New measures to control the risk from Covid-19 can impact your organisation’s security, warns Mike Sopp.
The Covid-19 pandemic is a new hazard for the workplace, requiring organisations throughout the UK to apply revised risk control measures to protect employees and others from the virus.
As with any new hazard and the subsequent risk control measures, the existing risk profile of the organisation — including the security risk profile — can be affected.
UK Government Covid-19 Secure guidelines note that organisations should consider the security implications of any changes they intend to make to current operations and practices in response to Covid-19, as “any revisions may present new or altered security risks which may need mitigations”.
Security risk evolution
The Centre for the Protection of National Infrastructure (CPNI) states that the pandemic “may mean there are greater risks to the security of your organisation” and that “the threats facing the organisations are also likely to have changed”.
Although the CPNI normally advises national infrastructure operators, it is taking a wider role “to help those organisations who are currently or could become key to the crisis recovery efforts”.
Working closely with the National Cyber Security Centre (NCSC), the CPNI is providing tools and guidance products to help government, infrastructure and businesses adapt their security position as the Covid-19 crisis progresses.
The CPNI emphasises that security risks will evolve with the easing of lockdown and an eventual return to some form of business as usual.
According to the CPNI it is essential to “reassess security risks as each of the phases develops” to help the leadership of an organisation to:
ensure security measures continue to be fit for purpose
identify where security policy may need changing
understand opportunities and requirements for security to support the business
highlight vulnerabilities due to changing working practices
ensure equipment and personnel are in place to support future phases
engage staff so measures are understood and operated as intended
plan for efficient removal of temporary or re-implementation of previous measures
review current risks as the environment changes.
To assist organisations with reviewing security, the CPNI has produced a security management “pandemic self-assessment checklist”. The purpose is to help the organisation understand its strengths and weaknesses with respect to organisational security assurance during a pandemic such as Covid-19.
Based around the Plan-Do-Check-Act process, the checklist asks a series of questions in relation to indicators of good practice. Indicators include whether:
a security risk assessment related to the changed circumstances of the pandemic has been carried out
changes in security practices have been communicated to staff
the organisation's security posture and risk appetite has been reviewed
the need for new services, new software, new IT controls, has been evaluated and requirements decided upon with security in mind
additional or alternative protective security measures have been identified and implemented where usual security practices are no longer adequate
effective policies and procedures have been introduced for managing personnel who are being furloughed or made redundant
review of new or revised security practices has been included as a standard item in senior leadership meetings.
According to the CPNI, there are three key areas that will need to be addressed in terms of security and the pandemic: personnel, physical and cyber security.
Following lockdown, many organisations will still have large numbers of employees working from home and conversely, fewer employees in the physical work environment.
Implications of this could include:
increased numbers of employees using new technology for long periods and possibly for the first time (unaware of cyber threats)
employees using their own technology and equipment for work purposes (without necessary security protocols)
employees using work equipment for unauthorised purposes
fewer on-site employees to be aware of on-site security breaches
individuals in the workplace taking advantage of relaxed security protocols for their own benefit.
In addition, organisations could be facing significant business disruption and financial hardship, leading to employees being furloughed, pay cuts and even redundancies. Employee unhappiness and the breakdown of trust in employee/employer relationships in these circumstances could also create security threats.
The CPNI recommends that organisations “conduct a personnel risk assessment before proportionately adjusting security policies and procedures to accommodate new working practices both for remote workers and on site”.
Risk control measures will be based primarily upon awareness training. This will encourage appropriate behaviour among the workforce to prevent accidental security breaches. The CPNI has produced useful guidance and recommendations for risk control, including:
providing guidance on what is allowed when working remotely regarding use of IT
repeating security guidance frequently as a reminder of good practice and threats being faced
advising how to communicate securely by email, mobile, conference calls, etc
advising how to work securely from home where there are others sharing the same space.
If fewer employees are present on site to observe and enforce good security behaviours, a greater reliance upon technical measures to prevent deliberate or accidental security breaches may be necessary.
In addition, it is worth reminding staff frequently about both the physical and technical security measures that should be adopted. This includes when and how to report security concerns.
The CPNI states that “recognising signs of disgruntlement from within the workforce” is essential. It then recommends that employers:
develop a clear vision of what the future work environment will look like so as to provide certainty with open, honest and respectful communication
encourage collective decision-making involving employees and their representatives to give a feeling of control over the future.
Physical security and guarding
According to the CPNI, “the physical security and security operations at sites will likely have to adjust to accommodate a different balance between health considerations vs security measures”.
Key areas for consideration are:
security guarding issues such as searching/screening, receiving in-bound goods, depleted service provision and communicating if wearing a face covering
access management and control including control of the public, use of access control systems and physical security measures.
Certainly the application of Covid-19 secure requirements could influence the above. For example:
how to undertake searching and screening while maintaining social distancing
receiving goods that would normally be subject to screening
reduced guarding provision due to self-isolation and illness
increased queuing and waiting times for public
touch points on access control systems
one-way systems requiring a previously secure door being left open
ventilation requirements resulting in internal secure doors being open.
The CPNI has produced various useful guidance documents in relation to the above. Again, the starting point should be a review of the security risk assessment and associated operational security requirements.
The greatest chance of Covid-19 transmission will occur when people are in close physical proximity, such as when a security officer is conducting a manual search of a person and/or their belongings.
The CPNI states that “it therefore must be a principal aim of any new or adapted measures to reduce the frequency and duration of these searches if possible. This can be achieved by shifting the focus of the process onto screening for threats and searching only in instances where a threat is suspected.”
This could involve having to use additional technology such as metal detectors. Where physical searching is required, employers will also need to consider if personal protective equipment is needed for security personnel.
Other measures to consider will include:
touch points such as pin-pads and biometric pads will require additional and regular cleaning
security/entry cards should be cleaned regularly by the card holder and employees reminded not to put them in their mouth temporarily while they rearrange belongings
employees reminded not to physically “tap” proximity cards on readers (they work up to 10cm away)
introducing social distancing in queues and protection for those queuing, eg from traffic when outside
increased security at doors that are normally secured.
According to the CPNI, “one of the biggest threats that has emerged during the pandemic so far is the use of online phishing techniques by hostile actors to exploit concerns about Covid-19”.
The CPNI/NCSC has produced guidance to support employers in defending against such attacks. In addition, they have produced guidance on working from home. This suggests a number of factors to consider, including:
preparing employees for working at home by ensuring they have the tools to work from home (software as a service application), are trained in their use, and have appropriate guidance and support
ensuring devices are encrypted, can be remotely locked and have secure access, and do not allow removal devices to be attached
provide briefing to employees on how to recognise potential malware and phishing emails, etc
if allowing employees to use their own devices, ensure cyber security forms part of any bring-your-own-device (BYOD) policy and procedures.
The Covid-19 pandemic has the potential to change an organisation's security risk profile, either through the need to introduce Covid-19 secure guidelines or through economic impacts. Organisations should review their security risk assessments and ensure the security measures are adapted to take account of changes in the risk profile.
Key areas of focus include the impacts in respect of personnel security, both in respect of the materialisation of accidental threats and malicious employee hostile action.
Cyber threats are on the increase. Employers need to ensure their IT systems are protected and that employees follow all necessary procedures to prevent cyber-attacks.
Security management should be kept under review as the pandemic situation changes.
For guides, checklists and advice, see the:
range of in-depth topics in the Security and Emergency Planning section