion, we’re told, the remedy is containment and social distancing — basically keeping people away from each other (as well as avoiding human physical contact and washing hands).

And that’s a business problem. Business is usually conducted by bringing people together, not keeping them apart. People come to work, have meetings, travel to meet with clients, attend trade conferences and purposefully interact with each other to forward the interests of the organization.

So there’s your number-one priority in the foreseeable future: Keep your business alive while keeping your people apart.

But how?

Data security is going to get harder before it gets easier. The coronavirus crisis impacts organizational security in three ways, one good and two bad:

Cybercriminals are seizing the opportunity to exploit nervous victims during the crisis. New coronavirus-related phishing attacks and other social engineering attacks have sprung up overnight.

Reason Labs, for example, has discovered malware that offers a “Coronavirus map,” which arrives in the form of a malicious application that does display a convincing map, but also installs a binary called “AZORult” that steals cookies, passwords and other data, and can also download other malware. This is just one early example. There will be many more.

When we think about enterprise risk management (ERM) — which is the planning ahead part — or enterprise crisis management — the actions you take during a crisis — we assume a unique crisis — something that affects our own organization or region, such as a catastrophic breech, ransomware attack or natural disaster.

What’s different about the coronavirus crisis is that it’s affecting all organizations. Why does that matter? Mainly, it adds additional unpredictability that you may not have accounted for in your ERM planning.

How will pressure on investors affect executive decision-making? How will recession-driven layoffs affect your ability to execute? How will changes or problems among suppliers and the supply chain affect your business. What is the impact among employees and contractors who cannot work remotely?

The essential character of this crisis is: unpredictability.

Here are the absolute minimum steps you and your organization need to take immediately to manage this massively unpredictable crisis:

Your crisis management response must take priority and be tackled immediately.

One unfortunate and inevitable sideshow in the crisis is disinformation. State-sponsored disinformation campaigns from the Chinese and Russian governments are already trying to cast doubt or blame for the origins of the virus. (The origins are rural wet markets in China where live wild animals and domesticated animals share pathogens in unsanitary conditions; the leading state-sponsored disinformation falsely says the U.S .government created the coronavirus in a military lab. And, of course, there are many other false narratives.)

The more immediately damaging disinformation is hoaxes and social engineering hacks that try to lure people into clicking or downloading malicious payloads. Mass emails promising coronavirus cures or coronavirus tax breaks and other financial relief are circulating. Other malicious emails claim to come from the World Health Organization or the U.S. Centres for Disease Control and Prevention offering either cures or asking for donations have also emerged.

It’s important to send out frequent, or even daily, messages exposing these frauds and reminding employees about the nature of email phishing attacks.

The biggest mistake for remote work policies is failing to create a formal agreement with stay-at-home employees. This is the only lever organizations have over the behavioral part of the remote-work equation.

The policy should cover eligibility, the approval process, the conditions for termination of the agreement, description or list of the required tools for communication (include who, specifically, owns each tool) and other aspects of work, performance metrics, schedule expectations, sick-leave and vacation limitations and rules, allowable expenses, security, privacy and confidentiality practices, liability for injury or equipment damage, tech support and troubleshooting procedures, points of contact for management, tech support, security and other issues as well as a complete set of applicable laws, legal assurances and regulatory compliance requirements.

The communication around remote work should begin with a well-crafted and comprehensive remote work policy and agreement, with frequent updates and reminders based on what happens in real life as large numbers of employees work remotely full time.

If you take anything from this column, please take this: Speed is everything. Act now. Get buy-in from your organization’s leadership. Over-communicate. And make sure your related policies are air-tight and comprehensive.

In the long run, the public, the government, the economy and you, personally, will almost certainly be fine. But your organization’s survival depends on what you and your colleagues do in the coming days and weeks.

If you watch the news, you can be forgiven for feeling like the coronavirus pandemic is more or less a zombie apocalypse event — or about hoarding toilet paper.

Reality check: You, personally, will probably get the coronavirus at some point in your life, possibly this year. Probability is on your side: For most healthy adults under 60, the experience of getting Covid-19 is not that bad, doesn’t last that long and ends in full recovery.

Unfortunately, the prognosis for your organization is not so rosy. Unless you take action right now, your company is the walking dead.

I told you last week what you need to do now to protect your organization from catastrophe resulting from the coronavirus, officially called Covid-19.

In this fast-moving story, new facts have come to light which inform your organizational and professional response to the crisis.

The World Health Organization has declared Covid-19 a full-blown pandemic, which means it’s a crisis-level disease outbreak in multiple countries. In fact, it’s a “black swan” event, an extremely rare and unexpected occurrence that has major consequences for just about everybody.

