The realities of COVID-19, including the necessity for social distancing and an unprecedented forced move to remote work, have exposed the glaring gaps in even the best business continuity plans (BCPs). To ensure organizations aren’t left flat-footed in the future, lessons learned from this current situation – including revamped communications plans, remote work policies and more – must be folded into today’s BCPs. COVID-19 caught us a bit off-guard, but now’s the time to address gaps and be better prepared next time, no matter what may come.
The security team works for a financial services company with locations in three states (Kentucky, North Carolina and Georgia). The corporate BCP was built on the assumption that half the workforce may need to work remotely, while the regional call centers would be able to fail over to one another in the event of an emergency. The team never planned to shut down all offices and call centers, but COVID-19 has forced them to move everyone – including the call center staff – to remote work. Now, the team is looking to take what it’s learned and create a BCP that includes a pandemic scenario, with the goal of testing it via a tabletop exercise. Specifically, the team asks:
- What should be included in a pandemic BCP?
- What are best practices?
An Unprecedented Situation
From a business continuity standpoint, we’ve never seen the likes of this pandemic. Even in emergency situations like 9/11, Hurricane Sandy, Y2K, etc., we’ve always been able to come together – physically – when things go wrong. Until this happened, most companies had best practices to follow and could be sure they had a good BCP in place that met every contingency – that is, until this pandemic exposed the glaring gaps in even the best of plans.
Now that most businesses have made a quick transition to remote work, some best practices are starting to emerge. While no plan is perfect and we are only in the transition phase of this current situation, these tips can help inform your planning.
Get an Emergency Management Committee in Place
First and foremost, a critical success factor is to put an emergency management committee in place. It should consist of key domain experts and decision-makers within the organization, and it should have the power to make quick decisions – without having to solicit input across the board. Include representation from:
- Information security
- Marketing (communications)
- Facilities management
This ensures the organization can move more agilely and make changes on the fly as circumstances evolve.
Communicate Well and Often
What we’ve learned to date is that good communication within and outside the company is the most important issue. The emergency committee and leadership committee may meet every day, but everyone inside the company and outside the company must be considered in the communications plan.
Keep Leadership in the Loop
In my organization, which has offices in the U.S. and overseas, we have a call every Tuesday at 8 a.m. PT with every leader and manager in the company. Everyone provides new updates focused on three major issues:
- Helping employees
- Helping our service
- Helping our business
Ensuring we hear from all line managers across the company is important because it lets us hear about issues early and get responses and solutions in place quickly. Usually, this consists of a full business update, an HR update on the health of employees, and then separate updates on the health of the service (development), finance and sales.
It’s also important to keep the lines of communication open within your information security team. Consider choosing a partner within HR who can act as a liaison and communicate health insurance, wellness, payroll and other important information directly to your team, while also providing the team with someone to whom they can voice their pandemic-related concerns.
Push Info to Customers and Prospects
It’s also important to push information out to customers, prospects and partners to let them know you are thinking of them, ready to help, and most importantly, still open for business. Sales may wish to offer new promotional rates to ensure customers know the business is healthy and appreciative of their business. During a pandemic, customers may be worried about your supply chain. It’s important to let them know how your supply chain partners are faring, if there are any issues and how the issues are being addressed.
When communicating with customers, be sure to lead the discussion by asking them what their issues are and how you can help. In terms of sales-driven communications, it’s especially important to tread lightly. Always start by acknowledging the current situation and being empathetic; only when a good rapport is in place should you broach the subject of new business/renewal. It’s difficult to be empathetic in an email, so that’s where you can tap marketing or public relations for help formulating the right tone.
Push Info via Virtual Town Halls
When communicating within the business, it’s a good idea to implement some kind of virtual town hall, where all employees can be on a call and get up-to-the-minute updates from the CEO, emergency management committee and any other relevant part of the organization. Some companies use Zoom or Google Hangouts as the video conferencing platform for this, while others simply use a voice conferencing platform like Open Voice with a good old-fashioned 800 number to dial into. Some also set up webinars via GoToMeeting, etc. Whatever tool(s) the company chooses, ensure information security is included in the decision to assess the platform and specify optimal configurations to keep data secure and private.
Usually, the CEO does most of the talking in the town hall. The idea is to let everyone see the CEO’s face and hear them walk through things, starting with a focus on the health of all employees.
To ensure people can participate, consider letting them post questions via chat. This eliminates the issue of people talking over one another, but still gives everyone a chance to participate and be heard.
Provide a Way to Pull Info via Intranets/FAQ sites
Beyond interactive platforms, it’s also important to have one place where everyone in the company can go to get the latest information. Many companies document everything in a frequently-asked-questions (FAQ) intranet site that includes:
- All business continuity information, including every informative email sent to the organization.
- Work from home tips, e.g., how to exercise, virtually visit places, keep children occupied, etc.
- Health news, including how to access the latest guidance from the Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO).
- Tips to prevent opportunistic attacks. At times like the current pandemic, attackers know people are vulnerable, so it’s important to communicate that and educate people on what to watch for (for more on this, see the IANS report COVID-19 Phishing Examples and Guidance).
