COVID-19 Security Response Tactics and Strategies to Consider for Business Resumption Plans
Created by Dan Sauvageau, SEC Subject Matter Expert.
1. Preparing for Re-EntryThere are many things for a company to consider prior to re-entry to its workplace, but arguably one of the first is how to do so in as safe a manner as possible for all employees. The term "employee" is used to broadly cover employees, contractors, interns, or anyone who accesses the workplace on a routine basis. Once plans are solidified for the employees' safe return to the workplace the company can focus on undertaking the necessary longer-term efforts to mitigate the risks of a further business disruption or closure due to a possible future virus outbreak. Local, state, and federal government guidelines are the first ones to consider when moving to a phased business re-opening, but such guidelines are designed to be general and for a diverse set of industries and institutions. Government guidelines will lack the specificity that companies will need to fit their unique business requirements, workplace environment and culture. Government guidelines are also meant to be the minimum requirements or hurdles to overcome; a company always has the option to do more and go above and beyond to ensure the safety of their employees while regaining momentum for its business. Employees will count on and expect their companies to do everything possible to ensure their safety in the workplace or while on company business, and companies have a duty-of-care responsibility to not let them down.
Symptom screening - Aside from the myriad of reactionary company policies and practices developed by companies thus far into the crisis, symptom screening of people prior to returning to the workplace is a logical first step to consider. The objective is simple - keep the infected out to avoid further infections; however, the means to do that are complex. A company has many options to consider when it comes to screening its employees. Here a just a few approaches that some companies are doing or considering:
If a company chooses to have its security staff perform screening and temperature taking of employees, vendors or visitors, the staff should be properly trained and equipped with CDC recommended PPE and would be well advised to only perform that work under the direction of competent and licensed medical health care provider. This option also comes with significant other risks and challenges that should be carefully considered by all company stakeholders.
If screening is done in the workplace, stations and queues may be set up to allow for social distancing and, where necessary or practical, with separate entrances for employees, vendors and visitors to facilitate throughput and allow for social distancing and some degree of privacy. Ultimately, a building's size, configuration, population, and use will determine what approach works best, and one should expect to modify their approach through some amount of trial and error. Security is typically well positioned with the access history tools, data and experience to estimate "normal" volume throughput in pedestrian entries to help inform decision makers on what approach makes the best sense for them.
A company may also ask their healthcare provider experts if two levels of temperature tests are prudent - infrared followed by a secondary, more precise temperature screen to minimize false positives. A trained, equipped, and experienced healthcare provider will know the best practices to employ and should be consulted. Security and their business partners should, however, be part of the planning process to assist the healthcare provider by understanding the business environment, organization, and its culture to allow for a streamlined, positive employee experience. Healthcare providers that offer such services are already being placed under contract or will be in extremely high demand as more companies develop return to business plans. The SEC suggests that security teams conduct their own due diligence and needs assessment when determining what health provider is best suited for them.
Secure internal web portal for incident tracking - Keeping track of individuals who have been out of work with symptoms, confirmed cases or quarantined from recent travel can be a daunting exercise for a company, especially one with thousands of employees. A secured, database-driven portal could be set up and made available to employees to self-report updates on their conditions or changes in health (e.g., recovering at home, in hospital, elapsed quarantine time, more recovery time needed). Professionally trained HIPAA HR staff or others could manage the portal and act accordingly on the information collected. As previously noted, Corporate Legal and/or HR would be important stakeholders to ensure all HIPAA rules are followed.
Discontinue unassigned seating and locking conference rooms - Inform employees ahead of returning to work that unassigned seating will be discontinued. Consider locking conference rooms or areas where large groups of people might consider gathering. Place signage on areas designated as off limits. Designate or render select fixtures inoperable in common use areas such as restrooms, cafés, or outdoor patios to allow for and encourage social distancing. More information on this topic is included in section 4 below.
