Company News

The Security Approach to Dealing With COVID-19

Trenton Scott Higareda, VP CTI Consulting

The increase in cases of the disease COVID-19 – caused by the novel coronavirus SARS-CoV-2 – has the potential to cause major disruption to commercial entities, federal/state/local agencies, residential communities, medical facilities, and other organizations with security operations. To assist security managers at all levels, we examined the topics below. The key to protecting personnel, organizational assets, and operations during an outbreak or pandemic is preparedness, and the time to prepare is now.

Coordination and Communication

Not all entities have the policies and procedures in place to deal with the security issues created by an outbreak or pandemic event. Some may have to be developed “on the fly.” Coordination with your organization’s management, Legal, HR, and IT departments (and Emergency Management if you have it) is critical to the success of those policies. Ensure your organization has the most up-to-date contact information, including emergency contacts for all personnel. This may include personal mobile device numbers and email addresses where permitted. Establish lines of communication or phone trees for passing along information in an emergency, and make sure your personnel know who they are to contact if they are having problems.

Staff Members Working from Home

Be aware that not every role can be performed remotely, and separation of duties must still be employed to prevent fraud, waste, and abuse.

The risk of data loss is increased in a work-from-home scenario, so telework policies should always address proper use and physical security of organization-owned equipment, safeguarding of sensitive data, and secure systems access. Avoid sending sensitive documents over unsecured email without encryption, and avoid using free services. Instead use paid collaborative/sharing software (such as SharePoint, Slack, GoToMeeting, etc.) or secure file delivery services that encrypt data in motion and at rest. Share encryption keys through text or other messaging app, never by email. Also consider the use of paid virtual private networks or virtual machine clients to access company systems, and always use two-factor authentication for accessing these services – including email. If your system uses two-factor authentication, it will be much more difficult for a bad actor to compromise it in a phishing attack.

Note: all government-classified material or Sensitive Security Information is subject to regulatory handling and storage procedures; strict compliance should be maintained even in a COVID-19 scenario.

Phishing and Email Scams

Reinforce your organization’s policies and procedures dealing with suspected phishing attacks and phony emails that seek to take advantage of COVID-19 fears. Such emails may come from what appear to be official sources from inside or outside the organization, charities seeking donations, or sellers of sanitizing products or medical supplies. Make sure your remote staff know that they should never respond to an unsolicited call or email from someone claiming to be IT, accounting, payroll, or HR without verifying it through their supervisor or security. You can also use video software such as Skype/Teams, WebEx, etc. to pass along information “face-to-face” if needed. When in doubt, your staff should report suspicious emails and links to management, security, or another designated department.

Travel

Where possible, the organization should seek to limit staff travel to international destinations, to areas which are subject to travel advisories or restriction, or to areas where COVID-19 has been deemed endemic. They may find themselves quarantined, locked down in a foreign country, or otherwise prohibited from returning home. Encourage staff members who must travel to have alternate plans in case of transportation disruptions or reductions in the number of flights, and foreign travelers should register with the Department of State’s Smart Traveler Enrollment Program (STEP) before embarking on a trip. Have established lines of communication and procedures for personnel requiring assistance while on travel to avoid phishing and email scams.

Guard Forces

If you employ the use of guards to protect your assets, the possibility of a labor shortage will create additional problems. Screeners especially may have concerns about repeated exposures from being close to members of the public who may be sick or handling their personal items such as keys, wallets, and cell phones. Provide personnel with gloves and hand sanitizer at screening stations, and encourage guard personnel to wash their hands often and regularly disinfect screening areas. The CDC does not advise for healthy individuals to wear masks, and they may not provide adequate protection depending on the type, but use them at your own discretion.

If your guard force personnel do fall ill or decide to stay home, you should have plans to operate with a “skeleton” crew which is able to address the minimum security requirements for patrols, screening, and posts. You can reduce the number of perimeter gates, but be mindful of fire code compliance for occupied areas of buildings and offices which will require a certain number of portals to always be accessible for emergencies. If you are able to close off sections within the building or facility, that should help alleviate those requirements. However always check with your local compliance authority.

Security Systems

During times of crisis, video surveillance and video analytics can be a force multiplier. Consider programming changes to surveillance of areas where guard presence may be reduced. Increasing the number of areas covered at your monitoring stations may increase the workload for your personnel; stress and fatigue may cause some events to be missed which will defeat the purpose of increased reliance on video. So, ensure those personnel have adequate breaks and supervision.

Access control system programming can also be revised to address changes in security requirements. You may need to bring in technical expertise from the vendor if you don’t have it in house. It’s better to do this sooner rather than later to avoid delays – the vendors’ companies may also be experiencing work shortages as well.

Resist the temptation to allow remote monitoring, as this may create back doors into your system. Once intruders have penetrated it, it will be extremely challenging to find and remove any malicious code they leave behind.

Supplies and Deliveries

Delivery schedules may be disrupted, and supplies may become limited in a worst-case scenario. If possible, consider moving assets or supplies you want protected to more secure areas where you can control access more effectively or concentrate your security efforts. If your organization stores items that are in demand, such as disinfectants, hand sanitizer, medical supplies, or other sought-after goods, the threat of theft by outsiders (or insiders) can be mitigated by limiting access, implementing strict inventory controls, and adding video surveillance where possible. Increase security presence and supervision at loading docks or delivery portals when shipments arrive.

Visitors

For facilities that do not serve customers or the public, consider reducing or eliminating visitor hours. For those facilities that do, you may be faced with anxious or irate individuals depending on your organization’s mission. Medical offices, pharmaceutical companies, health agencies, and stores that sell supplies such as masks, hand sanitizer, and other in-demand items may be at additional risk. Assess your capabilities to deal with threats from angry or panicked individuals, and develop workplace violence procedures to close the security gaps. Ensure that non-security staff members are briefed or trained on those procedures. If you are unable to provide certain items, services, or information you can place signage which is visible to outside observers.

In a reduced staffing situation, there is increased potential for crimes of opportunity by trespassers as well as malicious insiders. Ensure that all personnel are trained in security awareness, safe challenge procedures, and the reporting of suspicious persons or acts to security or management.

Conclusion

Security professionals take pride in being prepared for emergency operations. While the situation presented by COVID-19 is a challenge not often seen, security managers can take the necessary steps to meet it. By working closely with organization management, we can help ensure that both continuity of operations and efficient recovery are possible in adverse conditions.

Comments are closed.