According to McKinsey & Company, an American management consulting firm that also funds the McKinsey Global Institute research organization, COVID-19 crossed an inflection point last week when new cases reported outside China exceeded those within China for the first time, and as of March 5, more than 56 countries have been impacted, more than 95,000 people infected and at least 3,300 worldwide have died.
McKinsey says the outbreak remains concentrated in four transmission complexes—China (centered in Hubei), East Asia (centered in South Korea and Japan), the Middle East (centered in Iran), and Western Europe (centered in Italy). In total, the most-affected countries represent nearly 40 percent of the global economy. The daily movements of people and the sheer number of personal connections within these transmission complexes make it unlikely that COVID-19 can be contained. Of concern for those across the globe and those in the United States who have counted on U.S. assistance and expertise in battling medical epidemics in the past, cuts by the Trump administration have done little to quell fears. The administration shut down the National Security Council’s global health security unit in 2018, dissolved the Department of Homeland Security’s epidemic response teams and substantially cut the funding of the CDC’s global health section, reducing the number of countries where the CDC worked from 49 to 10.
Be Prepared
The message to senior corporate security and risk officials across the U.S. is clear as the COVID-19 crisis moves beyond lurid cable news headlines to the frontlines of their businesses; you are on your own so batten down the hatches. Of course, many global organizations have been preparing for another global virus outbreak since weathering the Ebola, SARS and Avian Flu epidemics over the last several decades.
Former corporate security executive turned consultant, Russell Law, who recently spoke at the C&E Converged Systems Summit in Atlanta, points out that when organizations assess the effects of the coronavirus outbreak and its impact on global businesses and economies, the far-reaching and significant effects that are specific to security operations depend upon the nature of the organization's core business. Law insists that how an organization’s security team mitigates that risk and ensures the business continuity in a crisis like this must be a top-down proposition.
“The first thing that security really needs to do is talk with the business leaders and understand what their priorities are during this period, because, this is something that could impact all manner of things throughout the supply chain. If your primary business function allows you to have office workers who have the capability of doing things remotely, then you take advantage of that and you let them work remotely if possible. Now, not all businesses, of course, are going to have that luxury. You're going to have some things that need people to be there physically doing their jobs,” says Law. “But this is a time to adhere to your best practices. Pay attention to what the local government is saying. Pay attention to what the local agencies and the global agencies are saying as far as what you need to do. One pitfall that I've observed over the years is that management oftentimes will tell security that we want assurances from our security contract provider, our security services provider, whoever provides our security officers, that in the event that the things really get out of hand that we're going to have assurances that we have officers on duty. Remember, they will be suffering the same effects on staff due to the virus as your own organization. Make sure you have countermeasures in place.”
How to Handle The Moving Parts
McKinsey & Company also stress that setting up a cross-functional COVID-19 response team is important and that companies should nominate a direct report of the CEO to lead the effort and should appoint members from every function and discipline to assist. For many companies, staff will need to assume multiple roles other than their assigned jobs during a virus crisis. The consulting group highlights several organizational tasks that might have commonality when dealing with employee health and welfare issues, financial stress-testing and contingency planning, supply-chain monitoring and rapid response, marketing and sales responses and coordination and communication with relevant constituencies.
“Whenever you're talking about a global operation, you're going to have a lot of moving parts and a lot of interdependencies within the organization. You’re probably going to scale back travel, you're going to have operations that, because of their geographic location, are going to be more impacted more immediately than others will, if those others are ever impacted. So, you are like a field medical team doing a bit of triage to determine where the risk is and where you need to put plans in place,” adds Law, who is a senior security consultant with Gralion Security Consulting and a former corporate security advisor with ExxonMobil Global.
Like Law, Meredith Wilson, the founder and CEO of Emergent Risk International and a former security analyst with ConocoPhillips, notes that every organization is different, and even among companies with well-established security and intelligence functions, the roles can vary markedly. She admits that among her current clients, nearly every security and crisis management group they interact with is consumed with containing and mitigating the coronavirus crisis within their organization.
“They are providing support to business functions as well as most groups having at least one, if not multiple personnel sitting on the Crisis Management - Incident Management Team (IMT), leading and facilitating changes in travel postures – usually in coordination with C-suite personnel and travel groups. Importantly, most are also providing consistent intelligence support, in some companies, around the clock. The amount of information, and misinformation, about the virus and new developments coming out every day is staggering,” laments Wilson. “Sorting fact from fiction and ensuring the best information is available to decision-makers right now is crucial and more than a full-time job by itself. Beyond the information piece, regional security personnel is generally heavily involved in IMT procedures in some form or another. How involved often depends on whether it is a natural disaster, health-related emergency or a security issue. But, when a situation becomes as big as this one has, it’s all hands on deck.”
Communications are Key
When you're looking at the security function for a global enterprise during a crisis, proactive dissemination of information and the effective management of support requests is essential. The execution of these items in a timely manner is critical to fulfilling an organization’s duty of care obligations as a security department. For Law, the communications piece is key because he and his team understand there are going be myriad questions from employees and those questions are going to get directed to basically whoever they see as a person of authority.