Proactive communication - Communicate to employees as to what they can expect to experience on day one of their re-entry experience so they can be prepared, understand, and gain comfort in the actions your company is taking to protect them. This may help reduce their anxiety and that of their loved ones by detailing all the measures your company has taken and will undertake on a go-forward basis, such as cleaning protocols, social distance markings, building occupation limits, entry screening, and package handling.
Consider creating "wellness coordinators" - To assist with reinforcing messaging and mitigation efforts being taken as part of the overall re-entry experience, companies may consider developing a system whereby designated individuals across enterprise HR functions and/or business units serve as wellness coordinators. Similar to having knowledgeable, trained employees serve as emergency/floor wardens to assist in a fire or other building emergency, wellness coordinators who are trained and versed in the company's unique COVID-19 measures and protocols could be a force multiplier for the HR, Facilities and Security departments. These coordinators could serve as knowledgeable ambassador points of contact for the broader employee population - adding clarity to communicated messages or funneling questions and concerns of co-workers to the proper individuals with responsibilities to address an issue. This approach would supplement other avenues such as intranet web portals or microsites for employees to voice concerns or comments. It would also add a human dimension to the communication process. As with any delicate matter involving employee privacy, Corporate Legal would be an important stakeholder to ensure privacy and HIPAA and other privacy laws are followed.
2. Re-entry logistics for employees, vendors, and governance considerationsMake hygiene apparent and accessible and cleaning visible - Ensure hand washing signage reminders are ubiquitous throughout the workplace, not just in restrooms. Hand sanitizer or disinfecting wipes should be readily accessible and re-stocked at all entrances, exits and throughout highly trafficked common areas. Place disinfecting wipes or disinfectant near all commonly used office equipment, e.g., printers and copiers, and other high-touch surface areas. Consider adding periodic checks of these stations to security's patrol duties to avoid employee frustration and reduce risk if they run empty.
Instead of relegating housekeeping staff duties to off hours, make them visible and available throughout the day, especially in the early days of return to business. Frequent cleaning of common areas and high-touch surfaces will help put employees at ease. Employees should see cleaning taking place and smell it in the air. The early days of re-entry will all be about gaining employee confidence and trust for the sanitary nature of their work environment, and these duties will likely fall on the shoulders of lower-paid vendor staff. It is important to pay close attention to cleaning and sanitization practices. Without question, some employees will be looking for gaps and perhaps even taking pictures of practices and areas they are critical of or find concerning.
Vendor controls and oversight - For many companies, on-site vendors are essential partners in allowing a business to carry out its important day-to-day operations. However, a company has little if any control over the outside practices, behaviors, and policies of the vendor staff they use and who enter their workspace. Ahead of re-entry would be a good time to understand and validate what measures, controls, policies, and procedures vendors have for their employees. After all, their presence and behaviors will impact a company's ability to maintain a safe and healthy work environment. Perhaps the Procurement department, which is best positioned to know every vendor contract, could coordinate, and take ownership of this task. In many companies the Facilities and IT functions often have the greatest number of vendors, so that may be another logical place to start.
Strict guidelines may be needed for vendors, especially those with unknown, limited, or questionable benefits or practices to mitigate virus spread. For example, a company can incent its sick employees to stay away from the workplace by offering generous paid sick or quarantine leave or extend work from home abilities. What if a vendor does not extend this or similar benefits to its employees, especially those who live paycheck to paycheck, and they come to your workplace sick for fear of missing out on pay? Every effort should be made to ensure service staff, especially housekeeping, food, and other close-contact service functions, are not spreading virus through their normal duties. This is especially important for the housekeeping staff who are entrusted with vital cleaning and disinfecting duties. The importance that trust has on the employee experience and their perception of a safe/healthy workplace cannot be overstated here. It would be a serious impact to business operations and employee trust if that critical vendor who chose to ignore or not reveal their symptoms came in and infected others in a critical operation, or if a housekeeper responsible to clean and sanitize workspaces was instead contagious and spreading virus, making people sick and causing a workplace shut down.
