30 Mar COVID-19 Business continuity
You’re ready for working differently,
but now you actually have to do it.
Businesses have been preparing for remote and flexible working for years by implementing technologies that enable remote collaboration and access to required systems. What we are learning from the current COVID-19 crisis is that many haven’t fully prepared for extended disruption on a global scale.
Business continuity and disaster recovery plans have been created and amended to include processes for remote working, and tools for communicating effectively where normal operations are impacted. However, the capability of businesses to do this at scale, and over an indefinite time frame has not always been factored into these plans. The recent scale and rate of change have shown us that our preparations have not been sufficient and working differently has led to an increase in risk that now requires additional management and operational capability.
If your business is operating remotely, you may have noticed a few snags here and there. Questions may have arisen around the privacy obligations with regards to sharing information differently. Third party vendors may be talking about force majeure clauses and other contractual frustrations. Managing resources such as software licences, as well as management and control of access may be presenting new challenges. Though frustrating, there are ways to ensure these snags do not become major issues that take up time you may not have. Aspects of business that may be compromised include efficiency and scale, security, privacy, relationships with your supply chain, and duties of directors.
Efficiency and scale
There are many reasons why efficiencies will be affected: employees may be distracted as they multi-task with other aspects of their lives, clients may have other priorities that do not include your products or services, and to be honest, the daily updates on the virus are enough to distract anyone.
Capacity of IT and network systems will be impacted; stress to the network as you roll out security patches or configuration changes may cause disruption, and there is the additional consideration of how shared online platforms will cope with the increase in online communications. There may also be added costs and planning with regards to licensing and certificates for users.
Managing your information systems and how information flows through them is the key here, as is communication with employees on changes that may affect them. In addition, financial support for additional costs accumulated through managing these inefficiencies may be available to you.
Security depends on how the people, processes and technology in your business interact. For some businesses, security may have been built in by design. For many it has been an afterthought until now. In either case, changes in day to day operations will mean new and increased risks that need to be identified and managed.
Concerns for leaders of companies here will revolve around threats to mobile devices (such as access to company systems without secure connections), an increase in malware and social engineering (phishing, smishing etc.), denial of service attacks, and legitimate use where demand simply outstrips the capability therefore overloading systems to a point of failure.
The European Union Agency for Cyber Security has released the following tips for employers and employees. Regardless of which country you are in, this is a great guide for all businesses to implement small changes for added security. ICTLC have success in implementing these changes and can assist.
There are a few elements to be discussed with regards to privacy. The first is the sharing of employee personal information. It should be noted that there are restrictions on processing personal health information in each jurisdiction so be mindful before implementing new practices regarding employee personal information. Check the OAIC in Australia, and the EDPB in the EU for an outline on the information relevant to you.
Extra precaution should be taken to ensure that information is processed for the purpose for which it was intended, and in accordance with relevant laws depending on where it is being processed (collected, transmitted, stored etc.). With the move to different ways of working, ensuring strong information governance is just as important as before. Businesses should consider that new kinds of information are being created that did not exist before, or new uses may result in different classifications, for example video feeds/streams, chat logs, etc. which were not highly used previously are now very likely to contain confidential or privileged information. The same recommendations made around securing information systems apply here, but you must also consider that information is being handled and processed differently. Identify what these differences are (e.g. whether it is exposed to other parties in an individual’s house or is being stored in a new platform) and cross check this with your ongoing obligations to protect it.
Data analytics may also create privacy issues. Rapid adoption of new tools to facilitate online collaboration will create masses of behavioural data on your organisation that these online platforms can collect, collate, and extrapolate to create a detailed profile of your organisation and its users. While this is largely an unavoidable reality of the modern workplace, it is important to consider and understand the implications this shift may have for your business and your users.
Third party relationships
Managing relationships with third parties in your supply chain while meeting customer expectations is going to be a dominant concern in the immediate and long term. Agreements with third parties that include security provisions and force majeure clauses may impact the security requirements that those parties are contractually bound to adhere to despite the changes to working differently.
These relationships may also be under strain, given the entire supply chain is affected one way or another by COVID-19. Security and law combine here, as the risk is to all parties involved and an understanding of both law and security will be important when negotiating a way forward that is operationally possible for all involved. For example, force majeure provides a legitimate reason to terminate, however we need to find answers to make it possible for relationships and services to continue.
My final notes are to the managers and board members reading this. You are all aware of your duties and the standard of care and diligence required from you. I would like to draw your attention to the ASX Corporate Governance Principles, namely Principle 7 which goes to recognising and managing risk. The risks presented by employees and third parties working from home will need to be managed differently. Careful assessment of the security implications is required in the short term. In the long term, a review of ongoing business continuity and disaster recovery plans will need to take place to ensure they incorporate lessons learned. At all times you will be required to ensure that the changing risks you face, and your treatment of such risk is in line with your risk appetite.
Secondly, businesses are currently in response mode, which will then become recovery mode. Your main concern from a cyber law perspective is going to be your supply chain and your ability to recover operations effectively, despite possible renegotiation of agreements. Ensure you understand your obligations when it comes to any frustrations in your agreements and what remedies are available.
Finally, new conversations may arise that require a balance of corporate governance and individual rights and freedoms especially with regards to using personal mobile devices for company work. Discussion with employees is incredibly important in order to ensure compliance with company policies and physical solutions, including safety.