As businesses start to re-open, they must determine which operations to keep idle, which to adjust and which new ones to introduce. At all times, the health and safety of employees and customers is paramount. Companies must proceed slowly and cautiously despite ongoing economic difficulty. This report outlines guidelines to consider and steps for how to proceed.
The security team for a technology company is planning its back-to-work strategy after the COVID-19 shutdown and wants to ensure it follows best practices. Specifically, the team asks:
- What should we take into account when developing our plan?
- What areas should be considered (physical space, IT/security support, helpdesk, etc.)?
- What sources should we look to for phased plans?
Assumptions and Disclaimers
While governmental guidance is available, it is sparse, simplistic and difficult to apply. Organizations must change their business-as-usual practices to re-open in a risk-balanced way – considering physical space, business operations and technologies. It is not possible to provide a one-size-fits-all set of advice.
Also, the following will not support a goal of maximizing profits and may incur significant disruptive costs. However, based on what we currently believe to be true about COVID-19, it’s possible to strike a reasonable balance for the near future.
What Must Change
Business practices will have to change to deal with the following:
- Asymptomatic carriers: The likelihood that transmission involves undetectable highly virulent carriers greatly changes how some organizations can be structured. Any business model that requires large numbers of people working closely together will not be sustainable. Call centers and open floor plans are just as risky as concerts and conferences.
- Transmission over time: The likelihood that transmission increases when people work closely together for long periods of time will force changes to many common one-on-one practices, ranging from close relationships such as pair programming and mentoring to more mainstream small group meetings like sales, planning and board meetings.
- Surface transmission: While its applicability to COVID-19 is doubted by some researchers, we know the norovirus spreads easily through shared objects – such as utensils at a buffet, condiment containers, etc. Many organizations are considering closing all breakrooms and removing/blocking off shared objects like water coolers and soda fountains.
- Surface contamination: Workers must be trained on how to safely use existing technologies, such as elevators and doors, to avoid surface contamination. Simple measures like installing auto-openers on all doors and moving from contact-based to contactless access cards can greatly decrease potential areas of contamination. However, such changes take time. Until they are ready, training users to open doors with disposable paper towels and to press elevator keys with the sides of their access cards, along with over-stocking the area with hand sanitizer and the bathrooms with soap, can buy the time needed to improve accessibility everywhere.
- Revised timelines and expectations: A review of past pandemics and future models strongly suggests this will not be the only re-opening we will have to deal with. As workers move between different modes of work – working from home, socially distant working, remote meetings via technology, etc. – the cost of context change will grow more than we’ve seen before. As a result, timelines will need to extend and expectations of both quality and timeliness of work will need to shift.
What Must Stop Completely
Some common practices will have to cease altogether. The following are simply untenable for the near future:
- Large conferences
- Flying on airplanes
- The use of gyms, including private office amenities
- Lunch meetings at restaurants
- After-office events at bars
- Hosting clients and prospects at sports games
New Practices/Suggestions for Re-Opening
Concrete steps companies can take to protect people and the business as a whole include:
1. Establish a Cross-Functional Re-Opening Team
Each part of the organization is impacted by the re-opening plan, so a cross-functional team to create one must include representation from each major group – operations, finance, legal and human resources, for example.
2. Survey Workers
Employee attitudes will define morale for the organization as a whole and must be taken into account. Ensure any surveys used are confidential.
3. Plan for Testing – and Positives
Consider what your plans will be for individuals who test positive, whether you are running the tests yourselves or relying on third-party tests. It is statistically likely a significant fraction of your workforce will – at some point – test positive, so a plan must be in place to address such concerns.
4. Consider Biological Metrics
Existing thermal imaging technology does not work reliably, so a reliable temperature monitoring plan would also require trained staff to administer the thermometers. This slows the process and raises two issues: compensating workers as they stand in line, and reducing the risk to the workers in line through complex social distancing measures.
