
The article was originally published on kpmg.com.   

Concern over the scale and impact of the COVID-19 pandemic is growing, leading organizations to consider their response and the actions they need to take now to maintain their business. The Chief Information Officer (CIO) and Chief Information Security Officer (CISO) play vital roles in making sure their organizations can continue to function as pandemic containment measures are implemented. As such, it is critical that CIOs and CISOs bear in mind the following considerations in order to ensure their businesses continue to operate during these challenging times.

Can your business function effectively through remote working?

You need to ensure that your business can work remotely and flexibly, and that employees are confident in being able to do so. This may require you to revisit decisions on access rights, entitlements and risk posture.

Questions to consider:

  • Have you scaled your VPN concentrators, portals and gateways to handle the large number of colleagues who will need to work remotely?
  • Have you considered the potential key suppliers, contractors and vendors who will require access and the additional scale that will bring?
  • Have you tested the infrastructure to assess whether it can handle the expected loading?
  • Are there single points of failure in the infrastructure and can you provide additional resilience?
  • Do you need to relax access controls or provide additional remote login accounts or credentials?
  • Is there sufficient help desk capacity to handle queries from users who are unable to login or unfamiliar with remote working?
  • Can you run your help desk operations remotely if help desk staff have to work from home?
  • Where employees require access to laptops for remote working, is there a pool of laptops available? Can more be procured and installed to meet demand? How should allocation be prioritized?
  • In cases where the pool of equipment is limited, have you considered focusing on essential services and splitting access to them via alternative access solutions (e.g. Office 365 and OneDrive vs. in-house applications)?
  • Have you considered the ability to whitelist only specific applications during this period and block all non-essential services?
  • Do you have limitations on video and audio teleconferencing bridges, and can you do anything to scale that infrastructure?
  • Do you need to consider alternate cloud-based conferencing and teleworking solutions?
  • Do all staff have the necessary access numbers/links to reach the video and audio teleconferencing bridges? Is training material readily available, and should you establish a helpline?
  • Have you prepared simple guides to be distributed to staff on key help desk related queries:
    • How do I login?
    • How do I change my password?
    • How do I access key services?
    • How can I get assistance from the helpdesk?
    • Who are my key contacts if I have a crisis?

Are you able to scale digital channels to deal with demand?

Restrictions on travel and the spread of the virus may lead to new patterns of demand and higher traffic on digital channels. With this comes new implications CIOs and CISOs will need to be mindful of.

Questions to consider:

  • More customers and clients may expect to transact with you through digital channels. Can you scale those systems and services to deal with changing demand?
  • How would you monitor loading and performance, and who can make the necessary decisions to scale capacity or create dynamic choices on prioritization if capacity is an issue?
  • Are you clear about which services you may need to shed or how customer journeys may need to alter if systems are overloaded?
  • Are you dependent on key call centers? If those call centers are closed or inaccessible, can customers and clients interact with you through other channels?
  • Is there the option to allow call center staff to work remotely or to transfer their loads to another call center location?
  • Have you considered the interactions between call centers and service/help desks and the impact of any outsourcing arrangements?
  • Have you discussed the arrangements with key suppliers of those services and how will they prioritize your needs against those of other clients?

Are you reliant on key IT personnel?

Sadly, employees may be infected, may find themselves unable to travel, or may need to meet family caring commitments. As such, you should plan for a significant level of absenteeism.

Questions to consider:

  • What would happen if key IT personnel (including contractors) are confined or are ill with the virus? Are you dependent on a small number of key individuals?
  • How could you reduce that dependency? (For example, by ensuring that there are “break glass” procedures in place to allow other administrators access to critical systems.)
  • Who are the key individuals of the security team? If the CISO is not available, who then will make the calls on the security posture and acceptable risks to the organization?

What would happen if disruption to a data center occurs?

Data centers may be impacted by the virus too. A positive test may result in an evacuation and deep clean of the building; transport infrastructure disruption may prevent access, and data center staff may be unable to work.

Questions to consider:

  • If one of your data centers is evacuated, do you have disaster recovery plans in place to deal with the disruption? Have you tested those plans?
  • How quickly can you fail over to an alternate site, and who manages that process?
  • Are you reliant on key individuals (including contractor support) for the operation of the data center and how can you manage that dependency?

Are you able to scale your cloud capabilities?

There may be additional demands on cloud-based services, requiring you to scale the available computing power, which may incur additional costs. At the same time, other services may show reduced demand.

Questions to consider:

  • Are you able to monitor the demand for cloud computing services and manage the allocation of resources effectively?
  • Have you planned for any additional costs which may be incurred from scaling or provisioning other cloud services?

Are you dependent on specific suppliers?

Your suppliers and partners will also be under pressure. Their operations can be disrupted too.

Questions to consider:

  • Who are your critical suppliers and how would you manage if they are unable to operate (including disruption to your key managed service providers)?
  • Are there steps you could take now to reduce that dependency, including using your team resources?
  • Are you discussing these implications with your key suppliers, and do you have the right points of contact with those suppliers?
  • Have you identified which IT suppliers may come under financial pressure and what would be your alternate sourcing strategy if they did fail?

What would happen if there's a cyber incident?

Organized crime groups are using the fear of COVID-19 to carry out highly targeted spear-phishing campaigns and set up fake websites, leading to an increased risk of a cybersecurity incident.

Questions to consider:

  • Have you made clear to employees where to access definitive information on the COVID-19 pandemic and your organization's response to COVID-19?
  • Have you warned staff of the increased risk of phishing attacks that use COVID-19 as a cover story?
  • If you are dependent on alternative systems or solutions, including those procured as cloud services, who would handle a security incident involving those systems?
  • Do you need to change your approach to security operations during the pandemic, including arrangements for monitoring of security events?

What would happen if there's an IT incident?

While COVID-19 dominates the news, you should still be aware of the possibility of an IT failure given the changing demands on your infrastructure or an opportunistic cyber-attack.

Questions to consider:

  • Would you be able to co-ordinate a response to an IT incident remotely? Do you have the necessary conferencing facilities and access to incident management sites/processes and guides?
  • Do you have a virtual war room set up for instances where physical access may become limited or restricted?
  • Are you dependent on key individuals for the incident response and if so, what can you do to reduce that dependency?
  • How does the emergency/incident response crisis management structure change if key incident managers/recovery leads are unavailable?
  • Are you confident that your backups are current and that, in the worst-case scenario, you can restore vital corporate data and systems?
  • How would you deal with a widespread ransomware incident when large parts of your workforce are working from home?

Are you making the best use of your resources?

You'll need to be able to function with limited employee numbers and be clear on the priority tasks your team needs to be able to complete.

Questions to consider:

  • Have you prioritized your team's activities? Are there tasks which you can defer so as to release staff for contingency planning and priority preparation tasks?
  • Do you have access to emergency funds if you need to quickly source equipment or additional contractor/specialist support?
  • If you are placed under pressure to reduce discretionary spend to preserve cash, are you clear on which spend must be protected and where to make those savings?

Are you setting an example?

Amongst all these organizational considerations, your team will still look to you for leadership and support.

Questions to consider:

  • Have you made sure your team is implementing sensible hygiene practices, including offering flexible and remote working arrangements to meet changing needs?
  • Do you have up-to-date points of contact details for all your team? Is your team aware of who to contact in an emergency?
  • Do you model the behaviors you expect of your team? What would happen if you were incapacitated? Who would step in for you?