Also, be sure to send appreciation emails to assure people that leadership knows how hard everyone is working and how appreciative they are for everyone pulling together to make things work.
Provide Outlets for Employees
Another key part of communications is ensuring employees can easily communicate with one another, not just about business issues, but about their lives and how they’re coping. This can be especially important for information security teams whose members may be reticent to communicate such issues in standard team meetings, but may be more comfortable opening up in less formal settings.
Some companies set up virtual happy hours, where different functional groups or divisions set up their own video conferences at the end of the week, for example, just to touch base. People put their pets on camera, photos of their workspace, etc. The point is to make it work like an actual happy hour. It’s not about work; it’s about fostering a human connection.
Practicalities to Address
In times of stress like a pandemic, most people need leadership to be as prescriptive as possible, especially about when offices need to close and also, further down the road, when they can open again. Sometimes it’s helpful to set arbitrary dates. For example, state something like: “We will continue 100 percent remote work until at least June 1, at which time we will reassess the situation and determine next steps.” People like having definitive information like that.
Other practical issues to address within your pandemic BCP include:
- Cleaning: Ensure you have some kind of deep cleaning scheduled for each location after on-site work ends and then again before it begins.
- Physical mail: Ensure there’s a method for sanitizing, collecting and forwarding it logistically.
- Equipment: Create easy-to-follow instructions for packing up workstations or other necessary equipment, transporting it home and getting it up and running on a home network.
- Printing: Determine who needs to print at home. Many times, organizations simply turn off the printing capability when sensitive information is involved.
- Cloud apps and storage: Make sure everyone knows which services are sanctioned and how to use them.
Create a Feedback Loop
When everyone is working remotely, it’s important they continue to provide feedback so that leadership can be apprised of what’s working, what’s not and what needs to change. To this end, many companies create employee surveys designed to uncover issues and ways to make the work-from-home experience better.
For example, a survey may ask:
- How are you staying connected with your work colleagues during this work-from-home period?
- Are you getting the information you need to be productive during this work-from-home period? If not, what additional information is needed?
- What resources would make it easier for you to be successful working from home?
- What else can I as your manager do to support you?
Feedback is also important on the technical side. Specifically within information security, be sure to track key remote work metrics (VPN usage, bandwidth/performance, busy/non-busy hours, etc.) to ensure all systems are operating as expected and to head off issues before they come to the attention of end users.
A big issue to watch for is that there is usually a surge of excitement and productivity at the start of a remote work transition. Soon, however, the newness wears off or people start having issues with setting optimal work/life boundaries. If everyone feels responsible to work round the clock, that can quickly lead to burnout.
It’s important to send the signal that productivity is important, but it doesn’t take precedence over personal life and family. Consider instituting mandatory breaks/lunch hours, where everyone in the company blocks off an hour in the middle of the day to get away from their phone/computer, eat lunch, go for a walk or connect with their family.
Another good idea is to implement “speedy meetings,” where every meeting ends five minutes early. This gives people a much-needed break to ensure they aren’t just racing from meeting to meeting.
At this point, the engagement piece becomes even more important. Leadership should continue with its weekly virtual town halls to ensure people know their jobs are safe and everyone is in this together. This might also be a good time to talk about any charity work/philanthropy the company is doing. Ensuring everyone knows the company truly cares about the world outside the business is critical.
During a pandemic, backups and cross-training are even more critical within your BCP. From top executives to line managers, everyone needs a backup. If they get sick, who is next in line? And then, who is after that? Focus on information security, engineering and sales, which can be especially difficult.
Also, be sure to have fallbacks by office and region. If one area goes down, how can you cross-train to ensure another region can pick up the slack? And how can you cross-train when everyone is working remotely?
A large issue to address, and one that few organizations have tackled outside of China, is how to roll back everything once the mandates for social distancing and remote work are lifted. Just as the move to remote work happened in stages, the rollback to normal will also likely happen in fits and starts. True normal likely won’t happen until the world has a COVID-19 vaccine or cure in place, and that timeline is uncertain at best. Now is the time to start planning for back-to-work contingencies.
Some companies in China, for example, are already at this stage. They are experimenting with ways to bring employees back to a physical work location while keeping some social distancing practices in place. For example, some are dividing their work shifts into five separate groups, with each group (one-fifth of the shift) coming to work on a specific day. Group 1 works Monday, Group 2 works Tuesday, etc. Others are installing infrared fever detectors at all physical entrances, administering on-demand virus tests and providing gloves/masks to employees who want them.
The good news here is that this move can be handled in stages as the situation on the ground warrants it, which is an easier task than the fast move to remote work most companies experienced at the outset of the pandemic.
To date, few organizations have best practices in place for creating a BCP that addresses a wide-scale pandemic like COVID-19. It’s a unique (to date) situation, and many organizations are learning on the fly. It’s critical, however, to document what works and what doesn’t, and then incorporate the best practices and processes into the BCP for the future.
There could be other black swan events (e.g., chemical warfare, cyberwarfare, etc.), and the hope is that the plan to address them can be similar. COVID-19 caught us a bit off-guard, but now’s the time to address gaps and be better prepared next time, no matter what may come. For more on this, see the IANS Black Swan Business Continuity Checklist.