Housekeeping staff should follow government health officials' guidelines regarding PPE while performing their duties and be instructed on the proper use and disposal of them. Also, they should properly dispose of other potentially contaminated items they use or come across in performance of their duties. Typically, the Facilities department will be responsible for ensuring the work practices of housekeeping staff, but they may not be around to ensure they are always carried out. Consider whether security can add value by serving as a secondary check and balance control measure to ensure that designated areas are cleaned and/or disinfected after hours and housekeeping staff are wearing PPE as appropriate. Security could capture their findings and share them with their Facilities partners to address non-compliance before larger problems emerge. This is a terrific opportunity for Security and Facilities to partner closely and demonstrate teamwork to employees and senior management for the benefit of all.
Consider having conversations with vendors now about whether they have plans to notify your company in a timely manner of any confirmed COVID-19 cases that occur among their staff who access your premises. Would you want to leave it to chance that a contractor who has COVID-19 symptoms and calls in sick to their company will proactively also notify your company? Consider working with your Procurement and/or Legal partners about adding addendums to existing contracts emphasizing new or additional COVID-19 controls and measures that your company deems important and that vendors must follow while on property to avoid virus spread resulting from their behaviors.
Shipping/receiving/packages - While health experts consider the transmission of the COVID-19 virus from package surfaces to be low compared to social contact and droplet spread, the risk still does exist, and measures should be evaluated against the company's risk tolerance. Consider allowing any inbound packages to remain untouched for a period of time until surfaces are considered free of viruses according to published CDC or equivalent health agency guidelines. If parcels are deemed important, adopt disinfecting procedures for parcels in accordance with healthy agency guidelines. Discontinue internal hard copy mail services until the pandemic risk is over. Ensure shipping/receiving and internal mail staff are properly trained and understand established guidelines and restrictions concerning package handling. Post external signage (multi-lingual as appropriate), instructing infrequent delivery personnel of the established measures and controls in place prior to them entering your facility or offloading materials. Greater care and more stringent measures may be appropriate for packages destined for high security and critical areas such as data centers, GSOCs, R&D labs, trading floors, wire transfer rooms and executive offices.
Leverage existing plans, or start plans, to create virtual GSOCs to create flexibility in the event of future outbreaks. If virtual GSOCs do not exist, re-arrange existing workstations to increase social distancing. Some GSOCs are built atop a raised floor which may make rearrangement easier. Split work teams and have them perform at-home self-assessments of symptoms prior to workday shifts to prevent spread and contamination of this critical function. Designate the GSOC and all critical areas frequented by people as regular disinfected areas for housekeeping staff to address. See the SEC's COVID-19 GSOC & General Security Risk Mitigation Checklist.
3. Ways to best leverage security teams and their toolsMost corporate functions are not available or on-site on a 24x7 basis like security. Yet business partners such as HR and Facilities have already been and will continue to be deluged with employee calls concerning questions about COVID-19 plans, policies, controls, and measures. Many expect COVID-19 to be an ongoing crisis/challenge to manage well into the year 2021. Such a long-tailed event will no doubt create fatigue across teams. The more cross-functional support and collaboration there exists amongst business partners, the more enduring and resilient people and teams will be for the marathon journey that lies ahead. Let's look at some ways Security can assist and continue to add value in the long term.
Companies that have already experienced confirmed COVID-19 cases in their workplace are reporting that important contact tracing requests from health officials is taking a huge amount of time and taxing their staffs, who are already stretched thin. Depending on your access system's capabilities, consider creating pre-programmed software shortcuts or routines to quickly assist with contact tracing if needed. Also consider ramping up with additional contract staff now - ahead of incidents requiring contact tracing when large numbers of people return to the workplace. If your visitor management system is not up to the task, make note of this and hold onto it for future capital requests. Records of all persons accessing a facility will also prove helpful should health officials need to conduct contact tracing for infected individuals and subsequent communications to building occupants about necessary appropriate actions and measures to be taken.
