Like probably everyone on the planet, I haven’t been able to concentrate much this week. Coronavirus leaves us with unease in our mind and a pit in our stomach. Still, I’ve been looking for whatever resources might be useful to help compliance and risk officers develop some type of response to this menace, and have another one to share.
The document is a white paper from Bell Canada, published in 2009 when people feared that H1N1 would be the pandemic that jolts the world. That curse never happened, but Covid-19 is here today. So what lessons can we dust off and learn?
(First thank you to Dan Swanson, audit and risk executive in Manitoba, who circulated this Bell Canada guidance on a list-serve he maintains about governance and risk.)
The scenario Bell Canada envisioned was a pandemic that forces corporations to send vast numbers of people to work from home. Because of poor planning and management, that migration overloads the company’s ICT (information and communications technology) systems in phases. First the help desk and voicemail degrade, then the Internet, then the telephone system.
By the end, all that chaos has led employees to abandon the corporate network in favor of whatever ad hoc solution they could cobble together over personal networks. That leaves the company’s information assets at risk, and everyone is at wits’ end anyway.
Bell Canada specifically explored resilience for the telecommunications sector, so some of its lessons aren’t that applicable to the larger world. Other lessons are now outdated, like quaint references to voicemail and the then-heretical idea that employees might use their own mobile devices on corporate networks.
Still, some other points stood out to me. I’ll quote each one and then offer a take.
1. Update financial authority and delegation – As ICT threats escalate, managers at all levels of the organization need to know what, if any, resources are available to procure remediation solutions. A general practice is to establish accounting centers and cost-codes for the charging of ad hoc and emergency spending related to any emergency response.
This one is useful on two levels. First, clarity about what resources managers can use to address immediate issues, with dedicated financial accounts to track emergency expenses — that’s a good idea unto itself.
But another implicit point above is that managers know what discretion they have to act quickly. I’ve written about that idea before, as part of the OODA Loop, John Boyd’s observe-orient-decide-act cycle from military strategy. The organizational version of that idea is about pushing decisions down to where the observing happens: senior executives set broad goals, while trusted junior executives have broad authority to act in pursuit of those goals as they see fit, without waiting for approval up the chain.
It’s organizational trust, which lets executives at every layer of the organization be more responsive to fast-changing conditions.
2. Develop fast-track procurement processes – Companies should develop a fast-track procurement policy in order to better manage emergency procurement of pandemic mitigation solutions (including ICT solutions). These procedures will support all future stages of ICT impacts associated with pandemic response and other forms of emergency response.
Another good idea on the practical level, but you know what? It’s also rooted in the same principles of organizational trust I mentioned in the last item. Fast-track procurement is about agility and responsiveness. Any company can allow fast-track procedures, but if you want executives who execute those procedures smartly, they need to understand the bigger interests and priorities of the organization. You in the C-suite also need to trust those executives when they act.
3. Establish application prioritization policy – Organizations can also conserve bandwidth by establishing policy-level controls for applications. For example, some applications and services use far more bandwidth than others. When using teleworkers, it is often possible to use alternative, lower-bandwidth substitutions for applications. Management also needs to establish policies about which heavy applications may be disabled during pandemic response, as well as access controls for remote workers.
This point is talking about how to ration resources (bandwidth on the telecom network) not just quickly, but automatically — by having those decisions baked into policy, so people don’t need to spend precious time debating resource allocation during the crisis.
So in this example, management doesn’t need to enact new policies against high-definition video for remote workers; it has already made that decision, and designed its operating controls to default remote workers to standard-definition video. People might not like that restriction, but think: far better to have it decided and known ahead of any pandemic than to start announcing resource rationing during the pandemic.
All of this implies that your company already has thought about pandemics, reached consensus about what’s important, and developed ensuing policies. I’m sure critical infrastructure businesses already have done this. Every other company should.
4. Establish public collaboration tools policies – To reduce risk, companies should develop and distribute a security policy that outlines the dos and don’ts of using public collaboration tools in advance of a pandemic.
“Public collaboration tools” refers to cloud-based applications such as Dropbox or Google Docs. Such tools are far more widely used today than when Bell Canada wrote this guidance in 2009, but the above is common-sense advice every company should already have in place: tell employees how they should and shouldn’t use these tools.
Bell Canada raised a few related points about collaboration tools which I’ll just rapid-fire here:
- Yes, you might have policies for your employees about handling important data via public collaboration software. You also need to remember that your business partners might have their own policies, too, which might not always align with yours, and that could create a security risk. So be clear in contracts and service-level agreements about how third parties can handle your data.
- You might be able to allow certain types of employees to use public collaboration tools without restriction, because they don’t handle confidential information. If you can grant those permissions pre-emptively, that’s one less issue to think about during the pandemic.
- Create your own private collaboration tools, or use such tools from preferred vendors. Honestly, companies have been doing this for years now, so this point is a bit of a throwback to the pre-cloud era in 2009. Still, it raises the issue of trusted collaboration tools, with security controls that meet your standards.