IT risk & threat management during COVID-19

As with most things during this current period of uncertainty, many organisations are coming to terms with the fact that certain issues and risks that may have been perceived as having a low likelihood of occurrence is now coming to light, and fast becoming a reality. The COVID-19 pandemic has highlighted a number of risks to employees, IT infrastructure, communications, and cyber-security operations, which may have a detrimental impact on operations within organisations.

Business Continuity Plans

It is clear that during this critical period, organisations' regular operations will continue to be affected. Whilst various measures may be adopted to limit the impact of threats such as supply chain issues, workforce reduction, and infrastructure outages, the underlying tool which should encompass all mitigating controls to deal with this current situation is an effective Business Continuity Strategy. Having a Business Continuity Plan in place helps address continuity issues and ensures the stability of the organisation's regular operations.

IT infrastructure

There is now a clear emphasis on the reliance on organisations' IT infrastructure in order to guarantee continued business operations. The availability of a robust and fault-tolerant infrastructure ensures that any services and applications can handle the additional load of remote-working employees. With government-mandated lockdowns in effect, companies must face the reality that the day-to-day management of any on-premise infrastructure may now have to be done remotely.

For companies which previously handled the operational aspects of infrastructure management via on-site staff, this may present a challenge which may be met by ensuring that remote access to such systems is always available, without compromising the overall security of the IT systems in place.

Any single point of failure in the infrastructure should be eliminated to prevent a loss of access to services and applications, which could trigger a chain of events resulting in additional disruptions to the business. If outsourcing agreements with managed services suppliers are in place, any service level agreements (SLAs) should clearly outline the responsibilities of the suppliers throughout the duration of emergency situations. SLAs should be amended to cater for such eventualities should these have not already been defined.

Cybersecurity

In such an environment, the cybersecurity issue also demands greater attention. With the increased reliance on in-house or hosted IT systems, as well as third-party tools for remote working and communications, the risks to an organisation's cybersecurity, are accentuated. Any attack on an organization's IT system may result in prolonged service interruptions, data breaches, and theft of personal information, not to mention reputational damage.

In the current circumstances, some companies may find it difficult to create and introduce measures such as information security policies and procedures to adequately address cybersecurity concerns.  However, they may find it useful to prioritize and implement ad-hoc procedures, such as security awareness campaigns for staff to mitigate the risk of social engineering attacks related to the epidemic.

In the meantime, IT systems should be closely monitored to detect potential security events and to control and contain any incidents which may interrupt regular operations. While patching and updates to IT systems should normally be conducted at regular intervals, companies may need to plan for the deployment of emergency hotfixes and patches to bring hardware and software up to date with the latest firmware and software revisions, thus further mitigating risks of remote threats and other vulnerabilities.

Communications

Communication is emerging as a key factor in ensuring that all stakeholders within an organisation are adequately informed of the ongoing situation at regular intervals. Business Continuity Plans should contain communication strategies clearly defining how the organisation will keep in touch with employees, suppliers, clients, and other stakeholders.

The risk of an organisation prioritising operational uptime and effectively "going dark" can clearly have an adverse impact: employees could start having doubts as to how their viability within the organisation is being perceived; clients could assume that all business operations have ceased; while suppliers could decide to interrupt their service supply to the company. In times of uncertainty such as these, reassuring internal and external stakeholders becomes a  vital communications objective

Stop-gap solutions for COVID-19

Companies that do not have a Business Continuity Strategy in place should consider short-term plans to implement measures such as: 

• The elimination of single points of failure
• The implementation of disaster recovery plans to restore regular business operations
• Quantifying various risk levels within business processes and establishing emergency measures and controls for each individual risk item
• Planning for the closure of one or more of the organisation's premises
• Planning and preparing  for any forecasted supply chain issues
• Establishing reaction plans for multiple eventualities which may impact regular operations

The implementation of such measures and controls can contribute substantially towards the protracted duration of business operations (albeit with comprehensible and manageable losses) throughout the extent of the current crisis.

Publication date: 23/04/2020