The risk of malware and computer viruses being introduced into company equipment used while working from home in a less controlled environment may have increased. Consider partnering with your IT department and use access systems to disable badges (i.e., block access) of individuals who need to have critical equipment scanned for virus or malware before it returns to the building and is connected to the network.
4. Staggering the workforce and staging the workplace differentlyJust as some employees experienced anxiety returning to work in high-rise buildings or flying on planes following 9/11, some will have anxiety or concerns about returning to a workplace filled with people compared to the controlled environments of their homes for the past six or more weeks. Look at how businesses that are deemed essential, like grocery stores and pharmacies, have evolved their controls to limit virus spread in recent weeks, such as shortening store hours, setting special times for the elderly to shop, limiting the number of people allowed in a store, routine disinfecting and social distancing inside and outside. The workplace may consider employing similar measures that limit spread and make employees feel more at ease. Hands-free access control systems such as facial biometrics have existed for some time, but their throughput limitations or cost were often prohibitive. Eventually, these and other technology solutions that enable touchless controls will become more practical and less expensive. Since perimeter security and access controls are the domain of security departments and often require physical contact, security leaders should be vigilant in researching practical hands-free or soc called "friction-less" solutions suitable for long term use. Now may be an opportunity to try out virtual receptionist and self-serve, voice-enabled kiosk assistance stations.
Consider the following measures that help address and or complement government guidelines for phased re-openings and/or your company's other needs:
It's important to ensure frontline supervisory staff and all full-time and contracted service support staff such as Security, Facilities, etc. are well informed of any changes ahead of re-entry so they can properly support, communicate, and help employees comply.
Leased space - If you occupy leased space as a tenant you may have no control over the cleaning or hygiene practices in place for common areas such as lobbies, building reception, stairwells, and elevators. Also, a tenant may have little if any control over the quality of work, cleaning supplies used, or procedures employed by the housekeeping staff for your immediate office environment. Given these limitations while still being responsible for the safety and health of your employees in the workplace you might ask yourself the following:
Now is the time to review your lease agreements and enter into proactive conversations with your landlord to understand and request specific measures when it comes to routine office cleaning and disinfecting work areas, both as a matter of routine and after it is known that someone was symptomatic and/or confirmed for having the COVID-19 virus. If you are not an anchor tenant, determine where your company stands on the prioritization scale for requesting disinfecting of workspaces in a time of need or high demand. Inquire if the landlord has a practice to notify all tenants if they are made aware of confirmed COVID-19 cases among tenants, vendors, or their own staff. It is better to know what is in place or lacking before the rumor mill gets started or you are caught off guard by employee questions on the topic.
5. Post-business-resumption risks and preventive measuresBusiness travel - Once business re-opening phases commence, companies will have a need to resume business travel to check on suppliers, service clients, and generate new business. With reduced commercial routes, fewer direct flights, continued interest in social distancing, and a desire to avoid airport congestion, private aviation may become more popular among travelers for critical business needs. A company may consider which roles are travel critical, such as sales, business development, manufacturing, and executives and inquire if they plan to use commercial or private aviation. If private or charter aviation is used more frequently, the security department should look into whether their current automated travel tracker systems do or do not track employees on such flights.
Regardless of whether travel is undertaken on commercial or private aircraft, it will be important to remain current and vigilant on continued travel bans, restrictions, and changes. Once travel restrictions are eased or lifted, a company should closely monitor the appropriate government travel advisories, WHO and CDC guidelines, and third-party global risk providers as health officials caution against the emergence of a second pandemic wave and/or virus "hotspots" which could catch business travelers off guard if not kept properly informed. Particular caution should be placed on allowing travel to developing countries that reported few initial outbreaks of the virus, since some countries may have adopted internal policies to not test for the virus or have insufficient tools and protocols for tracking virus spread.
