Business Continuity – Staying Healthy, Informed, Calm & Productive in a Pandemic

If you clicked on this out of mild curiosity but with a healthy bit of scepticism, or because it’s the first time you’ve read ‘Pandemic’ & ‘Business Continuity’ in the same article, you’re come to the right place for a measured approach to keeping your company, community or organisation running during a pandemic..   

Some context: Over the past 20 years in IT Risk and Cyber security we have seen many operational level events that have impacted the way international and domestic businesses function. Y2K, 9/11, 7/7, 11/4, Boxing Day Tsunami, SARS, MERS, Measles, Cholera, HIV…

Indeed, every year there are multiple viral influenza (flu) outbreaks that impact business. Country and regional models exist that clearly show the impact upon business and country gross domestic product (GDP) based on the World Health Organisation (WHO) estimate of “3–5 million cases of severe influenza illness occur every year resulting in 250,000-500,000 deaths worldwide…”.

There are many good analogies between computer viruses and Pandemic challenges. There are thousands of new computer virus every day.  And just like human viruses, most are not problematic and there are some simple steps to take to avoid infection. Thinking about risk; more people die in car crashes or while crossing the street every day than die because of the common cold. Where is the most dangerous place where most people die? The household bed. So chances are, by reading this you have already cheated death by getting up (assuming you’re not reading this in bed)…

So what can we learn about dealing with Pandemics? A lot can be achieved by asking simple, reasonable questions of your company, community or organisation:

People questions

  • All pandemics are personal; infection happens on a person to person basis, remember to look around you when you use public transportation and are in public spaces.  Arm yourself with the best information. Digital Literacy is your best friend! Know your local health authorities public communication methods and sign up for local alerts. Check in with the WHO website directly. Local news stories are just repackaged facts from authorities with added local colour. By reading from the primary sources you can stay ahead of the local news by a few hours.
  • DO NOT spread information seen on social media. Remember we live in a time where Social Media is not an arbiter of truth. Think about your personal choices. A basic level of preparedness will go a long way and set you above the 80% of the population that takes too few actions too late. Take a look at the peak times of public transport and try move to an off peak time. Remind yourself to use hand sanitisers and limit person to person contact no matter how much you like hugs or cheek to cheek kissing. Have a personal call list, set your emergency contact details on your mobile phones lock screen to help medical professionals trying to assist you and reminder to ask yourself how you are feeling today before you go in to work.  It is always amazing just how many people think that it’s a good idea to come into an office with a common cold or flu, to prove how tough they are. When there’s a dangerous pandemic in progress, that ups the level of risk for everyone.   
  • Example: After I participated in an office Cholera outbreak mitigation plan, we found that Personally Identifiable Information (PII) data such as that collected by every smart phone and smart car will greatly help investigators as they try to track back your movements and interactions with other likely infected people. Exemptions for “health and safety reasons” exist in laws for the public good in  most jurisdictions. My advice is to be cooperative with medical professionals when asked for such data. Sitting in a police station demanding to know how your PII will be treated in accordance with GDPR may mean you are not getting the early treatment you need.   

Organisation questions:

  • So you have made it in to work with all the coughing sneezing and wheezing people around you and you feel healthy and well, what next? Find out if you company has a Pandemic plan. Many companies bought off-the-shelf plans in the early part of the 2000s. Whom to ask? Human Resources (HR) is a good place to start and your local IT support staff, if you have them. HR will know such things if there is a stash of hand sanitiser  and or masks around (financial DOA to buy more) and the local IT support staff will have knowledge (technical DOA to deliver) if there are plans in place to support a higher number of remote workers or distributed IT resources during a Business Continuity event. You should be able to see some changes already from your company’s Pandemic planning. Have you been offered a yearly Flu shot? Did you get yours? You are still many more times likely to get seasonalFlu this year than the latest Covid variant. It is best not to have to go into a hospital where many people will be already sick if you can avoid becoming sick in the first place.
  • What do to do if you are not seeing or experiencing any change in local office behaviour. First, realise, most Pandemic plans have trigger levels of worker absenteeism, that set plans into actions. So you many not have seen any change while actions are in place ready to be carried out. It can be helpful to ask about how often are the offices cleaned? What is cleaned and how is it cleaned? Has anyone checked with the cleaning staff about the quality of disinfectant or the amount they are using daily? Does the company provide hospital quality cleaning products to the cleaning staff (can help in measuring how much is used per cleaning).
  • Example: n a previous outbreak, it was discovered that the outsourced office cleaning service was reduced to cleaning every Wednesday and there happened to be a bank holiday on the coinciding Wednesday, which meant given a weekends in between, the office went two-weeks with out being cleaned. It would not have been such a problem, but the amount of disinfectant  in the outsourced cleaning services’s spray bottles was non-existent, it was water just smudging the bacteria and viruses around on desks, keyboards and monitors thus creating more opportunity to grow and spread.

