March 20 - COVID-19 PIG update

Here's today's update to my COVID-19 information risk Probability Impact Graphic:


I've slightly shifted and revised the wording of some of the risks but there's nothing really new (as far as I know anyway). 

Reports of panic buying from the UK and US are concerning, given the possible escalation to social disorder and looting … but hopefully sanity will soon return, aided by the authorities promoting “social distancing” and “self-isolation”. Meanwhile, I hope those of you responsible for physically securing corporate premises have appropriate security arrangements in place. Remotely monitored alarms and CCTV are all very well, but what if the guards that would be expected to do their rounds and respond to an incident are off sick or isolated at home? Do you have contingency arrangements for physical security?

‘Sanity’ is a fragile condition: there is clearly a lot of anxiety, stress and tension around, due to the sudden social changes, fear about the infectious disease etc., which is my rationale for including ‘mental health issues’ in the middle of the PIG. There is some genuinely good news in the medical world concerning progress on coronavirus testing, antiviral drugs and vaccines, although it’s hard to spot among the large volume of dubious information and rumours sloshing around on social media (another information risk on the PIG). 

There’s even some good news for infosec pro’s. COVID-19 is a golden opportunity for those of us with an interest in security awareness and business continuity. Essentially, we are in the midst of a dramatic case study. I encourage you to think about the information risk and security aspects of this, and perhaps make little notes as reminders of the lessons to be learnt when the storm blows over. 

Here's one of mine. Toilet roll shortages are a handy leading indicator of panic buying and perhaps more substantial physical security threats ahead i.e. a predictive physical security metric. 

For some reason buried deep in the human psyche, a perceived shortage of toilet rolls and other “essentials” precedes, perhaps even triggers the cascading social disorder that we are now experiencing … so this is a gentle reminder to maintain stocks of “essentials” even in good times. Here in NZ, we are urged to maintain our earthquake kits ready for major incidents that can happen without warning. Having a sensible stock of toilet rolls, water, pasta, soup, soap etc. in the kit reduces the pressure to join the plague of locusts clearing the supermarket shelves, and frees us up for other things – not least, being able to think straight and focus on what matters: helping ourselves, our families, friends and colleagues get through this. 

I'm doing my best to maintain a sense of perspective, keeping a balanced, level-headed view of what's going on and spreading what I hope is sensible and helpful information right here.

Yet more good news: so far, the IT and comms services have held up quite well through the crisis, aside from the odd collaborative working wobble … although those ‘increased cyber risks working from home’ shown on the PIG remain a concern. I expect there will be incidents involving malware, hacking and social engineering due to weaknesses in the preventive controls, while incident detection and recovery may also be challenging. In your organization, are you on top of all of this? Do you have reliable VPNs, network security monitoring, antivirus controls, patching and backups all sewn-up for your off-site workforce using corporate kit or BYOD? Do you have the appropriate policies and procedures in place, including incident responses? What about the IT workers we rely upon to keep everything running smoothly: how are they bearing up under the strain?