Prior to resuming business travel, a security leader and their business stakeholders should agree upon what factors could be used to determine when a destination is appropriate for business travel. A fully thought out and agreed upon set of controls and strategies should be devised, and a pre-trip safety briefing given to every traveler. Contingency and travel emergency plans should be revised and refreshed accordingly. The important difference with plans now versus pre-COVID-19 is that the security, safety and health infrastructure across countries may have changed, in some cases dramatically. Security leaders will need to ensure their travel security teams or services remain current with all the changes that a business traveler may encounter. For example:
Being a prepared traveler will be more important than ever. Security travel teams should equip business travelers with the most current information prior to and during their trip. It may also be beneficial to debrief early travelers upon their return from a trip to learn from their experience and identify tips and information that may not have been included in government or third-party global risk briefings. Debriefing travelers early on will also demonstrate a sense of care for the employee and perhaps yield useful information for future travelers to a region.
Maintain a contagious illness working group - After the current wave of the pandemic has passed, a company may want to keep a small team of internal stakeholders (e.g., Security, Safety, HR, Facilities, Legal and Corporate Communications) in an ‘on-call' status to manage virus issues, incidents and concerns that emerge or are raised by employees. While I was with my previous employer, we had contagious illness working group made up of HR, Security, Real Estate, Business Continuity, and Legal in place for over 18 years. Working dozens of small and larger-scale contagious illness incidents over such a long period developed muscle memory and a disciplined approach of trust, expediency, and professionalism when handling a variety of cases. When the COVID-19 crisis passes, maintaining a contagious illness team at the ready will help prepare a company for any future incidents, small or large.
Leverage employees' experience and suggestions - Consider keeping employees up to date with a company's efforts to manage COVID-19 until a vaccine and/or therapeutics are widely available. Also call on employees to share their inputs, suggestions, and concerns for ways they need to stay informed and engaged to help boost productivity and morale. The priorities of this crisis remain health and safety followed by business resumption, with the latter intrinsically dependent on the former. Employees are at the center of both priorities, and it is their experiences, real and perceived, that will help a company keep people healthy and return to business operations as efficiently as possible. A company's internal crisis team will benefit greatly by keeping the pulse of the employee experience throughout the coming months. This pulse will inform the crisis teams on what measures are working, which require modification, and where new ones are needed to navigate what will be a bumpy journey forward. Leveraging employees also emphasizes the importance the corporation places on those centerpiece focal points of trust, transparency, health and wellbeing of employees.
Prepare After-Action Reviews (AAR) - Because of the length of this crisis, smart companies will perform AARs at certain points throughout it and when it is finally over. Performing AARs on a recurring basis will help capture important details while memories are fresh. Aside from answering the usual "what worked and what didn't" questions, security teams may want to also consider the following:
It may also be beneficial as part of an AAR for a company to look back at what actions, controls, and measures Countries and individual U.S. states adopted as they passed through the apex of their pandemic curves. Creating a timeline of the macro issues of what happened externally and internal to a company with the benefit of hindsight may provide helpful markers to consider for the future.
Until we know what re-opening will look like for business, industry, or even society, it will be difficult to fully plan for longer-term strategies to mitigate and battle deadly future contagious illnesses. There is much talk amongst health experts, governments, and business leaders that we will not return to business as we knew it for quite some time. We may come to realize that avoiding future work stoppages from health crises - not only future pandemics, but perhaps even seasonal flus that pose a higher risk to vulnerable groups and for which there is no effective vaccine - will require us to employ many of the tactics we are using now to combat COVID-19. For example:
Pro-active campaigns for vaccines and proof of immunization for critical roles - Consider socializing the idea amongst internal stakeholders to push for more education and awareness and to consider making vaccines available to employees. Vaccines have been an increasingly polarizing topic amongst many groups, so this is not one to be taken lightly or without healthy debate amongst stakeholders to fully consider the laws, health considerations, individual beliefs and business needs. Consider the pros, cons, legal and other challenges of having critical function staff maintain immunization records and/or blood titers during outbreaks of contagious illnesses (e.g., coronavirus, MMR, and chicken pox) that could prompt closure or quarantine by health officials. Work with HR and Legal to ensure HIPAA, religious sensitivities, and other laws are respected. HR and Legal would also be knowledgeable of whether immunization records for critical functions constitute a bona fide occupational qualification for certain critical roles or circumstances.