“You have to be involved with your internal communications team and as a security professional because if you start disseminating inconsistent information, then the rumor mill really gets started. You've got to have that consistency piece and ensure you treat this as you would any other type of crisis in that you have a very specific message that goes out internally, a very specific message that goes out externally, and that all the right people are involved in that messaging,” explains Law. “And in the case of a pandemic-type situation, not that that's what we have here as of yet, you are going to have to have HR weigh in on it, you're going to have to have security weigh in on it and you're going to have to have your communications folks understand the repercussions of sending out certain information. From a security and risk perspective, make sure that your executives understand that they're going to be asked these questions as part of something that might be completely unrelated. You might be having like a global town hall conference call or something like that with your CEO where you're talking about earnings and they might get questions about, ‘Well, what are we doing about this virus?’"
Wilson realizes the communication factor will play out differently from one company to the next. But she maintains that having foundational best practices to follow will prevent the message from being misconstrued.
“Some companies have been at the proactive information and analysis side of things for years (like oil and gas), while others are still relatively new at it. And as many find out, it’s a lot more involved than simply putting a person in front of a computer. It is exceptionally important to have well laid out information gathering and assessment processes, particularly as crises like the current one deepens. Understanding how a company operates in a crisis scenario, including what is and isn’t relevant information is not always clear to people newer to the field, so conducting Crisis Management (CM) exercises once or twice a year to keep those skills fresh and to build good communication between the people who make up these teams provides a more sound basis when the real thing comes around,
“In addition, we have a duty to ensure that our professionals in charge of formulating policy and mitigation measures are able to make decisions based on the best information available at a time when we are navigating a minefield of information, much of which is incomplete at best, and some of which is flat out wrong. This requires individuals with strong critical thinking, analytic and writing skills as well as the knowledge and networks required to build ground truth that can be corroborated and acted upon. Finally, processes for who communicates what to whom when become crucially important to ensure that the information flow lessens confusion, instead of adding to it,” Wilson adds.
How to Secure the Remote Office During a Crisis
One of the contingencies that many global organizations may employ during a crisis to lessen the on-site risk to employees is setting up a work-at-home strategy. However, these may have security repercussions that could prove just as impactful. Many businesses are now scammed by a fake email that tells an employee to send a payment to a new supplier. With a crisis moving the workforce to a home office, businesses need protocols for phone conversations to limit this risk. An employee’s mobile device our home computer may also be a vulnerability that must be secured during an extended home quarantine.
Larry Dorie, CEO and Co-Founder of RHUB Communications. a U.S.-based company that deploys highly secure remote access, remote support and web conferencing solutions to global organizations, says the key issue is access security — making sure the authorized person and only the authorized person gets access to technologies and the data within those technologies. Whether a company uses remote support tools to assist customers virtually, or cloud-based solutions to grab important corporate files, or even web conferencing solutions to communicate with customers or collaborate with a large base of remote workers nationally or across the globe – blocking out the bad guys and protecting communications is vital.
“Even using meeting IDs or passwords can be easily compromised as they are typically sent via email. However, if solutions operate behind a firewall or VPN then this can preclude anyone from outside the network getting access even if they ‘illegally’ gain access to your ID or password.” Dorie says. “The same security level of the VPN can be implemented even with public access by enforcing a check on IP addresses and only allowing access from specific sites like satellite offices, known partners and employees’ home offices.”
Because of the growing nature of the COVID-19, Dorie believes more companies are going to allow remote work and will be challenged with the necessity to secure organizational data as it ebbs back and forth.
“Avoiding large assemblies is the number one caution being promoted by health authorities now. Working from home allows the employee to avoid joining larger groups whereby the virus can be contacted. Moreover, since business travel is being significantly impacted by the virus, companies will not only have to prepare to support more people working from home domestically but even support their teams who currently working across the globe. So, having robust tech solutions that can support thousands of people (not just 10 people), in a highly secure and protected way, is extremely important when supporting an increasingly decentralized workforce,” concludes Dorie.
Trust Your Business Continuity Plan
Wilson contends that one of the most crucial aspects of a global enterprise is possessing a Business Continuity Plan and ensuring that it is a practiced strategy. She is adamant that the bigger the company, the harder it is to implement a plan to address these types of situations on the fly.
“Our companies are mostly Fortune 100 and above and most have these people and processes in place. But small and medium-sized companies often do not. Especially those that grew very fast and are still playing catch up on support functions. And it is those businesses who tend to be hurt the most by situations like this due to single-source supply lines, lack of business contingency planning, lack of business disruption insurance, or lack of a reservoir of funds to draw on when the economy starts heading south,” says Wilson.
She adds that handling operations when employees may be in harm’s way is exactly why companies need to build strategies ahead of time. This includes everything from planning for extractions from war zones to kidnap and ransom policies and planning.
“Regional security personnel who do their job well, build strong relationships in their areas of responsibility that can be called upon to assist in an emergency. This means getting to know everyone from the local police and military to the local street vendors. They also build local knowledge of these areas so that they can build plans that are culturally, socially and logistically feasible based on local conditions. And even with all that planning, every situation that materializes will present with different contingencies, concerns and technicalities that will have to be resolved case by case,” Wilson stresses. “This underscores the importance of hiring level-headed professionals who know how to problem solve, collaborate and communicate effectively, make-clear headed recommendations and avoid being reactive at the moment.”
About the Author: Steve Lasky is a 33-year veteran of the security publishing industry and multiple-award-winning journalist. He is currently the Editorial and Conference Director for the Endeavor Business Security Media Group, the world’s largest security media entity, serving more than 190,000 security professionals in print, interactive and events. It includes Security Technology Executive, Security Business and Locksmith Ledger International magazines, and SecurityInfoWatch.com, the most visited security web portal in the world.