Process questions

  • What to do when you are feeling sick, better yet, before you feel sick. Ask your HR and management what should be the communication protocol ? Best advice is always stay home as to not infect others and get well soon. Important to know that most viruses have some time where they are contagious but not showing signs of symptoms. What will be key to know is your work schedule from the prior few days. Who did you meet with, what coffee machine and nearest bathroom you often used, data and time in the office and method of travel to and from.
  • What to do if you have a “key role” in the business? Can you train someone else in a reasonable time frame and to a reasonable level of proficiency to carry out the same tasks? Has the tasks been documented to a reasonable level where someone of average intelligence could follow step by step instructions? Has any such documentation been recently updated to taken into account for recent screen shots and software version numbers. Remember, it does not take a Pandemic for panic to set in within a company’s workforce.  See what happens in most companies when pay roll is delayed for a few days. The experience is one that not soon will be forgotten. Many times resources are hoarded by will meaning groups. However, in emergency situations, resources can go to waste if not properly distributed. If there is IT waiting to be distributed to the workforce or additional remote work tokens then distribute it before the Continuity event impacts your IT staff’s ability to get the most out of it.
  • Remember even the best planning cannot migrate the randomness of who will be impacted in any event. In many situations where a hiker is found dead due to dehydration, hikers are often found to have water on them that they did not consume before becoming seriously debilitated.

Technology questions

  • So you got your flu shot, the company distributed its IT hardware and software ahead of the Business Continuity event and they have sent you home to work in a bubble until the event passes. What can you expect? Well the coffee line at your home coffee machine will hopefully be shorter, but think of all the other people in your local area doing the same thing. After reviewing and contributing to many Business Continuity Management Plans, I find that most companies take the approach that it is some sort of silver bullet to send staff to work from home.  The truth is that there is just not a lot of additional bandwidth setting out in our neighbourhoods waiting to be enabled.
  • Todays wired networks are over loaded and out dated. Telecom Companies have willingly accepted having millions of outdated pieces of hardware in their networks and needing multiple hundreds of millions of dollars to replace such outdated and unsupported network components. Few national regulators have cared to investigate such issues and despite recent outages, knowing full well the investments needed and the existents of operational problems. In the wireless space it is even worse and less transparent. You might have a contract with a virtual network mobile operator (VNMO) that literally operates nothing in the communications space, only owns a billing system (buying minutes from other operator providers who own communications infrastructure). The hard truth will be that free of charge shared internet services, without any Service Level Agreements (SLAs), will be the first to fail. As we have seen in the past, operators will remove infrastructure from one place to another with little or no notification. Many times complying with governmental mandate to restrict operations. Where a company has SLA defined services expect that it will be slower than normal. Recent network bursting technologies means that already over subscribed lines (willing operated and sold 5 to 10 times over subscribed) will become overly saturated.
  • Video and Voice application will be the first to suffer quality-wise to the point of becoming unusable. Sadly, many people have become used to data centric applications like WhatsApp, Messages and Facebook messenger, that if you ask them did they send an “SMS” text message they don’t know the difference between messaging services types.    

Every Pandemic has come and gone in the past with little lasting impact upon we billions of humans. The most important things to know about Business Continuity events is: Stay Healthy, Stay Calm, Stay Informed and Stay Productive. If we rely upon our previous experiences balancing People, Organisation, Processes and Technologies we will continue to learn from these events and contribute to making our Pandemic plans better for the future.   

About the author:

Jeff Schiemann has over 20 years experience in Cyber Security and Information Communication Technologies (ICT) Infrastructure for a global communication provider with over 100,000 employees and in over 160 countries world wide.  As Director of Security, Compliance & Enterprise Risk, he has tested the impact of new technologies with business units, liaised with regulators during continuity events, and helped customers to create better security infrastructure after being hit by cyber attacks.