March 14 - COVID-19 information risk update

Further to yesterday's assessment of the information risks associated with the coronavirus pandemic and the discussion arising, here are a few more aspects.

An increased number of knowledge workers are now working from home, some of them for the first time. What equipment and services are they using? What are the information risks and security arrangements? Who knows? Larger organizations tend to have in place suitable policies plus structured, systematic approaches towards home and other off-site working, with controls such as management authorization, remote security management of end user devices (corporate or BYOD), VPNs, network security monitoring, network backups, automated patching, antivirus, etc. Hopefully they have all scaled easily to cope with the changing proportions of off-siters. Medium and especially small organizations, however, may be less well prepared ... and all of them are likely to be feeling the strain of changed working practices and social interaction. The managers, supervisors, network security pros and others who are meant to be keeping an eye on all this are also more likely to be working off-site, relying more on automation and on information delivered through the systems. 

That smells like a green or borderline amber information risk to me, redder for those ill-prepared SMEs maybe, or for larger organizations that for some reason were not on top of this already. Given that managers and execs generally have been working off-site for years, they really have no excuse for failing to identify, evaluate and treat the associated information risks. If they now deserve to be called to account, so be it. 

Which reminds me, another bit of good news is that organizations are running and hopefully proving the adequacy of their business continuity arrangements, including the resilience aspects of keeping the information flowing more or less normally. This is better than the normal business continuity exercise in that everyone is participating (like it or not!) ... but as to whether everyone is coping well, we shall see. Some supply chains/networks are clearly under stress (toilet rolls, for instance!), and others probably too. If they fail due to inadequate resilience, the consequences may ripple outwards, meaning that some organizations will also get to use and prove their contingency arrangements. 

There are some more green/amber information risks in there, judging largely by what we see today, i.e. nothing significantly amiss so far, no dramatic failures or industry collapses (except perhaps for the financial industry, a red risk already on the chart). 

Oh and there's more good news: most of the population now knows the basics of personal hygiene such as covering their sneezes and washing their hands. These aren't totally effective controls, but they are better than nothing [the scientist in my head made me say that]. Hopefully we will find that human behaviours have changed as a result of coronavirus, thanks to information about modes of transmission, with benefits for other infectious diseases. There are information risks in this area but nothing worth bringing up here and now. 

That's enough for today. It's Saturday morning here in NZ and I have Things To Do. Maybe over the weekend I'll update the PIG. Maybe not. 