COVID-19 and Enterprise Security's Response
What challenges has COVID-19 presented to enterprise security?
As of this writing in mid-April, more than 167,000 people have died worldwide of COVID-19, the flu-like disease caused by the new coronavirus, according to data from Johns Hopkins University. The United States had the highest confirmed death toll, with more than 35,000 fatalities.
During the COVID-19 crisis, enterprise security executives are busier than ever – standing up business continuity plans, enacting broader contingency plans, mitigating risks with employees working at home and more – all to keep businesses humming as the coronavirus outbreak has spread.
To date, what challenges has the coronavirus presented to enterprise security, especially as stay-at-home orders went into effect and most enterprise employees telecommuted? How did business continuity plans evolve as the crisis progressed? And what lessons have enterprise security learned to date?
Hospitals and medical centers, once considered “open” environments, closed their doors to everyone except patients, medical personnel and essential employees.
“Like virtually every hospital security department, COVID-19 has forced us to restrict access to our facilities,” says Eric Clay, Chief Security Officer, Public Safety and Security for CoxHealth. “We reduced the number of entries available to both the public and to our employees, ensuring that everyone receives adequate screening prior to entering. A major change such as this invariably results in confusion and frustration by some. Although non-security personnel are handling the screening, displaced due to department closures or low volumes, our security staff still round to check on these entry points and respond when there are issues. We are also spending time ensuring that everyone in our facilities displays a decal confirming that they have been screened. This includes contractors, vendors and delivery personnel.”
Clay’s security team has also spent time securing vacant offices and facilities. “While this is a task normally provided by security, the volumes are higher due to some facilities being closed,” he says. “Our hospitals also established alternative care sites, outside of the main hospitals, which contained expensive medical equipment. Although we were able to partly secure it with video surveillance, we still have to physically round on them.”
Critical supplies also need to be monitored. “We spent more time rounding on our docks and areas where supplies are stored. Items such as N95 masks, protective gowns, hand sanitizer, disinfectant and toilet paper can quickly become in short supply, which makes them very valuable,” he says.
Jeff Hauk, Director, Public Safety and Police Authority Services for Memorial Healthcare, has adapted the work that his security staff does, as well. “Our overall protective approach has moved from an ‘open’ facility to a ‘restricted-closed’ facility, which required a significant change in operations for our uniformed staff to move towards static checkpoints, rather than more fluid and random patrols,” he says. “We shifted towards implementation of virtual patrols and welfare checks of staff and their environments.”
“Because this is a marathon and not a sprint, we continually review the staff schedule to ensure that we are incorporating appropriate rest cycles and staff rotations to prevent fatigue or burnout,” Hauk adds. “We have continued to honor and approve time off for staff, and we went back after the initial emergency call-out and reduced or eliminated shift times, where appropriate.”
One tool that Hauk finds useful is to take time to huddle up throughout the day. “In any crisis, clear communication and information are always critical, but particularly key during a crisis,” he shares. “One approach that has proven valuable for us, especially with the cancellation of mass staff meetings, has been pre-shift and post-shift briefing huddles. These briefing huddles have given us the opportunity with our small teams to meet safely face-to-face, pass on information, ensure staff understand the information presented, answer any questions, be fluid in changing tactics, proactive in monitoring morale, and as leadership gives us the opportunity to, most importantly, thank and hopefully inspire our staff.”
Even though most students have not been on college or K-12 campuses since mid-March, security has increased responsibilities, says Eileen W. Behr, Vice President; Chief of Police, Department of Public Safety for Drexel University. “Security has become more a task of protecting buildings and assets rather than safety, security and service for students and the campus community,” Behr shares. “For the police officers, we have changed methods for receiving complaints and arrests. We now accept complaints by phone and email with a phone call review after filing. In-custody arrests are few and must be approved by Command. Offenders are interviewed, fingerprinted on the street and reports are filed and warrants are issued, rather than immediate custody. Preparing for duty has changed – officers have cleaning products for the vehicles, officers clean their vehicle before start of duty and are recommended to clean the vehicle interior during the day and at the end of their tour.”