Communications and on-going contagious illness awareness - Consider keeping active campaigns, awareness, and messaging in multi-media and multi-lingual formats as we move through COVID-19 phases and safe hygiene messaging into the future. Employees will have a strong interest in company actions pertaining to COVID-19-related workplace actions and will likely have a heightened concern and interest in all future contagious illness outbreaks impacting the workplace. Just as we prepare for seasonal natural disasters such as tornados, hurricanes and wild fires having a site with links such as helpful FAQs, travel advisories, internal policies, and hand hygiene will help keep people informed, vigilant, safe, and better prepared for endemic, epidemic and pandemic health issues.
Increased workplace and domestic violence spillover - According to the International Association of Chiefs of Police, many law enforcement agencies are reporting increased domestic violence since stay-at-home orders were issued. Will more domestic violence spill over into the workplace when stay-at-home orders are lifted? Will the increase in job losses, financial stress, mental disorders, post-traumatic stress disorder, and grief increase the potential for more of the following in the workplace?
If you do not have a documented workplace violence plan or existing program, now would be a good time to prepare one. If you have one, now is the time to refresh it. Security should remain informed of all trends brought about by this crisis with the potential to impact the workplace and should make stakeholders aware of them.
Potential for civil unrest - Globally and within the U.S., drivers for civil unrest can arguably fall into the categories of political, economic, and social. Though not currently a problem, essential supply chain (e.g., food and medicine) or utility disruptions could result from COVID-19 repercussions. Security teams would be well served to remain vigilant, looking for signals of potential unrest across regions globally and in the U.S. where they have operations. In the U.S. for example, federal stimulus money is not going to certain groups like the homeless. Would U.S. cities with large homeless populations and known active civil rights supporters be at a higher risk for protests and/or unrest? Could the cities that had high numbers of Occupy Wall Street protests back in 2011 be the likely locations for potential COVID-19-related unrest to occur? What about in countries with a history of civil unrest, large populations with fragile infrastructures or political institutions, or where U.S. multi-national corporations have significant operations?
Increased fraud, insider risk, product diversion, counterfeiting - Recently, U.S. Federal Agencies announced enhanced enforcement efforts to combat potential increases in transnational crime, drug and terrorist activities as criminal and terror groups look to exploit the COVID-19 pandemic for their benefit. Companies may want to increase their vigilance in monitoring known hot spots of past crime (traditional and cyber) for upward trends of fraud, counterfeit, and theft of their products and intellectual property. Combatting these challenges and efforts to protect a company's brand, customers and bottom line have become more difficult with COVID-19, especially as law enforcement agencies are stretched thin and forced to focus on higher priority issues.
In ConclusionThis is understandably a great deal of information to digest and by no means should be considered an exhaustive list of security, safety, and other business functions' items to consider when looking to construct tactical and strategic plans to manage the ongoing COVID-19 pandemic. Also, as was mentioned at the outset, every company's culture, business operations, and risk tolerances are different. Moreover, the laws, regulations and guidance coming from local, state, and federal governments are different and quickly evolving as everyone comes to grips with this novel virus. Assembling the proper stakeholder functions within a company, assisted with the right health and subject matter experts to formulate realistic and actionable plans that meet a company's needs and comply with applicable rules, regulations and guidelines, will best position them to be resilient and successful.
For more resources see SEC's COVID-19 Security Related Resources
Contact us if you need assistance in COVID-19 strategic planning, response or recovery at email@example.com
You can download a PDF of this page below: