COVID-19 Will Change Forever How We Look at Business Continuity / Crisis Management

The effects of COVID-19 on businesses are already unprecedented. It’s also going to get worse before it gets better, and I don’t just mean the ridiculous demand for toilet roll. While I am not very good at thinking in ‘futuristic’ terms, even I already know that the businesses that manage to survive will have no choice but to fundamentally change how they do what they do.

Well, those for whom data and electronic communications are the primary keys to their business model, that is. Face-to-face stuff (e.g. brick-and-mortar retail) is a whole other ball game and way beyond my ken.

From tele-working, to business travel / commuting, to the communication / collaboration technologies in use, the impact of this global phenomenon will be dissected and analysed for decades. The ‘old ways’ of working (9-5; bum-on-seat; Mon-Fri) could [and I think should] largely disappear if, and ONLY if, the lessons learned are taken on board. Every business is a series of functions, and it should not be of primary importance where the person who performs those functions is, or even who that person is.

This is the mistake most organisations make, and while the impact of something like COVID-19 has never been part of any BCP I’ve ever seen, we could certainly have extrapolated and prepared for events like it. Here in London, for example: if TFL goes on strike there is an enormous impact on the daily commute; people take 3 to 4 weeks off in a row on annual leave; long-term power outages hit critical locations; and so on. All of these things, and many more like them, have pointed to what is now required but almost universally absent.

But while there are literally hundreds of articles on how to DO business continuity in the face of COVID-19, they are ALL too little too late. It’s not the security industry’s fault however, it’s the fault of every senior leadership team who saw the aspects of security from incident response onwards as nothing more than a paperwork exercise. Or worse, chose to remain ignorant of the right way forward.

Ignorance is a choice.

All that said, this blog is not actually about business continuity planning per se; that’s not really my forte. This is more about ‘crisis management’, and how the LACK of it has made the COVID-19 pandemic worse for everyone, especially those in the medical professions.

At its heart, crisis management (and by extension, business continuity planning) is about four things:

  1. An understanding of the business’s individual functions;
  2. An understanding of how those functions are performed;
  3. An understanding of who performs those functions; and
  4. Appropriate communication

In other words, if what you do:

  1. and how you do it is known and documented; AND
  2. is assigned to the appropriate and accountable resources…

…then all you have to worry about is the ongoing communication. Yes, the implementation of appropriate technology(ies) is relevant, but that should really be a one-off exercise plus ongoing maintenance.

Clearly this is not happening as a matter of course. Very few organisations have been adequately proactive in communicating to their employees what COVID-19 is, what its impact could be, and what to do about it. Almost everything that has happened to date has been reactive, ad hoc, and ineffective.

You think maybe this is a little unfair? That it’s not the employer’s responsibility to keep their workforce both informed and safe in the face of a pandemic? Tell me, who is better placed to do that? The Government? The newspapers? Your doctor?

It is my contention, and the real point of this blog [finally], that it’s the employers who should take the lead in these situations, because even Governments don’t have the level of influence over people that employers do. Of course everyone should follow what the Government and reputable experts say in these scenarios (CDC for example), but it’s the employers who have the most effective access to, and authority over, the lion’s share of the population.

They also have the best chance, by far, of heading off the rampant ignorance that leads to wearing a plastic bag over your head and other irretrievably stupid things that are still going on!

Not convinced? Think about it for a second. In the UK [for example] there are ~66 million people, ~half of whom are gainfully employed by ~2 million employers. If you exclude the public sector and the self-employed, you’re left with ~1 million employers with multiple employees.

I have long maintained that our employers have taken over the role of the communities of old (albeit very poorly):

  • Your and your family’s very livelihood (read Maslow’s Hierarchy of Needs) is largely dependent on them. Even your sense of identity;
  • You spend more than a third of your working life either at work or getting to and from it;
  • A huge chunk of your interpersonal interactions are a result of your place of work (I married an ex-colleague for example (much to her horror and regret)).

Virtually everyone has a laptop/desktop, mobile phone, or both. And whether they are work-supplied or personally-owned makes no difference, your employer has direct and personalised access to you. They also have the ‘power’ to MAKE you listen/read/respond and ACT in accordance with their mandates.

Now imagine if your employer implemented [or had access to] a service that provided not only the most up to date information from all of the reputable and relevant resources, but detailed instructions on what each employee should be doing at any given time? Would these millions of people, who are now armed against ignorance, not significantly ‘flatten the curve’? Imagine almost one HALF of the population influencing and protecting the other half, even if it’s only against themselves.

Bottom line; I believe organisations not only have a responsibility to keep their employees both informed and safe, they should be held accountable for it (up to and including regulation). It is, after all, in everyone’s best interests including the employers themselves. It just makes sense even if you’re mercenary enough to only see this from a financial perspective.

Eventually I’ll write up more specifics on how every organisation can put something like this in place, but now is not the time. All I ask is that you pay particular attention to how YOU are managing to perform your duties while stuck at home, because if you can’t do it the next time you’ll have failed yourself and your employer equally.

Everyone, please stay safe, informed, and help out where you can, even if it’s by staying in the house.


Running Marathons: The Perfect Cybersecurity Analogy

What follows is an analogy that I have been meaning to write for years, but, like all great procrastinators, I let life get in the way.

Be warned however, I have taken significant ‘poetic licence’, and generalised outrageously, so don’t be too upset with the glaring ‘plot’ holes. I have also written this from the perspective of my own experience running, not from a true runner’s perspective. Anyway, I’m still faffing…


Cybersecurity Skills Gap my Arse, I Can’t GIVE my Time Away!

A month ago I wrote the blog ‘Beware of the ‘Pet Rock’ Cybersecurity Vendors‘, in which I offered to give a day of my time away for free. I stated:

Any organisation within a 1 hour train ride from London can have 1 day of my time for ‘free’ as long as the following requirements are fulfilled:

And while those ‘requirements’ were as basic as they were necessary…:

GDPR: How Much Compliance is Enough?

I was asked the equivalent of the subject question the other day, and realised that perhaps the demonstration of compliance is not quite as obvious as I have made it out to be in previous blogs.

And by ‘obvious’ I don’t mean ‘simple’, because this has always been simple.

The word ‘appropriate’ appears 115 times in the GDPR final text, and the word ‘reasonable’ a further 23, but if you don’t know how to define those things in relation to compliance for your organisation, how do you know when you’ve done enough? Or too much? The balance is as important to your business as compliance itself.

Getting from 'Paper' Policies to Regulatory Compliance

I have lost count of the number of times I have stated the equivalent of: “Without good policies you’ll never have real security.” Then again, security is what I do for a living, so it’s obvious to me, but clearly it’s not obvious to the thousands of organisations who think policies are just pieces of paper you use to tick a compliance box.

Then it occurred to me that maybe organisations just don’t know how to take a policy and turn it into something that can be used to both demonstrate and validate adherence to a regulatory compliance regime such as GDPR or PCI. Or, perhaps just as importantly, pass a due diligence audit for a potentially huge client.