“I’ve had some people ask what we do with all of this free time now that the students and faculty have largely departed,” adds Duane J. Lovello, Director of Security for Yale University. “The opposite has occurred. When the decision was made to have students not return to campus, Yale was on scheduled spring break. Students who were unable to return left behind dorm rooms full of personal belongings. Work had to be scheduled for all dorm rooms to be emptied, packed up and cleaned. Additional Public Safety staff had to be scheduled to monitor those activities. The Yale Medical School campus, and all of its related research facilities, remained largely operational with some new staggered shifts being introduced, so employees and staff were now working well into the evening – again placing additional demands on security. The interconnectivity of the Yale Medical School buildings to the adjacent 1,541 bed Yale New Haven Hospital via mechanical, freight and pedestrian tunnels and bridges led to additional demands on security as stricter visitor protocols were implemented at the hospital. Simultaneously, Yale healthcare facilities on campus instituted increased security and entry screening, which also required additional security staff.”
Once stay-at-home orders were issued for “non-essential” employees, many enterprises rushed to implement telecommute policies.
United Therapeutics was ready. “We are a global healthcare enterprise, as well as a part of the critical infrastructure of the U.S.,” says Mike Wanik, Senior Director, Corporate Security. “To ensure our patients can receive the treatments they need, we’ve maintained a footprint of essential personnel to continue our core healthcare operations. We adjusted operations in such a way as to be able to honor government mandates that wish less people in a workplace by having certain job functions work remotely. We have robust programs to ensure the continuity of our operations with a myriad of approaches.”
According to Wanik, challenges in this area were non-existent. “Our great technology allows us to operate transparently, and our bandwidth is more than adequate for the operations. We executed on both our pandemic and continuity plans,” he shares. “The challenge is really for our people to get used to their home environments – to have a routine; to honor our business processes for what turned into weeks instead of days. I’m also educating them about security and privacy as it comes to paper and conversations as appropriate.”
“We were prepared digitally to support a remote work platform,” adds Steve Antoine, Director, Global Assets Protection for Yum! Brands. “As a global organization with many employees who work while on the road or in the field, we were prepared digitally to support a remote work platform. An unforeseen challenge is the dynamic that school and childcare closures have presented regarding balance, pacing and sequencing. However, in our people-first organization in which work-life balance is a priority, we’ve embraced a new normal that may include a shift in work hours, children on conference calls, non-human co-workers in the background and more. Grace and empathy are at an all-time high, which is refreshing considering the challenge of being more digitally dependent. Our people’s ability to learn real-time lessons and execute quickly has become a competitive advantage.”
GoDaddy recognized the global impacts of COVID-19 and convened its crisis management team early, says Jason Veiock, Director, Workplace Experience, Security & Resilience. “Based on that early engagement, we aggressively pursued work-from-home, including our call center employees. From a traditional physical standpoint, it has actually reduced our surface area for attack, but has increased the exposure for information security issues, including fraud, data loss and social engineering. Our team has started to look forward and tackle the challenge of bringing people back to our facilities on the back end of the crisis. What are the data points we use to identify if it is safe to bring people back? What are the business priorities in terms of essential services and locations? What are the compensating controls to mitigate the threat of infection when we bring people back to our facilities?”
Matthew D. Hollandsworth, Director, Corporate Security, Facilities & Safety for American Systems, says, “We have had to learn how to work in a more effective manner. This has driven the need to increase our communication using video conferencing, texting, phone calls and other means. The security team has also taken the lead to ensure we are compliant in each state with stay-at-home orders. Since we are in the Defense Industrial Base, we are considered critical by DHS. Each state has its own unique requirements, however, most are relatively the same. The only exception we’ve found at this time is Maryland, where we had to issue individual letters, with the employee’s name and address, to each one that lives and/or works in Maryland.”
