Business Continuity – Your People & the H1N1 (Swine) Flu
By Michael J. Corby, CCP, PMP, CISSP
Global Health Issues Require a Careful Response
Once again, we are being challenged by the potential for a serious outbreak of a highly contagious disease. This time, the threat appears to have emanated from Mexico, and by all recent accounts, has spread from person to person through the air. The number of cases appear to be mounting in the US, Canada and elsewhere. Without throwing our entire organization into convulsions, how can we best prepare to withstand this threat? Even if the influenza outbreak does not replicate the global pandemics of the past, we need to do what is proper to avoid a steep decline in our ability to maintain our profitable and viable position. Overreacting can result in a “The boy who cried wolf” situation. Under reacting can result in extensive and prolonged employee absence or sharply decreased sales. How do we handle this latest challenge? In a word: carefully.
Communication is Crucial
A global issue such as an illness pandemic presents you with multiple challenges. If the threat materializes and many people are affected, you may lose a large percentage of key workers, your customers, clients and constituents will elect not to venture into crowded public places, and your vendors and suppliers may be required to substantially change their services.
On the other hand, if the threat remains only a potential, you risk causing a disruptive and possibly expensive response with no value. Obviously the best plan is one that has been tested over and over, but in the absence of this real experience, your best bet is frequent, factual communications.
Developing a well-orchestrated plan
Your response to pandemic threats should be well coordinated and specific. We recommend you take specific steps to developing your plan.
1. Provide Factual information. You can win public relations points by monitoring credible sources and dispelling gossip and rumors. You should look to reliable resources to maintain the latest facts including:
a.Centers for Disease Control (CDC) http://www.cdc.gov/swineflu/
b.World Health Organization http://www.who.int/csr/disease/swineflu/en/index.html
c.The ASIS Swine Flu update http://www.asisonline.org/
Remember that as of the end of April 2009, a relatively few cases have been identified in the United States, all had a connection with recent travel to Mexico and most are mild. There is presently no pandemic crisis. Phase 5 means sustained human to human transmission across countries. To an individual, this is only as dangerous as the “ordinary” flu. It is receiving attention because people have minimal immunization to it.
2. Conduct a brief risk assessment. Do you or your suppliers travel to and from Mexico? If the condition escalates, what will be the impact on your employees, your suppliers and your customers? Will the need for your products/services increase or decrease?
3. Review your policies. If you don’t have a pandemic response plan, now might be a good time to start getting one in place. If you do have a plan, review it plan for needed supplies that have not yet been purchased, e.g. masks and hand sanitizers. How would you handle 30%-40% absenteeism for 1-2 weeks in the next 12 months? Consider family needs if schools and day care centers are suddenly closed for 1-2 weeks to prevent the spread of infection. Make sure employees are kept informed.
4. Educate employees and take precautionary measures. Make sure employees know the symptoms for flu and encourage them to stay home if sick, and to seek medical attention if symptoms are present. Provide extra cleaning and sanitizing supplies, especially for telephones and keyboards.
How can IT Security Help?
If you’ve done nothing to date to assure your organization can respond under the crisis conditions posed by a disease pandemic, your chance of a fully successful program are reduced. If you have already created a Business Continuity Plan that addresses the disruption of what we term the four key elements of business resiliency: People, Physical Plant, Process and Technology, this would now be an excellent time to issue a memo reminding everyone of the plan, the location of it’s latest version, and the names of the initial response leaders. You may even have the time and resources to conduct a “table-top” exercise of what will happen if the pandemic potential increases and the disease spreads as quickly as some may fear. We have worked with hundreds of organizations in the development of these plans and in monitoring and assessing the results of plan exercises. From our experience, we recommend the following minimum actions:
Appoint a Response Team Leader. This individual should be directly in control of all communication regarding the situation. From making the ultimate decision to invoke the response and recovery plan to approving all communication to the media, employees, suppliers, customers and civil authorities. This individual should be able to effectively coordinate web site and telephone system communications, advise and approve technology relocation or deployment plans, and direct the flow of materials and supplies to the locations where they can be best suited for a responsive continuous operation. Our background in this area can be a valuable resource for you to select, appoint and commission this individual.
Deploy Technology Resources. In most situations where communicable disease is a threat, people will not want to go to work in a crowded, populated office. In addition, commuting via public transportation and even using elevators presents a risky and undesirable situation. Many of your key employees can be just as effective working from the safety of their homes if they have the required computer, network access and telephone resources. Although the technology to do this is readily available, you may be competing with thousands of other company employees to set up systems and provide access codes to company resources. This is not a good time to relax security and privacy standards. Criminals are literally salivating for the opportunity to exploit the situation and gain access to valuable, sensitive or protected data. You face the risk of losing this data privacy and also the risk of a lawsuit initiated by these same individuals who now have the facts to accuse you of failing in your data protection obligations. We know how to do this deployment quickly, effectively and securely.
Monitor the facts and your business. As with other disruptive events, things can change quickly and dramatically. The spread of the disease itself can change in the blink of an eye and the need for you to provide a different response to your customers can change just as quickly. We have the knowledge and skills to help monitor the operating environment in time to affect change.
Over the past few weeks, I’ve spoken to many groups about their response to this flu outbreak or pandemic disease threats in general. The most common response is that management has delegated to a medical advisor, either through the Human Resources department or through the company preferred medical provider. This is a noble response to help people defend from the flu, and help prevent it from spreading through the organization, but as we have seen in the business response to hurricanes, terrorism, snow and ice storms and other calamities, prevention aone doesn’t solve the problem. Business Continuity Planning (for Security purists, it’s the “Availability” in the C-I-A Security triad) provides a response the addresses resilience when and not if the situation materializes.
Nearly all successful Business Continuity Plans have depended on a well defined and tested process, known and followed by all employees under the guidance of a decisive leader. Is that you?
Ready – Set – Go!