Consider setting up a process by which medical professionals take people’s temperatures, measure their oxygen concentration levels and track the data over time by semi-anonymized worker ID. Ensure the data is well protected and the medical professionals do their screening before allowing the workers to join with others. Typically, this approach means using staggered shift start and stop times, with additional compensation being paid for 15-30 minutes of waiting time for each person on each shift.
5. Revisit Policies and Procedures
It is likely several policies and procedures do not fully consider the impact of the pandemic on the organization. This deficiency is most likely to impact your visitor management process, disaster recovery (DR), business continuity (BC) planning, worker sanctions and diversity training. Each of these will need to be adjusted to consider how individuals are to be protected from one another, what steps should be taken if someone tests positive and what to do when individuals are unavailable – in quarantine, in recovery or in the ICU.
It may also be necessary to revise your sick time policy. With COVID-19 having a poorly understood recovery trajectory, some individuals may recover in a matter of days while others can take several weeks before they are able to work again. Also, revisit any short-term disability policies you may have in place and consider unilaterally expanding them to cover the entire workforce.
6. Implement New Protection and Sanitation Procedures
While many organizations are creating mask policies, this situation requires more than a simplistic “all workers must wear masks” approach. Some workers will be at more risk than others. Other workers may be unable to wear masks due to health issues of their own. Review each job role to identify where workers may be “trapped” and unable to remain six feet away from others. Such roles may involve individuals at reception, as well as those in call centers or shared office spaces. While efforts should be taken to ensure no individuals are trapped, where it is unavoidable, additional thought should be placed around signage, additional sanitation processes, the availability of different types of masks and clear and repeated instruction about how masks are to be worn, removed, cleaned, etc.
Whether sanitation is provided directly or through a janitorial company, it is also important that high-use areas be sanitized on a regular basis – even multiple times per day – and that those doing the cleaning follow the CDC’s recommendations and use EPA-approved cleaners. For example, the following may require cleaning once per hour:
- High-touch surfaces: tables, counters, desks, doorknobs, light switches and handles.
- High-touch technologies: phones, mobile phones, keyboards, mice and all touchscreens.
Hand sanitizer should also be placed in close proximity to these areas, and workers should be instructed to sanitize their hands before and after touching common surfaces.
Even though the office is open, some individuals may not feel comfortable returning. Where possible, it is best to continue remote work capabilities. Some people may have health risks they aren’t comfortable disclosing. Others may have to remain home to care for children or at-risk adults. There are numerous scenarios in which a request to continue to work remotely may be reasonable and valid.
In general, a well-designed information security program will function just as well whether workers are on-site or working remotely. Whether working in a traditional model with VPNs or a modern zero-trust model, the threats, vulnerabilities, likelihoods and risks are generally comparable, so long as the processes in place continue to function. However, in a pandemic where some workers are semi-permanently remote, others are mostly in the office, and still others move between the office and home depending on circumstances, it can be hard to keep the two modes from blending. If you have one work-from-home security strategy and a different on-site security strategy, you must prepare for increased demand from remote workers for the ease of access they experience in the office. Moreover, you must prepare for increased demand from on-site workers to have tools that are as easy to use as the consumer-focused tools they are growing accustomed to using when working remotely.
If the success of an organization depends on the well-being of its people, it is important to understand how people respond to stress and build systems to both assuage generalized concern and address spikes. Developing contracts with contact-tracing firms and testing companies will help assure your people that you have a solid plan for monitoring and responding to any COVID-19 outbreaks that might impact them. Similarly, creating plans to shut the organization down again when outbreaks happen that meet specific criteria – such as the region’s number of people diagnosed in a week, number of weekly deaths or proximity of hotspots – can go a long way to both protect and assure your people that you are working in their best interest.
Any views or opinions presented in this document are solely those of the Faculty and do not necessarily represent the views and opinions of IANS. Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our written reports, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by the client in connection with such information, opinions, or advice.