At Bridgestone Americas, corporate employees throughout the Americas, except for those whose business-critical roles prevent it, are working from home, says Margaret J. Levine, Vice President, Corporate Security. “Some of our front-line operations are considered essential services, and they remain open. Having a plant and sales office in China enabled us to anticipate challenges and prepare early for the virus’ impact in the Americas,” she adds. “We planned for a demand surge on our IT network, reviewed all business continuity plans to ensure critical processes could be executed remotely, and tested our crisis communications tool. Now, the work-from-home challenges are less operational and more about helping employees feel connected and engaged with one another and the company.”
“We implemented a mandatory work-from-home policy globally for our workforce for those who can do their jobs from home, as well as restrictions on business travel, visitor access, workplace and in-person meetings,” shares Amy Lyons, Vice President Corporate Security and CSO for Bristol-Myers Squibb Company. “Direction from local health and government authorities on this matter takes precedence in certain markets. This has required new ways of working and has increased the use of technical capabilities and creative solutions to enable business to continue. The reported increase in cyber-related attacks has required an increase in awareness raising. In taking these actions, our priorities are to ensure the well-being of our colleagues and communities while continuing to deliver the medicines our patients need.”
Yet, not every employee can work remotely. David Fortino, head of Crisis Management Services for the Pratt & Whitney Global Security Team, says, “Many aspects of our company cannot be done remotely due to the manufacturing process or security requirements. Those that can work remotely have been empowered to do so across the globe. This led to process changes allowing employees to access all the tools and information they need to effectively work from home, while still ensuring the security of our systems and data.”
Was enterprise security prepared for the coronavirus pandemic? Some could ask: how could you be prepared for such an event that continues to wreak havoc on people’s health and safety, the country’s infrastructure and the global economy?
Lovello says, “Yale has a depth of talent coupled to an enormous institutional capacity that afforded an ability to pivot effectively to meet this crisis. There were certainly disconnects in operational logistics initially – as there are during any crisis – that were overcome through open lines of communication between key stakeholders and units. I would certainly envision adjustments to business continuity plans given that we now have gained, in the most unfortunate way, real-life experience in exercising parts of the plan.”
“One benefit that has occurred though, is a much better understanding of the roles played by each of Yale’s business units,” he adds. “Teleconferences occurring several times throughout each day caused many of us to cast aside incorrect assumptions as we began deeper dives into the nuts and bolts of daily operations that normally would be of no concern to those external to those units. Long standing siloes largely disappeared as hindrances to mission success. Now, there became a mutual reliance to ensure things got done seamlessly. I found myself having new respect for many individuals I often see, albeit without the stresses and tensions seen during a crisis, as we all navigated through some very stormy seas. Relationships that up to that point had been typical of any professional, working relationship grew into much more developed appreciation of professional competence coupled to better familiarity. These enhanced relationships will pay dividends far into the future.”
“We were well prepared,” adds Clay. “While COVID-19 is new, CoxHealth has regularly tested processes and plans to respond to situations involving infectious diseases. Our CEO was instrumental, not only in ensuring we had adequate measures in place to protect our patient population, employees and facilities, but in how the county and state responded to the pandemic. Our security officers knew we were going to face significant challenges, but remained flexible and positive, which helped calm the public and our employees.”
“Yes, we were prepared with our plans and supplies for a short term,” Behr adds. “The university HR policies have had slight changes that will impact Public Safety for sick time and salaries. However, our officers and staff have continued to come to work. We have even started a training class for new 911 Dispatchers. The partnerships with business associates and medical research teams in the university have been positive as we continually together to identify and share PPE resources and maintain a safe and secure campus,” she says.
“From an IT perspective, we have spent much effort over the past few years to make our infrastructure more resilient with cloud-based solutions and applications,” Hollandsworth shares. “We’ve also invested heavily in communication capabilities (i.e. softphones), so that we have access to our office phones on our computers. I believe that once the pandemic is over, we will do a review, or ‘hotwash’ to see where we did well, and where we can improve.”
“We have learned how valuable our people are to us,” says Wanik. “You can have all the technology in the world, but if someone is not there to interpret it to the local environment; or a remote staff that understands the technology does not understand the local lay of the land or have established relationships there, then you have more problems than you think you do. Even though we use a ton of technology, it must be supported by background information and relationships.”
