COVID-19 WILL CHANGE FOREVER HOW WE LOOK AT BUSINESS CONTINUITY AND CRISIS MANAGEMENT

The effects of COVID-19 on businesses are already unprecedented. It's also going to get worse before it gets better. While I am not very good at thinking in 'futuristic' terms, even I already know that the businesses that manage to survive will have no choice but to fundamentally change how they do what they do. Permanently!
Well, for those businesses for whom data and electronic communications are the primary keys to their business model that is. Face-to-face stuff (e.g. brick-and-mortar retail) is a whole other ball game and way beyond my ken.
From tele-working, to business travel / commuting, to the communication and collaboration technologies in use, the impact of this global phenomenon will be dissected and analysed for decades. The 'old ways' of working; 9-5; bum-on -seat; Mon-Fri could [and I think should] largely disappear if, and ONLY if, the lessons learned are taken on board. Every business is a series of functions, and it should not be of primary importance where the person who performs those functions is, or even who that person is.
This is the mistake most organisations make, and while the impact of something like COVID-19 has never been part of any BCP I've ever seen, we could certainly have extrapolated and prepared for events like it. Here in London for example, if the trains go on strike there is an enormous impact on the daily commute; people take 3 to 4 weeks off in a row on annual leave; long term power outages at critical locations and so on. All of these things, and many more like them, have all pointed to what is now required but almost universally absent. But while there are literally hundreds of articles on how to DO business continuity in the face of COVID-19,
they are almost ALL too little too late. It's not the security industry's fault however, it's the fault of every senior leadership team who saw the aspects of security from incident response onwards as nothing more than a paperwork exercise. Or worse, chose to remain ignorant of the right way forward.
At its heart, crisis management (and by extension, business continuity planning) is about four things:
An understanding of the business's individual functions.
An understanding of how those functions are performed.
An understanding of who performs those functions.
Appropriate communication.
In other words, if what you do, and how you do it is known and documented; AND is assigned to the appropriate and accountable resources... then all you have to worry about is the ongoing communication. Yes, the implementation of appropriate technology(ies) is relevant, but that should really be a one-off exercise plus ongoing maintenance.
Clearly this is not happening. Very few organisations have been adequately proactive in communicating to their employees what COVID-19 is, what its impact could be, and what to do about it. Almost everything that has happened to date has been reactive, ad hoc, and ineffective. You may think this is a little unfair? You may think that it should not be the employer's responsibility to keep their workforce both informed and safe in the face of a pandemic? Tell me, who is better placed to do that? The Government? The newspapers? Your doctor?
It is my contention, and the real point of this article [finally], that it's the employers who should take the lead in these situations, because even Governments don't have the level of influence over people that employers do. Of course everyone should follow what the Government and reputable experts say in these scenarios (CDC for example), but it's the employers who have the most effective access to, and authority over, the lion's share of the population. They also have the best chance, by far, of heading off the rampant ignorance that leads to wearing a plastic bag over your head and other irretrievably stupid things that that we have seen during the pandemic!
Not convinced? Think about it for a second. In the UK [for example] there are ~66 million people, ~half of whom are gainfully employed by ~2 million employers. If you exclude the public sector and the self-employed, you're left with ~1 million employers with multiple employees. I have long maintained that our employers have taken over the role of the communities of old (albeit very poorly): Your and your family's very livelihood (read Maslow's Hierarchy of Needs) is largely dependent on them. Even your sense of identity; You spend more than a third of your working life either at work or getting to and from it; A huge chunk of your interpersonal interactions are a result of your place of work (I married an ex-colleague for example (much to her regret)).
Virtually everyone has a laptop/desktop, mobile phone, or both. And whether they are work-supplied or personally-owned makes no difference, your employer has direct and personalised access to you. They also have the 'power' to MAKE you listen/read/respond and ACT in accordance with their mandates.
Now imagine if your employer implemented [or had access to] a service that provided not only the most up to date information from all of the reputable and relevant resources, but detailed instructions on what each employee should be doing at any given time? Would these millions of people who are now armed against ignorance not significantly 'flatten the curve'? Imagine almost one HALF of the population influencing and protecting the other half, even if it's only against themselves.
Bottom line; I believe organisations not only have a responsibility to keep their employees both informed and safe, they should be held accountable for it (up to and including regulation). It is, after all, in everyone’s best interests including the employers themselves. It just makes sense even if you’re mercenary enough to only see this from a financial perspective. Everyone, please stay safe, informed, and help out where you can, even if it's by staying in the house.

David Froud
David is Director at Core Concept Security. He is a Cybersecurity practitioner specialising in delivering collaborative data security solutions to high-end corporate clients. He is particular focused in Regulatory Compliance, Governance Framework Design, and Secure Payments and Innovation. He has significant international team management and sales support skills. He is an industry speaker, with a track record for simplifying security into terms that can be understood and implemented by anyone.
Website: www.davidfroud.com
Core Concept Security (CCS)
Core Concept Security (CCS) is an independent cybersecurity and data protection consulting practice based in the UK with clients around the world.
Website: www.coreconceptsecurity.com