
Forget the tabletop, we have an actual exercise for BCP!

Apr 22, 2020

By Scott Dickinson, CISSP, CCSP

Work-From-Home

First, a disclaimer. This piece is not about political beliefs or about whether the right or wrong decisions were made at the right time during the COVID-19 crisis. This COVID-19 event is happening to us, so what can we do about it? We can document our activities and use the event as an actual exercise for BCP/COOP/DR. I will be using some examples from colleagues, as well as some of my personal experiences mixed in, so please don’t assume I am speaking for any one organization.

During this time of COVID-19 social distancing and working from home, many individuals, businesses and organizations are struggling with the sudden imposition of remote work and the ramifications of not being prepared for a mass remote work transition. Consider a rapidly changing situation: a declared pandemic, an outbreak of infections, and a lot of uncertainty, with wildly varying projections of deaths and infections. Then schools and other businesses closed, and employees were forced into an uncertain situation of childcare and online schooling needs that weren’t there a week before. We were forced into social distancing, restricted from going to work with others or even going out to dinner with friends, and we had elderly relatives and vulnerable populations to think about.

So, let’s look at how we can turn these events into an actual exercise of our Business Continuity Plan (BCP), Continuity of Operations (COOP), or Disaster Recovery (DR) plans. To prepare these plans we usually run a tabletop exercise: a paper-based, theory-driven planning meeting in which people discuss what would happen if X, Y, or Z occurred and how the organization would respond. The purpose of the tabletop is to plan without damaging anything or causing disruption. We are now in the middle of an actual exercise, so we should use that to our advantage and use the experience to improve our future plans. With any true disruption you usually get no warning, or at least not enough to prepare, and that is exactly how the COVID-19 situation arrived. This is a real life-or-death event. If you are questioning why I am including DR plans in this article: when recovering from a disaster you occasionally need to work from remote locations, and this experience can help with those situations. For some businesses, this will truly be a disaster.

When people were suddenly told to either go home and work, if they could, or take personal leave, or go home without pay, it caused a sudden shift in the work paradigm. Businesses that were still operating were tasked with shifting to an 80-100% telework model. Some businesses were better prepared than others because they had already established telework policies, IT equipment and work expectations. Other businesses had only a select few employees who were authorized or even able to telework. Some businesses were totally unprepared to shift to a majority-telework environment. Many weren’t set up to telework at all, so the starting point is deciding who the essential employees really are, the ones required to keep the business functioning at bare minimum capacity. We should equip and train them first on how to telework effectively. I know many IT departments who had to scramble to equip people to work from home and some are still scrambling to get to 100% capacity.

Another problem arises in that not all work can be transferred from the workplace. I have worked in SCIFs and other areas where I know I couldn’t take my work home without getting a visit from the people in the black SUVs. We have to determine which business processes are “teleworkable” (the COVID-19 situation is even creating new words). There may be positions whose work just isn’t teleworkable, such as loading dock personnel. What does the organization do about those people? Some organizations had prepared for the evolution to a mobile workforce by transitioning their IT equipment from desktops to laptops or tablets/mobile devices, but many hadn’t. With the disruption of the supply chain, even if you place an emergency order for laptops, the supply chain may not be able to fulfill it for a while, and the pandemic may be over before you get your first shipment. HR departments are struggling with work-from-home agreements, telework policies, and other “whose responsibility is it if an employee trips over a power cord on the way to their home office?” type questions. The good thing about an emergency is that it quickly exposes how unprepared you were. Now that this event has happened, we have to look at the big three post-event questions: What worked, what didn’t, and how do we improve for the future?

What Worked

First, take a look at what did work in your environment and start documenting it. If you were not experienced at teleworking, was your staff able to come up with a solution or did you have to outsource that function? Did you have a limited group of employees who were already teleworking, and were you able to use their experience to deploy it to others? Was your telework setup able to scale up? Did you already have a good teleconferencing system or team collaboration tool? Do employees have good work-at-home environments, and are they aware enough to avoid situations where other people in their homes can see, hear, or view work items they shouldn’t? Do employees understand the security and privacy rules and expectations well enough not to cause an incident?

