General Security Risk Mitigation Strategies: COVID-19
The coronavirus disease 2019 (COVID-19) has spread rapidly across the globe. Security leaders, along with internal stakeholders, must think several steps ahead of this deadly virus and implement measures designed to mitigate risk to people and company reputation.
Drawing on its collective knowledge, the SEC has put together a summary of general security-related action items to consider in order to minimize risk and begin implementing safeguards and measures that can mitigate or reduce it. Relatedly, the SEC has created a paper dedicated to business resumption, which outlines what security leaders and other stakeholders should consider for an orderly return to work: COVID-19 Security Response Tactics and Strategies to Consider for Business Resumption Plans
The following considerations are provided with the understanding that not all companies have a professional security staff, or a Global, or even a local, Security Operations Center (SOC). We recognize that not all suggestions identified apply to all companies. However, whether you are the only security person at your company and wear many hats or you are the Chief Security Officer with a staff of security professionals, we all need to focus on risk mitigation in a most challenging environment. We must also contemplate what controls and measures we will need to put in place to reduce risk now, and ultimately plan for the return to the 'new normal' of business operations.
Now is the time to consider the daily tactical initiatives as well as the strategic path regarding the next steps that are right for your company. These steps must include aligning your strategy with the many new requirements imposed by federal, state, and local officials.
Note: This checklist should not be construed as a means to establish any legal standard of care or identify what reasonably prudent security precautions should be taken in any specific situation. The actions to be taken for individual situations will vary depending on the corporate culture and individual circumstances at the time. Ultimately, every individual must assess any given situation, choose a response and manage the consequences.
- Develop an Infectious Disease Preparedness and Response Plan, to include establishing plans and protocols with HR, Legal, Safety, and Operations that address an actual and potential infected building occupant. The strategies you generate should be cultivated from authoritative sources such as the WHO and the Centers for Disease Control and Prevention (CDC). Monitor and adjust your policies, as the guidance from these resources evolves and changes frequently. Derive your information from these reputable resources and align your plans with their up-to-date recommendations; doing so will put you in a position of following the guidance and advice of the experts should your company be challenged regarding the response measures implemented.
- Collaborate with Legal to ensure workers' rights and employers' responsibilities that may apply to prevent occupational exposure to COVID-19 are followed in accordance with federal and applicable state guidelines (for instance, OSHA's Occupational Safety and Health Act of 1970 prohibits employers from retaliating against workers for raising concerns about safety and health conditions). See related article: https://www.msn.com/en-us/news/us/thousands-of-osha-complaints-filed-against-companies-for-coronavirus-workplace-safety-concerns/ar-BB12K3Wu
- Develop procedures and protocol with Legal, HR, and others, when an employee makes a claim (under federal, state, or local regulations or laws) about safety and health conditions that do or could impact them, others, and the company brand.
- Identify alternate work areas (including coordinating with IT on multiple drops in the alternative areas for phone/computer/other) that can be quickly occupied with all new equipment should the GSOC/building be contaminated.
- Identify a process and protocol with local hospital(s) should a building occupant contract, or be suspected of having contracted, COVID-19.
- If you are a tenant, coordinate COVID-19 response protocols with the property management team.
- There has been a sharp rise in domestic violence (spousal and child abuse) due to the pandemic. Team with HR, Legal, and others to ensure EAP resources and support are made available to those impacted.
- Devise a procedure and protocol with Facilities covering the measures they will take with HVAC and other air handling units to slow, or prevent, the spread of COVID-19, should it become necessary.
- Monitor and evaluate social media postings with Communications to ensure that you understand the pulse of employees and the public. It is essential to stay ahead of any negative postings about the company and to have the opportunity to address, immediately, any actual or potential adverse impacts to the company.
- Send policy and rule reminders to all employees about the remote use of information technology for the company and, if applicable, personally owned devices; update and distribute any new policies related to working remotely.
- Partner with IT; provide education and training regarding phishing, social engineering, common attack vectors, or vectors specific to your industry. Remember, the best hardware and software cannot prevent a person from clicking on a link that will compromise your or your customer's intellectual property and tarnish your company's name.
- Devise a law enforcement and emergency response call list. Maintain communications with the local health department and emergency services to keep informed of the ever-changing conditions and response protocols.
- Explore whether you can establish policies and practices, such as flexible worksites (e.g., telecommuting) and flexible work hours (e.g., staggered shifts), to decrease group gatherings and increase the physical distance between/among employees and others, in accordance with applicable federal/state/local guidelines. Working remotely is perhaps the most effective response, one that can rule out altogether the possibility of a person becoming infected: try to avoid in-person contact at every possible juncture.
- Create a COVID-19 response team to expeditiously consider, evaluate, and appropriately address actual or potential concerns. Quick, thorough, and detailed procedures and protocols are vitally important. Note: Please recall that there are OSHA and perhaps state guidelines that prohibit employers from retaliating against workers for raising concerns about safety and health conditions.
- Assess all workspaces and common areas that do not readily allow for appropriate physical distancing and devise interim measures that provide the recommended six feet of separation.
- Educate employees about COVID-19 specific phishing scam emails that have been designed to take advantage of the pandemic to compromise personal and company assets/information, to include "Zoom bombing" and other warnings issued by the FBI and other law enforcement.
- As an interim measure, and until a contact tracing program can be decided upon and implemented, require that all staff take their temperature at home just before departing for work.
- Devise an educational awareness campaign about COVID-19 mitigation plans to be in full swing (such as printed materials, email reminders), in anticipation of the resumption of business.
- Plan for an increase in mental health issues impacting employees and for a potential rise in workplace violence. Workforce reductions should be monitored closely, and "at-risk" cases should be given priority attention as soon as possible.
- Ensure a written protocol is in place should there be an actual or possible COVID-19 contamination. This should be a well thought out process and protocol, requiring a team to assess and address any concerns. No one person should have the authority to dismiss a possible or actual concern.
- Contemplate cyber and ransomware insurance policies to cover losses, notification costs, credit monitoring, defending claims from customers, and applicable regulators, as well as any fines or penalties.
- Require sick employees, or employees with sick household members, to either work remotely or stay at home.
- Partner with your procurement department and conduct due diligence checks to avoid fraud regarding new vendors who claim they can provide hard-to-get items, including personal protective equipment and other items in high demand. Often the provider urges you to place an order immediately and also requires payment upfront; this combination typically results in a fraudulent transaction. Offers of hard-to-find resources under these conditions should be scrutinized and given careful consideration due to the vast amount of fraud arising from the pandemic.
- Provide detailed instructions for the use (or restriction) of videoconference platforms such as Zoom and other online teleconference center services.
- Develop a contingency plan for key staffing shortages or consider how services offered may be adversely impacted and communicate any impacts before the resumption of business.
- Consider using drones to monitor key areas and when responding to alarm conditions outside the building.
GSOC Social Distancing/Hygiene/Cleaning
- Devise cleaning intervals for all keypads, biometric surfaces, and other vulnerable areas throughout the facility: stay abreast of updated and ever-changing cleaning and disinfection guidance.
- Consider having staff work virtually, or separate staff into at least two different physical work areas (and do not allow cross-contamination of spaces).
- If staff separation is not possible in the GSOC and all other workspaces, separate staff work areas 8 feet away from each other.
- Have cleaning supplies next to each phone/keyboard/work area and require full cleaning prior to, and after, each use.
- Issue headphones/keyboards, phones, etc., to each person. Prohibit equipment sharing.
- Do not allow non-staff in the GSOC (devise and promulgate the means of communicating with the staff other than face-to-face).
- Practice and communicate the requirement of handwashing after a person touches their eyes, nose, or mouth, and after blowing one's nose, coughing, or sneezing.
- Close as many entry/exit points as possible. Post "open door" maps at all entry/exit points.
- Schedule cleanings for GSOC (with focus on handled equipment and all surfaces touched) prior to, during, and after each shift change.
- Prohibit eating in the GSOC; provide a designated area for meals outside of the work area.
- Provide cleaning supplies (including three sizes of gloves). Consider mandating the use of gloves for the GSOC staff. Include a supply of facial tissues for each workspace.
- Devise a protocol should someone in the GSOC become infected or respond to a person who has or is presumed to have contracted COVID-19.
Increase Security Services & Bench Strength
- Devise a procedure using your access control system to permit those who have tested negative per your contact tracing policy (employees, consultants, contractors, vendors) to enter the building.
- Prepare for increased absenteeism by training/cross-training personnel for temporary duty reassignment to assure continuous coverage of essential duties.
- Run daily building/area access histories to inform management of building occupancy trends.
- Educate officers on techniques to minimize exposure to infectious disease, to include immunization and the proper use (wear, removal, and disposal) of personal protective equipment.
- Address officer physical and emotional well-being; increased pressures and continued obligations in and outside of work; create additional awareness of employee assistance programs (EAP) resources available.
- Use CCTV and security patrols to audit and review housekeeping staff adherence to established cleaning protocols.
- Leverage GSOC 24x7 presence to collect and collate actionable news items and provide key stakeholders each morning with overnight developments.
- After hours GSOC staff can monitor the Overseas Security Advisory Council (OSAC), WHO, CDC, and other government health and travel updates to assist in assessing future restricted travel locations and add relevant information to morning reports.
- Leverage visitor management systems to track/record visitors/vendors who passed/failed screening.
- Partner with IT to ensure you have a well-defined cyber-attack prevention plan that can be immediately implemented and acted upon.
- Use building cameras and patrols to monitor and enforce applicable social distancing guidelines promulgated by state public health orders, stay-at-home orders, and any prohibitions on the maximum number of people in group gatherings (both inside and outside company property).
- Do not greet building visitors face-to-face. Instead, post contact instructions at all entry/exit points and on the company website.
- Perform security work from home or at an alternate remote location.
- Provide information about isolating a person who has, or is perceived as having, an infectious disease.
- Implement a mass emergency notification system (such as Send Word Now or Everbridge) to provide emergency notifications to employees/visitors, should this become necessary.
- Consider pay increases for essential staff due to the exigent circumstances created by COVID-19.
- Set up an independent cost center to track all expenses related to COVID-19.
- Partner with HR to leverage the GSOC to manage/field employee calls, leverage FAQs from past HR inquiries, and be the on-call 24X7 support center.
- Devise a plan with IT to address FAQs regarding the safe return of computers into the workplace. The GSOC serves as the 24x7 central clearing point for cataloging computer equipment being scanned for malware, viruses, etc.
Virus Spread Mitigation
- Provide hand sanitizer/wipes at all entries, high traffic, common areas, office equipment, cafes, etc. Factor in that pilferage may occur.
- Minimize package delivery and eliminate inter-office mail. Establish cleaning and safe package opening procedures (e.g., proper use of gloves, hand washing).
- Create and distribute awareness reminders (social distancing and hand washing/hygiene posters, CDC flyers, computer pop-up messaging) specific to your business. Distribute these now and upon resuming business.
- Encourage staff to pack their own lunch. Coordinate safe foods with café and increase (possibly mandate) takeout orders in accordance with any federal or state guidelines.
- Balance security with safety; consider leaving interior doors open to common/non-critical areas to minimize surface contact, while maintaining full compliance with ADA, NFPA, and Life Safety Code.
- Increase the frequency of disinfecting patrol cars, locker rooms, break rooms, and other facilities.
- Review all areas where multiple touches typically occur each day and devise mitigation procedures for these surfaces (e.g., machines that dispense newspapers, coffee, and other items, as well as water coolers, elevator buttons, microwaves).
- Disable requirement for PINs to be used for non-critical internal areas of the building. For areas requiring a PIN, consider disabling the use or provide wipes at each PIN pad; post instruction to clean PIN pad and hands before and after entering PINs.
Critical Vendor Reliance
- Indoctrinate key vendors and any others regarding cleaning/separation protocols for entering/working in the GSOC.
- Contact key vendors now regarding business resumption plans and gauge their current staff levels and support capabilities.
- Open channels of communication with key vendors and providers to ensure continuity of operation discussions take place.
- Inventory supplies, stock, and other essential items to ensure sufficient amounts are on hand or are available from vendors now, for when business resumes.
- Order necessary inventory of cameras/card readers, etc., that require typical preventative maintenance or replacement.
- Assess critical vendors' contagious illness protocols and benefits as they pertain to their ability to service your account, to ensure each vendor's approach is consistent with CDC guidance.
- Assess housekeeping staff training about cleaning procedures, staff education (language abilities), equipment usage, and benefits, to allow ill staff to stay out of the workplace. Ensure the cleaning team is educated on the proper use, removal, and disposal of gloves and any other potentially contaminated items they use or come across.
- Consider sending a letter to all vendors outlining your expectation to be notified, in writing, should one of their employees working at your facility contract, or be suspected of having contracted, COVID-19.
For more resources see SEC's COVID-19 Security Related Resources