Business Continuity in the Age of Novel Coronavirus

The COVID-19 global pandemic is causing a tremendous amount of worry, stress, and anxiety for employees as well as businesses. Life struggles to go on as millions of people are ordered to stay in their homes, and in the midst of the pandemic, organizations must try to continue operations and execute on a business continuity plan that no one planned for. Depending on how life resumes - whether it returns to normal or achieves a “new normal”—it’ll be thanks, in part, to business continuity planning.

I caught up with business continuity expert Ross Jackson, Mimecast’s VP, Organizational Resilience, to find out how resilient the world economy has proven so far in the midst of this unparalleled health crisis. Here are edited excerpts:

MA: From a business continuity perspective, the novel coronavirus pandemic seems so novel that I have to wonder whether any organization’s business continuity plan was prepared for this. Would an organization’s business continuity plan contemplate such an event? 

RJ: I would think probably only 15-20%, roughly, broken down between two very different kinds of organizations. First, very large organizations that have mature incident response and business continuity teams should have been thinking about infectious diseases. Not necessarily to this magnitude, but what if the measles or a localized flu outbreak took out a particular team within a region? That should be part of their planning. These plans should have answers for ‘How do we job share? How do we make sure we’ve got cover?’ ‘What are the remote working issues?’ Not many businesses will have gone to ‘What are we doing at a global scale?’ But you’d expect to see some sort of infectious disease thinking at the team level.

Second are new-world SaaS businesses. Smaller-size SaaS businesses are used to providing services virtually and remotely, which naturally leads to a generally higher-resilience perspective. They’re likely to at least have thought about infectious disease planning, thinking through what would happen if ‘my team X’ was temporarily incapacitated or quarantined.

MA: What are the characteristics of those organizations’ business continuity plans that set them apart and help keep the business running?

RJ: Most companies, of course, won’t talk about the details of their business continuity plans publicly, especially the bits that didn’t eventually work out. But for the most part, people are doing relatively the same thing—there is a fair amount of information and guidance on the coronavirus/COVID-19 from trusted sources like the World Health Organization or the CDC [US Centers for Disease Control and Prevention] The Johns Hopkins coronavirus tracking website is obviously being bombarded by everybody, and Worldometer’s similar site is a very useful one for digging deeper of the impact at the regional level.

Business continuity and incident response teams are looking at those sites to understand the potential impacts on their business operations, especially employee health risks. You’ve got to focus on your duty of care and concern for employees, from a humane perspective, of course, but also from a business continuity perspective because it’s more important than the technology. An effective business continuity encompasses backup, overflow and repetitive technology solutions. If video conferencing solution is mission critical and it is fails to operate as normal, you’d have one or more other video conferencing or collaboration solutions at the ready.  If your entire engineering or customer support team is unavailable because they’re sick, that’s a much bigger issue as there is not a backup engineering or customer support team.  Protecting employees become paramount. 

Then, and I can’t emphasize this enough, communication is key, as ever. There’s so much anxiety created as a consequence of the volume of news and the unknown, it’s rightly scaring people. There are too many information sources, some of which are unreliable, and lots of people are sharing rumor-mill stuff. Organizations need to stay in front of that, first with frequent and consistent corporate messaging and second by pointing their employees to good, official sources—not necessarily trying to be the source for their health advice but helping them find the official source. Company messaging is particularly important, meaning consistent and transparent messages coming from one source that points employees to one place, like an intranet page, that tells them, ‘This is what we’re doing, this is how we’re handling it, this is what you can tell your customers or message to your staff.’ The business continuity team might be used to dealing with the high pressure of things going wrong and picking up the pieces again, but everybody else is actually trying to work out how to do their day job in a new environment, while worrying about what’s happening with their kids or what’s happening with their elderly parents. Just keeping that flow of communications up helps empower a level of trust.

MA: What about midsize and smaller companies? How are they holding up in this crisis and what is enabling them to hold up if they are?

RJ: First, like larger companies, they’re following the health guidelines from WHO and CDC and their regional governments to do what they can to protect their employees’ health. After that, it’s all about the shift to remote work. For a typical midsize customer of Mimecast, business continuity probably means having to work through the challenges of who actually is critical, who needs to be in the office. They’re trying to segregate their employees into ‘mission critical can work remotely’ versus ‘mission critical can’t.’ That’s the focus for smaller businesses: Figuring out those people who have got to still have access to the physical office, for whatever reason, and those who do not, and focusing on the right infrastructure and security for remote working if needed.

MA: In what ways have you seen bad actors trying to take advantage of the coronavirus to drive exploits?

RJ: We’re seeing malware campaigns, we’re seeing phony solutions to the virus, we’re seeing straight redirects, we’re seeing domain takeovers. There’s quite a lot going on. Attackers are preying on people’s fears, nerves, and desire to see the latest news. [For more, read “Beware of Fast-Evolving Coronavirus Email Phishing Attacks.”]

