Q&A: Security’s Role During Pandemic Response
From supply chains to international travel to staffing availability, the COVID-19 pandemic is affecting many facets of businesses’ day-to-day activities and long-term goals.
To learn more about how the coronavirus pandemic is affecting business continuity and security professionals’ mission, Security Management connected with Scott Stewart, vice president of tactical analysis at Stratfor, to discuss emerging risks, trends, and opportunities for security professionals to step up. Stewart (pictured right) supervises Stratfor’s analysis of terrorism and security issues, and he is a regular contributor to leading media outlets on matters of security.
For additional resources and news around the pandemic, please visit the ASIS Disease Outbreak Security Resources page.
The following discussion has been lightly edited for clarity.
SM: How have recent travel restrictions related to the coronavirus pandemic changed security outlooks or business continuity plans?
Stewart: I would hope that after the 2009 H1N1 pandemic and disruptive outbreaks—such as SARS and MERS—most businesses and organizations already had accounted for pandemics in their contingency plans. For those that did, this will be an excellent opportunity to test and then improve on those contingency plans going forward. I have seen other companies that did not plan for pandemics that are working to adjust other contingency plans, such as hurricane, earthquake, or blizzard plans to help cope with COVID-19. Those organizations and companies that did not have contingency plans will certainly learn the importance of such plans through the steep learning curve they are now experiencing.
An important principle regarding contingency plans is that while they are a critically important guideline, they must be flexible so that they can adapt to changing circumstances. I am sure that many companies with pandemic plans are adjusting to the recent travel restrictions in stride.
SM: How is that expected to change in the coming weeks or months?
Stewart: That will depend a lot on what country we are talking about and where they are at in their COVID-19 cycle. The countries in the first wave—like China, South Korea, Italy, and Iran—will hit their plateaus and begin to recover before countries that have been impacted later.
We expect the second wave of countries—such as Germany, Spain, France, and the United Kingdom—to follow course and impose more severe travel restrictions over the next week.
Countries like Brazil and Egypt have introduced viral footholds in South America and Africa—two regions of the world that have not seen severe spreading up to now but could in the coming weeks. In the United States, national, state, and local authorities are introducing restrictions and preparing for cases to increase by several orders of magnitude from the current level of 1,600. Organizations operating in these second wave countries should anticipate additional restrictions on movement over the coming days as the number of cases continues to rise.
Next are countries that are seeing week-on-week growth rates between 100 and 500 percent and cases in the low double digits. These are more likely one to two weeks out from a major outbreak. Many of these countries, like Japan and Malaysia, have managed to maintain lower growth rates through aggressive screening, testing, and travel restrictions. Containment in these countries is still possible, and leaders there could choose to preemptively adopt some of the more drastic restrictions on external and internal movement to avoid the crisis situations that have emerged or are emerging in the first and second wave countries.
These countries warrant daily monitoring to watch for increases in the rate of growth and/or additional government restrictions on the movement or gathering of people.
Finally, there are countries that have confirmed cases but have seen low week-on-week growth or confirmed cases in the single digits, and countries that have not yet confirmed cases. At this rate, we have to assume that virtually every country in the world is going to have cases of COVID-19 eventually. Many will only see isolated incidents, but given the fluidity of the situation, it could quickly elevate to a serious problem in a matter of weeks, if not days. These are countries to monitor on a weekly basis for increased rates of growth or preemptive government responses that would restrict the movement and gathering of people.
SM: What does this mean for security and business continuity professionals?
Stewart: It means that we are going to face significant challenges, and in the face of these challenges we must remain flexible and creative as we seek to find solutions to problems. We must also continue to be a calming force.
COVID-19 is serious and bad—but it is not the zombie apocalypse. We need to help our corporate or organizational leadership take reasonable precautions but help keep them from panicking. This is a time for security and business continuity professionals to demonstrate our value and the critical nature of our work. It is also an opportunity for us to underscore the importance of contingency planning—a topic we often struggle to get leadership to pay attention to.
SM: How can security serve as a calming force during the pandemic? How can security and business continuity professionals demonstrate the value of their work during this time?
Stewart: First of all, just by our demeanor and presence. We should model the calm ourselves. We should also be reassuring: Yes, this is a problem, but we will get through it.
Obviously, the best way to show value is to already have a crisis plan in place for a pandemic that is now being implemented. If that is not the case, the best way is to demonstrate that we are creative and flexible solution providers, even if we have to move outside of our normal area of responsibility and take care of some non-traditional security duties. Our ability to take action and provide solutions during a crisis will be remembered.
SM: What are some of the tangential risks that organizations face as a result of the pandemic (i.e. staffing shortages, loss prevention challenges, data security with remote workforces, etc)?
Stewart: I think you've hit most of the major ones. Supply chain disruption is also huge. In addition to data security due to a remote workforce, working remotely may also increase the chances of companies falling victim of business email compromise scams as more business will be conducted over email. We have also seen a lot of phishing scams involving COVID-19 topics to drive people to websites containing malware or to open attachments containing malware.
SM: What other opportunistic attacks—such as phishing scams—have you seen around COVID-19 so far?
Stewart: There have been phishing emails circulating, claiming to have a link to the Johns Hopkins information website that in fact take victims to a site where malware is delivered. I've also seen reports estimating that some 10 percent of the COVID-19 registered websites contain malware.
CYBER SECURITY ALERT: A malicious website pretending to be the live map for Coronavirus COVID-19 Global Cases by Johns Hopkins University is circulating on the internet, visiting the website infects the user with the AZORult trojan. The legitimate link is: https://t.co/5asuZ1keJG pic.twitter.com/Ye7u8or62r
— NC National Guard (@NCNationalGuard) March 12, 2020
SM: What are some of the broader security considerations that security professionals need to consider outside of the pandemic during this time? For example, has the threat of civil unrest changed in the midst of the health crisis?
Stewart: Vacant offices can provide bad actors an opportunity to steal company property or even intellectual property. I think in many ways the fear of crowds will help to keep civil unrest down in the immediate future, but in the long run, we might see an increase in civil unrest in some countries (like Iran) due to their anger over how the pandemic was handled.
SM: You mentioned vacant offices as a security risk, particularly for asset or intellectual property theft—how can security professionals address this threat without unnecessarily placing personnel at risk?
Stewart: First, educate employees about the clean desk policy and ensure that all important information is secured before they leave the office to work from home. Secondly, do a sweep of areas where sensitive work is done or material stored to ensure there is nothing laying around. Do the same thing for valuable assets. Third, maintain a presence to protect against black bag jobs or office intruders.
SM: What should security or BC professionals be documenting during the current pandemic response for better after-action assessments or revising procedures after the outbreak?
Stewart: Keep a detailed log of activities that includes both problems encountered and solutions to those problems, as well as suggestions on how to do it better next time. It is also critical to take notes of places where the crisis plan was wrong and needed to be adjusted—plans always need to be adjusted, and the lessons learned from this crisis may help hone other crisis plans.
I would also strongly suggest doing a formal after-action review of the crisis plan when this is over and done with.