My military and police experiences have paid dividends and made me a much better CIO and CISO. These professions plan and practice until the effort becomes muscle memory and robotic.
Why? In a time of a crisis, your plan works until the first punch is thrown or the first shot is fired. What happens next is anyone’s guess. But, the hope is you revert to instinct. At the head of the effort requires an individual that can quickly assess and make decisions. A word of advice here, always be reassessing and be open to being questioned. In the time of crisis, blind spots happen, recognize them, and be the one that circles back to see what was accomplished and could have been done better.
Being prepared is being tested. Business Continuity Planning and Disaster Recovery (BCP/DR) is essential but was a Pandemic in your BCP/DR plan?
Was there a section that said, within two days, deploy laptops to people that only require a desktop or a thin client? Did it allow people to take their desktop home? How will they connect the device to the corporate network, print, and scan? How will they protect PII and ePHI and other confidential documents? How will they destroy the records?
Can anyone say they were 100% ready and the transition went smooth? We prepare for what we have experienced—Tornado, flood, hurricane CAT 5. Not a Pandemic.
As I type this article, I recalled the days of cold, warm, and hot sites. Over time these have been replaced with ROI versus cost savings/avoidance and just in time mentality. So what exists today? For those that invested heavily in laptops, you might sprinkle a little VPN and you may be prepared. Those that spent in Citrix or VDI solutions are ahead of the pack.
Collaboration tools and office productivity issues make those that invested in Microsoft 365 appear clairvoyant and ready. Those that switched to Saas, PaaS, or web applications are in the best place of all. The caveat here is that the provider has also invested in its infrastructure and capability.
A recent article showed Microsoft is seeing a 775% spike in cloud services in regions with social distancing.
Where do you focus on the security of working from home or remote? Endpoint protection is a must. Domain Name Service (DNS) protection of internet access across all network devices, office locations, and roaming users will minimize users going to fraudulent/malicious websites or applications. A must-have is multifactor authentication (MFA). And how are your telework agreements? Do they discuss the place of work condition, and does the employee have the correct protection on their home computer?
Do they have a firewall between their router and computer(s)? Are employee responsibilities for reporting unauthorized access to their home network/computer clearly spelled out? Would the person even know its happening? Do you have training material and How-To documents? The service desk will inevitably get overrun by calls for help. Where does this cable go? I can’t get my computer to power up. I can’t connect to the WiFi.
The last thought is around staffing. In my past experiences, those two positions that weren’t filled before the BCP/DR event were completely overcome. During the BCP/DR event, it quickly turns to 3 and 4 that need to be filled. Having relationships with external staffing agencies is a must. They will save your bacon.
Word of advice, get through the fog of a BCP/DR event quickly. Establish lists and routines. Get back to normal as soon as possible. Remember to patch, conduct daily security checks, and continue to build and innovate.
Use the crisis to push some of the items that have stalled due to funding needs. Even if this one allows a return to some form of normalcy, the next one may not. Let’s not waste this lesson.