
Security Risks during Recovery and Repair

With “all hands on deck” battling the coronavirus pandemic, it is difficult to turn one’s attention to recovery and reconstruction of the many organizations that have had to be reduced or closed down. Yet now is the time to be planning and preparing for recovery and rebuilding, as some reporters are starting to consider.[i] Time spent planning and preparing for recovery and restoration before or during a catastrophe can greatly reduce the time and effort required to reestablish businesses, government agencies and other institutions. Perhaps you have staff who are not directly involved in the battle against the pandemic or, if not, you might be able to retain third parties to develop your recovery plan and suggest how you might restore what was lost and hopefully get back to normal, which will likely be a new normal. Reopening won’t be easy or trouble free, as China is discovering.[ii]

Catastrophe recovery and reconstitution planning is key; not doing so is like entering a war without an exit strategy. And we know the consequences of that …

There are many practical things to be done to make sure that, when you are ready to restart, it will go more smoothly and efficiently. First among them is to be sure to maintain facilities, equipment, software, and personnel skills during the restrictions. In fact, it might be a good time for some workers who are not directly involved in fighting the pandemic to add to their qualifications by getting new training and additional certifications. Are heating and cooling systems working and are filters being changed regularly? Are physical security systems operating and being monitored? Is equipment being maintained: cleaned, oiled, batteries checked and replaced or recharged? Don’t forget to start and move vehicles from time to time to ensure that they will be operational when needed. Also, regular servicing of fire and smoke alarms, sprinkler systems, security systems, and the like needs to be maintained. These and many other aspects must be considered and acted upon. Envisioning various scenarios and coming up with checklists will be helpful.

Don’t forget to check your contracts with vendors, full-time and part-time employees, contractors, and the like, to see how the current situation is covered. And also check your business continuance and cyber insurance policies to determine your coverage in the case of a pandemic, and how you might be protected in the event of a cyberattack.[iii]

From the security perspective, both cyber and physical security have to be managed. Make sure that maintenance and support contracts are kept in place and that any necessary servicing is done. Software needs to be checked and updated, security and functional patches applied, and identity and access management (IAM) systems kept up to date. The latter is particularly important as there will likely have been many changes in staff and their roles as a result of winding down and outright closings. As disgusting as it sounds, cyberattacks and hacking have increased significantly during this period of high vulnerability, so information security professionals need to be particularly alert to such attacks and strengthen their defenses, monitoring and responses.

Not only do planners have to ensure that they can recover from the shutdowns and reconstruct what has been lost, they need to check that suppliers and customers are also getting prepared to restart when the time comes. There is much that can be done to facilitate recovery and learn from the experience to make supply chains more secure, resilient and dependable going forward.[iv][v]

Planning for recovery from catastrophes, and for the repair necessary to get back up and running, is generally aimed more at physical destruction from the likes of hurricanes, tornadoes, and floods.[vi] Many of the same tasks are applicable to the current situation. However, the complexity of restoring those parts of the economy most affected by the pandemic is much greater than anyone thought necessary. Consequently, “getting back to normal” will be such an enormous project that whatever can be achieved in planning and preparing for this transition ahead of time will be very worthwhile. If you have employees with available time, or if you need to employ third parties to put together such a plan, they should be directed to think through what will be needed and how to accomplish those tasks. It will likely turn out to have been a very sound investment.


[i] CBSNewYork, “Coronavirus update: Nassau County continuing to lay groundwork for small business recovery,” April 2, 2020. Available at https://newyork.cbslocal.com/2020/04/02/coronavirus-nassau-county-long-island-economic-recovery-small-business-laura-curran/

[ii] A. Fifield, “As Wuhan reopens, China revs engine to move past coronavirus. But it’s stuck in second gear,” The Washington Post, March 31, 2020.

[iii] C.W. Axelrod, “Using contracts to reduce cybersecurity risks,” CrossTalk Magazine, July/August 2017.

[iv] J.B. Rice, Jr., “Prepare your supply chain for coronavirus,” Harvard Business Review, February 27, 2020. Available at https://hbr.org/2020/02/prepare-your-supply-chain-for-coronavirus

[v] J. Goodchild, “Supply chain security amid coronavirus fallout,” Security Boulevard, March 17, 2020. Available at https://securityboulevard.com/2020/03/supply-chain-security-coronavirus-fallout/

[vi] C.W. Axelrod, “Systems and communications security during recovery and repair,” Appendix F in Hospital Preparation for Bioterror: A Medical and Biomedical Systems Approach, edited by Joseph H. McIsaacs III, Academic Press, 2006.


*** This is a Security Bloggers Network syndicated blog from BlogInfoSec.com authored by C. Warren Axelrod. Read the original post at: https://www.bloginfosec.com/2020/04/20/security-risks-during-recovery-and-repair/?utm_source=rss&utm_medium=rss&utm_campaign=security-risks-during-recovery-and-repair