“I learned about humility,” adds Hauk. “When you lack humility, you are unable to actively listen to anybody else. You don’t respect your ‘enemy,’ and when you don’t respect your enemy, you stop training hard. You start to cut corners, find shortcuts and eventually stop training, which is when you get caught off guard. The worst thing about lack of humility is that it prevents us from doing a solid and honest assessment of ourselves, and without that we will never improve.”
“We also learned that we must always push ourselves to prepare for the absolute worst (a lack of equipment, a loss of a key member of the team or number of staff, an overwhelming surge of patients) and then develop a plan to mitigate and address it,” he adds. “Even if that absolute worst seems to some individuals, including leaders, to be impractical, unfeasible, irrational, improbable, or far-fetched.”
“For me, it was communication,” Clay says. “We have increased communication with security leadership at other hospitals in the area to share information. We have also increased communication with our law enforcement partners and state fusion center to ensure there is a two-way flow of information. Additionally, we ramped up our internal communications. People want information, and I do not think you can over-communicate when dealing with a pandemic. Fortunately, we were able to provide regular status updates to our employees, which helps allay fears and dispel misunderstandings.”
“The most important takeaway is not a new lesson but a reminder,” says Eddie Ankers, Director of Corporate Security for NTT Global Data Centers Americas, Inc. “Communication and collaboration are some of the best strengths any business could have. We in the data center community have worked diligently with local, state and federal emergency service providers, utilities and supply vendors to ensure seamless operations in the event of a natural or man-made disaster. This pandemic has provided insight about how we can be better prepared. It has brought to our attention the importance of collective bargaining as a data center community, regarding essential safety supplies, having medical screening devices in inventory and maintaining a reasonable, yet effective inventory of personal protective equipment.”
“Business continuity plans are great, but preparation is enabled by recognition,” Veiock notes. “The biggest lesson learned throughout the company was the benefit of early activation of the crisis response team and launching those plans. While we didn’t necessarily have fully documented plans, we saw the coming storm, gathered and empowered the team and ultimately put the business in a position to be resilient and productive through this crisis.”
Fortino shares that “Working presently for a publicly traded global company and previously for FEMA has given me a twofold perspective on global preparedness and response. With the COVID-19 pandemic impacting all reaches of the globe simultaneously, the scope is unprecedented for both the public and private sector. Both are working to protect people and support the global economy. Lessons are being learned daily in how we partner to share our information and resources. Reallocating PPE like masks and Tyvek suits and the rapid retooling of assets to manufacture or assemble in support of the medical industry are great examples.”
“With the exception of hurricanes, whose predictability enables us to implement specific, event-focused mitigation and business continuity measures, Bridgestone Americas takes an ‘all hazards’ approach to business continuity planning,” Levine adds. “Based on lessons learned to date during COVID-19, we will likely create a similar event-focused plan for pandemics. Areas to be addressed may include, but not be limited to, stockpiling and positioning critical supplies, HIPAA and privacy refresher training for leaders and primary responders, triggers to escalate response measures, HR policies, contingent medical personnel and subject-focused subcommittees. In addition, the automated tools we have developed to support our processes during the current pandemic will also be incorporated.”
“Teamwork has been essential for our business continuity plans and operational responses to be effective and efficient,” adds Bob Messemer, CSO for Nielsen Holdings. “What I have enjoyed seeing these past several months is how several members of our team have exhibited great leadership and accomplished amazing results resulting in a new appreciation for our security team members from the newer corporate executives.”
Messemer adds that another key lesson is that, just as the proverbial phrase says “culture eats policy,” so too do “principles trump playbooks.”
“Clearly communicating our principles to regional leaders and entrusting them to make the right decisions with our guidance empowers the organization to make decisions faster and allocate scarce resources more efficiently,” he notes. “Building relationships in our profession really counts, as well. The personal contacts we make at events sponsored by Security magazine, ISMA and ASIS and our involvement in the public-private alliances, such as the FBI’s InfraGard program, are invaluable to exchanging valuable insights. We can all learn from one another’s experiences.”