What Didn’t Work

Next you have to look at what didn’t work. Was your workforce able to work from home? Was your VPN environment able to handle the increased usage? Were your network switches, routers, and firewalls able to handle the increased traffic? Were your employees just as secure working from home as they were at work? Were your policies up to date, and did they contain the correct information to protect the agency and the employees? Do your monitoring tools work as well on your remote employees as they do on your onsite employees? Did employees find creative ways around your security rules or restrictions? Did you have a Zoom incident? Did you have to send IT equipment home and then deal with the nightmare of trying to get it connected remotely? Or worse, have to send IT support to people’s homes to resolve it? I have heard many stories of how things didn’t go quite like they thought they might. Do not be ashamed if things didn’t go right; now is not the time for blame. Now is the time to document what failed so that you can improve it, not to point out how (insert name here) was unprepared to handle this. Remember, businesses and agencies exist to do business, not to run a blame game. Now is the time to add value, not noise.

If you were in an environment in which you couldn’t work from home, you have to see whether you can come up with some creative solutions to increase social distancing and protect the employees. Can you go to shift work and separate your employees into multiple shifts to increase social distancing? Does that create other problems like transit issues, parking, etc.? If shift work isn’t an option, can you stagger workdays mixed with leave, or give employees “busy work” to do while at home, such as training or policy review/rewrites? If none of that works, can you get some PPE to help protect your workers?

There are people who have questioned the ethical issues that can come up in a unique crisis like this. Some die-hard rule followers have suggested that giving employees “busy work” to perform while going through this crisis is wrong. I feel there needs to be some compassion during this crisis. We already know people are losing their jobs, and some of the people being forced home have jobs that really don’t transition well to work from home. It isn’t their fault. Some employees will struggle with IT issues if they must handle them themselves at home. Others may not even be equipped to work from home because they live in rural areas without adequate cell service or high-speed internet. Bandwidth issues can creep up with two parents working from home and their three kids trying to do school online. People have vulnerable persons to take care of. Then you have the fact that schools closed and suddenly parents are teachers, or at least are responsible for making sure the students have access to the online teachers. This particular crisis is causing us some real pain, and I feel there is no need to cause any more. After this is over, we can re-evaluate some business processes or positions, but now is the time to be compassionate, not inconsiderate.

What Can We Improve?

Here comes the value add. The next question to look at is: How can we make this better? Perhaps we can stop ordering desktops and move to mobile solutions such as laptops and tablets. Are there business processes that need to change? Are we prepared to do this again if this virus, or another one, returns in six months? I am sure that you will be able to look back and see lots of areas for improvement. Think creatively about solutions that may be better than what was done. Use this as an opportunity to advance ideas for improvement you may already have had. There is a saying that goes: “Never let a good crisis go to waste.” In this case, use this COVID-19 event to make improvements for the future. I know businesses that have adopted Microsoft Teams and found it to be a very helpful team collaboration tool. Even though we are social distancing now, collaborate with your peers after this event and find out what they experienced. We will all need some coming-together time afterward, and this is a great time to reach out and go forward together.

The good news? You just went through a BCP/COOP/DR event! Tabletop exercises are great for their purpose, but real life doesn’t always follow tabletop plans so neatly. There are always unexpected twists and turns in real-life scenarios that you didn’t plan for or couldn’t have expected at the time. Document it well and you will have met the requirement to test your BCP/COOP/DR plans for this year. This is a perfect real-life event that is not based on hypotheticals. It happened. Some things worked, others didn’t. Now is the time to document it and update your plans. Talk to all the business units in your organization and hear from them what worked, what didn’t, and what they need for the future. Use these findings to develop after-action reports and suggestions for future improvements. I mean, who plans for 100% telework? You will now, hopefully. Maybe you will never need it, but at least you will be ready. I imagine you will have to review your security and privacy policies after this and ensure, to the best of your ability, that any work-related material that found its way onto non-work IT assets is removed. If paper products were carried home, did they make it back or were they properly destroyed?

The future is heading toward mobile workforces and cloud environments. This real-life exercise should have helped propel you toward those realities and shown you the enhancements you can make now to prepare for them. It will have given you and your company’s leadership many things to think about and work out. It can be a real growth experience, if you let it. At the very least you can check off that you tested your BCP/COOP/DR plans…