March 18 - COVID-19 PIG update

I've updated the PIG showing information risks relating to COVID-19, originally published here five days ago: 


Two additional information risks now feature in the middle:

  • Mental health issues arising from the sudden widespread introduction of work-from-home, social distancing, cancellation of many leisure activities etc., on top of the stress of potentially being infected and becoming sick. Laid-off workers are basically cast adrift, placing them under immense personal stress at this difficult time because of the scale of COVID-19: they are unlikely to walk directly into their next contract or permanent role with some other organisation if everyone is in crisis. Remaining workers may have 'survivor guilt', and fear also being laid off - hardly conducive to productive working. It may increase 'insider threats'. Also, this risk may increase over time once we get beyond the honeymoon period as workers settle in to their more isolated workspaces, and face up to the realities of being largely self-directed.
  • I brought up the increased information risks associated with working-from-home four days ago. Scrambling to get workers set up for home working probably means corner-cutting here and there, for example making do with whatever comms and IT technology people already have, rather than the organisation providing suitable new equipment pre-configured for security and perhaps dedicated for work purposes. Another tech risk here relates to our suddenly increased reliance on comms and collaborative working tools: the Internet and cloud service providers so far seem to be coping quite well but things could change quickly - for example if they are hit by ransomware ... which in turn begs questions about their customers' readiness to cope with service issues and incidents.
I'll stress once again that IANAV and my assessment is focused on risks pertaining to information.

I'll have more to say about treating these information risks soon (still contemplating!). Meanwhile, there is quite a lot of advice already circulating on social media such as LinkedIn. We've seen outpourings of sympathy before following natural disasters, but the global real-time sharing of pragmatic advice on dealing with a health crisis in progress is unprecedented. See, it's not all bad news!