MA: What novel issues does this massive and extended remote working situation create for security professionals? How do they need to think differently about ensuring the integrity of company networks?

RJ: Local security is a big challenge. While many people work from home one day here or there, or one or two days a week, we’re now asking people who are normally five days in the office to work from home every day. We don’t know the security of their WiFi, or if they even use WPA2. If so, is it a strong password? Who have they shared their password with, their friends and neighbors? And then there are issues like leaving your laptop unlocked and even something as simple as confidential information that your housemate shouldn’t see; and then you’ve got the little fingers of kids at home with schools shutting. There are a whole host of new security issues coming from all this remote work.

MA: Are corporate networks prepared for their entire employee base to ‘VPN in’ from home?

RJ: Some organizations may not have enough VPN user licenses, but that’s mitigated by a couple of factors. Within a typical organization, there will be a lot of people using purely online products, like video conferencing tools and online ERP or CRM solutions like Salesforce, HubSpot, or NetSuite. You don’t need to be on VPNs for 9 out of 10 applications, you just go out and surf the internet and it’s there. So you’re not putting any additional strain on your office environment or your office hardware or the VPN device.

Where you need to get to internal drives or apps, that’s when you’re going to have to VPN back in to a piece of kit. Generally, it’s a firewall that is the VPN terminator, and you have to have a number of licenses for it. But there are a couple of providers, and I believe more will follow suit, that are allowing organizations to automatically burst to a higher level than they’re paying for. Say you’re a 1,000-seat organization with 200 VPN licenses. SonicWALL, for example, have said, ‘Don’t worry, we’ll let you burst higher than that.’ So if there is that sudden increase because everyone is working from home and needs to get to a shared hard drive, they’re actually able to still carry on working.

MA: So basically, the technology industry is coming together to support everyone’s business continuity?

RJ: Yeah. We’re seeing a real sense of, ‘We’re aware of what’s going on, we know what you’re going through and we’re going to try to work with you.’ You see it in that burst ability for the VPN license. Or the understanding that you’re going to get reporting slower because people are more worried about making sure your core functionality is up. There's an understanding that everybody is being stretched one way or another, and not to expect necessarily those nice things around the edges. Let’s focus on the core.

MA: What about the world’s network bandwidth? How is that holding up with the entire developed world transitioning to remote work in the last two weeks?

RJ: The big ISPs have come out and said yeah, we’re good, we can cope, we’ve got enough capacity here. But coming soon, we’re going to start to see some strains in some smaller providers. As we have more and more people offsite, ISPs are may to have to start throttling bandwidth. We’re going to start to see issues where your video calls are going to be a little bit choppier because suddenly your entire street is trying to do a video call at the same time. We have already seen YouTube and Netflix reduce the streaming quality in Europe to help reduce bandwidth use.

MA: Aside from the 15-20% of organizations that are very mature from a business continuity perspective, does the rest of the business world need to rethink business continuity following COVID-19?

RJ: I think they naturally will. They’re all playing catch up, now, so COVID-19 pandemic will help raise the visibility of business continuity issues. The people on your IT team that have been hankering after that high-availability firewall or that secondary server, they might suddenly get a bit more budget. Till now, they’ve been wondering, ‘How much do I want to buy the insurance versus I’m never going to use it.’ This event shines a light right on that spot, and I think budgets might get opened a bit, people might start thinking about actually tabletopping or running a full simulation against some of those scenarios that they now have envisaged.

MA: What if we’re talking five or six months before people can return to their offices, how does that change the way organizations think about business continuity?

RJ: I don’t know whether it will be five or six months, human nature gets in the way before then, but six to eight weeks is one potential scenario, and you’re absolutely right that nobody really planned for even six weeks of remote working. All those plans have been much smaller scale, like a week or 10 days, like with a severe weather issue. If office ‘X’ is unavailable through terrorist attack or gas failures or whatever it might be, the assumption would be to move off to a managed office where you can just find another office. Obviously with this scenario we cannot do that.

So, there will need to be a lot of reworking of the plans, going back to the point of it being an extension of the infectious disease plan, where you’re looking at a team level or a department level business continuity challenge, and then scaling that up to a city-wide, country-wide, state-wide scenario. A lot of business continuity plans will have to be re-worked and re-worked as we go through this extended public health crisis.

MA: Right. What important issue haven’t we touched on yet?

RJ: I think the only other thing from an organizational perspective is just making sure that you have a cross-functional group looking at all this with you. Don’t sit there with just a straight business continuity team, make sure you’ve got people from departments that aren’t used to working from home, so whether it’s finance or facilities or a customer-facing team, making sure you’ve got their cross-functional representation so you’re thinking about the business as a whole, not just your usual business continuity crew. But otherwise, we’ve touched on the key business continuity topics people need to know.