Covid-19 is similar to past zoonotic coronaviruses, including SARS. It’s less lethal than SARS, but spreads more easily. The death rate is under 2 percent, and for people under the age of 60 under 1 percent.

The coronavirus will probably be with us for many years or decades, and will become seasonally cyclical, with the number of cases rising in winter each year.

The main reason for the widely applied containment strategies of canceling flights, closing borders and postponing or virtualizing conferences, is to slow the rate at which people contract it to avoid overtaxing hospitals. At some point, most people will get the coronavirus and recover from it, as they do with the flu. The potential disaster everyone is trying to avoid is for everybody to get it at the same time.

Because an expected mismatch between the possible number of patients and the actual number of hospital beds, markets are crashing, events and business trips are being canceled and the economy is probably going into recession.

To slow the contagion, we’re told, the remedy is containment and social distancing — basically keeping people away from each other (as well as avoiding human physical contact and washing hands).

And that’s a business problem. Business is usually conducted by bringing people together, not keeping them apart. People come to work, have meetings, travel to meet with clients, attend trade conferences and purposefully interact with each other to forward the interests of the organization.

So there’s your number-one priority in the foreseeable future: Keep your business alive while keeping your people apart.

But how?

Data security is going to get harder before it gets easier. The coronavirus crisis impacts organizational security in three ways, one good and two bad:

Cybercriminals are seizing the opportunity to exploit nervous victims during the crisis. New coronavirus-related phishing attacks and other social engineering attacks have sprung up overnight.

Reason Labs, for example, has discovered malware that offers a “Coronavirus map,” which arrives in the form of a malicious application that does display a convincing map, but also installs a binary called “AZORult” that steals cookies, passwords and other data, and can also download other malware. This is just one early example. There will be many more.

When we think about enterprise risk management (ERM) — which is the planning ahead part — or enterprise crisis management — the actions you take during a crisis — we assume a unique crisis — something that affects our own organization or region, such as a catastrophic breech, ransomware attack or natural disaster.

What’s different about the coronavirus crisis is that it’s affecting all organizations. Why does that matter? Mainly, it adds additional unpredictability that you may not have accounted for in your ERM planning.

How will pressure on investors affect executive decision-making? How will recession-driven layoffs affect your ability to execute? How will changes or problems among suppliers and the supply chain affect your business. What is the impact among employees and contractors who cannot work remotely?

The essential character of this crisis is: unpredictability.

Here are the absolute minimum steps you and your organization need to take immediately to manage this massively unpredictable crisis:

Your crisis management response must take priority and be tackled immediately.

One unfortunate and inevitable sideshow in the crisis is disinformation. State-sponsored disinformation campaigns from the Chinese and Russian governments are already trying to cast doubt or blame for the origins of the virus. (The origins are rural wet markets in China where live wild animals and domesticated animals share pathogens in unsanitary conditions; the leading state-sponsored disinformation falsely says the U.S .government created the coronavirus in a military lab. And, of course, there are many other false narratives.)

The more immediately damaging disinformation is hoaxes and social engineering hacks that try to lure people into clicking or downloading malicious payloads. Mass emails promising coronavirus cures or coronavirus tax breaks and other financial relief are circulating. Other malicious emails claim to come from the World Health Organization or the U.S. Centres for Disease Control and Prevention offering either cures or asking for donations have also emerged.

It’s important to send out frequent, or even daily, messages exposing these frauds and reminding employees about the nature of email phishing attacks.

The biggest mistake for remote work policies is failing to create a formal agreement with stay-at-home employees. This is the only lever organizations have over the behavioral part of the remote-work equation.

The policy should cover eligibility, the approval process, the conditions for termination of the agreement, description or list of the required tools for communication (include who, specifically, owns each tool) and other aspects of work, performance metrics, schedule expectations, sick-leave and vacation limitations and rules, allowable expenses, security, privacy and confidentiality practices, liability for injury or equipment damage, tech support and troubleshooting procedures, points of contact for management, tech support, security and other issues as well as a complete set of applicable laws, legal assurances and regulatory compliance requirements.

The communication around remote work should begin with a well-crafted and comprehensive remote work policy and agreement, with frequent updates and reminders based on what happens in real life as large numbers of employees work remotely full time.

If you take anything from this column, please take this: Speed is everything. Act now. Get buy-in from your organization’s leadership. Over-communicate. And make sure your related policies are air-tight and comprehensive.

In the long run, the public, the government, the economy and you, personally, will almost certainly be fine. But your organization’s survival depends on what you and your colleagues do in the coming days and weeks.

http://www.computerworld.com/category/security/index.rss

Leave a Reply