The effects of the coronavirus are far-reaching in the business world, and the information security function is not exempt from that disruption. In this light, business continuity and resilience have never been more important. Even before the outbreak of COVID-19, these topics were high on the agenda of CISOs, and the information security function has a crucial role to play in them.
Dealing with the enterprise disruption caused by COVID-19 starts with risk and leads into security
The information security function is not an island or an ivory tower. Omdia (as Ovum) has long focused on the “big picture” of cybersecurity: technology is only one of the triumvirate of people, process, and technology that together comprise security controls. Furthermore, the influencers on security (governance, risk, and compliance) are crucial inputs to an organization’s security posture.
For the information security function, dealing with the disruption caused by COVID-19 starts with the risk function and leads into security. This virus is clearly a risk to many organizations. Using the common risk equation, likelihood multiplied by impact: the likelihood of an enterprise being affected by COVID-19 is increasing by the day, and the impact on a given organization can range from very low to very high. Risk mitigation can be anything from standardizing on remote working, to switching suppliers, to reducing the working week; all of these are recent real-world examples.
Even while the risks are being assessed, the information security and IT functions should ensure that “remote working” plans are up to date and that all affected employees (and contingent workers) have access to the tools, technology, and equipment they need to operate effectively and securely outside the office environment. Security controls are about people, process, and technology, and the human factor should not be forgotten. Some of those new to remote working will need to be trained appropriately (and others are likely to benefit from a reminder), so quickly rolling out updated remote-worker training will be beneficial. We have also seen a sharp rise in coronavirus-themed phishing emails, so make everyone who connects to organizational systems and data aware of this and ask them to report any suspicious emails.
In addition, take advantage of “technology champions” throughout the business: individuals who have good knowledge of business systems and technology but who do not work for IT. Ensure that these people are engaged and empowered by IT with the information and tools they need to support their colleagues.
Enterprises should be testing their business continuity and resiliency plans, and the information security function plays a key role in this. Resiliency objectives should be aligned with business objectives to minimize the impact of a variety of risks, including environmental ones such as COVID-19. The information security function will work with business continuity and resilience specialists by providing assurance that security risks are being managed within acceptable levels.
COVID-19 knows no boundaries and the same should apply to the information security function, working across the enterprise to mitigate the risks appropriately.