Take a look at this document from the Centers for Disease Control, which provides a plan for business to prepare for an influenza pandemic: http://www.flu.gov/planning-preparedness/business/businesschecklist.pdf
There are many threats to organizations, and we can’t worry about all of them. As an IT security professional, would you be concerned with the threat from a pandemic? What threats do you feel are worth considering and being prepared? Conversely, what kinds of threats should we be less concerned with? Does anyone recall hiding under their desk during the Cold War… was this a threat worth preparing for? Can you find any other documents from the Government that offer guidance on other threats?
The answer to this question, I think, lies within the resources of the business. A larger company has the resources to develop plans for something as specific and rare as a pandemic but a smaller organization might broaden the scope to a more generic “mass loss of life.”
I think the threat to IT is that in a pandemic situation there could be a large loss of life or at least a period where many employees are sick or even instructed to stay home. For that reason I think it’s important for the IT team to have people cross-trained in different areas or maybe even have the ability to move onto a redundant system that might be serviced by staff outside of the affected health zone. A critical piece of this is the communication. When did someone fall ill? What buildings were they in? If I was around them or in their building what do I do? Even if I wasn’t near them what do I do?
Overall I think you start to plan for the threats with the highest risk and largest impact first and start to work down to the things with the lowest risk and lowest impact. This prioritized list is made after conducting a risk assessment on the entire enterprise.
There are many threats to organizations, and we can’t worry about all of them.
– As an IT security professional, would you be concerned with the threat from a pandemic?
Yes, I would be concerned, as the primary impact of a pandemic would be long periods of employee absenteeism which would affect the organization’s ability to provide services. Therefore a business continuity plan would need to be in place to keep the organization going with a limited number of staff on site and a large number telecommuting. This means as IT we have to prepare for a significant increase in bandwidth use due to telecommuting, VPN concentrator capacity/licensing, ability to offer VoIP and laptop/remote desktop availability. We also need to ensure we have the right and effective virtual meeting tools – video conference and desktop sharing apps.
As IT we would also need to ensure we have an alert system in place based on monitoring of World Health Organization (WHO) and other local sources of information that can update employees on the pandemic.
– What threats do you feel are worth considering and being prepared?
Threats that have the potential to be a pandemic or catastrophic, as these can impact the organization adversely. You cannot know which pandemic or disaster would happen next, but you want to have a disaster recovery plan and business continuity plan in place to address these. You would be aware once they start, as they affect a large number of people, such as in the cases of the Avian Flu, SARS and HIV.
– Conversely, what kinds of threats should we be less concerned with?
Outbreaks such as measles, and generally illnesses with a vaccine or cure, would be of less concern. They are most unlikely to become a pandemic as long as adequate vaccination rates are kept. Outbreaks that are in another part of the world and not global, such as Ebola virus of West Africa, which can be contained through a strict travel ban. Generally you are looking at low risk events with little or no impact to the organization as of least concern.
– Does anyone recall hiding under their desk during the Cold War… was this a threat worth preparing for?
Yes, because at that time it was a real threat. People needed to know what to do in the event of a nuclear attack. ‘Duck and Cover’ made you aware that standing upright and uncovered set you up for serious injury and even death due to the first flash of a nuclear explosion.
– Can you find any other documents from the Government that offer guidance on other threats?
Bomb Threat guidance: https://www.dhs.gov/sites/default/files/publications/dhs-bomb-threat-checklist-2014-508.pdf
Responding to Biological or Chemical Threat guide: http://www.state.gov/documents/organization/19691.pdf
Mushima,
Great explanation and examples. I would agree that, being an IT security professional, it is better to be concerned about the pandemic threat considering the possible impacts that could arise from its nature. Business Continuity Planning or even having an internal pandemic team are must-haves in order to promptly and effectively respond to pandemic situations and threats accordingly. The need to plan should not be negotiable, as the threat poses high risks of negative impact on personnel shortage. Furthermore, companies who have established BCP policies have a better chance to be the company of choice for employees, because it would show that the company is truly caring for personnel. It is all about people’s safety and therefore every company must have concerns about adequate policies to protect from pandemic threats.
Critical threats to be considered would include Influenza and Emerging Pandemic Threats. While companies have BCPs, these plans may not be effective if they don’t account for extreme health impact assumptions and containment strategies projected for high severity levels of pandemic influenza.
Non-critical threats could be those that are under control with vaccinations and don’t pose long term risks. Basically, threats that do not spread over a wide region.
Hiding under their desk during the Cold War: for these kinds of global threats such as war, it is worth it to be prepared. We never know what may happen in the world, and even though the chance for it to happen is very low, it is still better to be concerned and prepared. The reason for the importance of preparedness is that nuclear bombs are well known by military and government officials, but their potential destructive capabilities still stay unclear to the general public. The Department of Homeland Security is providing guidelines regarding this type of threat as well as pandemic outbreaks in the document “Prioritization of Critical Infrastructure for a Pandemic Outbreak”:
https://www.dhs.gov/xlibrary/assets/niac/niac-pandemic-wg_v8-011707.pdf
As an IT security professional you cannot be concerned with a pandemic as a threat. Since a pandemic only concerns personnel and not systems, this however could affect the personnel that work with these systems. In the worst possible scenario other people could be obtained as temporary workers with similar knowledge.
Threats that are worth preparing for are natural disasters that could affect data centers. If data for a small business data center is not backed up properly, a natural disaster could be devastating. This could completely discredit the company and destroy customer data. This is more important to prepare for and make sure that backups are made and are tested to work if something like a natural disaster were to occur.
I believe that the threat of a pandemic needs to be considered when creating contingency plans the same way as loss of employees is planned for in other disasters. The probability needs to be considered against other disaster types and the priority of planning for a pandemic should be appropriately assigned. If the organization views that the probability of a pandemic is low, the amount of time planning for a pandemic can be lower, but it should still be planned for. If a pandemic were to hit, a large part of an organization’s workforce could be impacted and the organization needs to have a plan in place for how to continue operations without these people. I would personally put the threat from natural disasters such as floods at a higher probability than a pandemic, and put more effort into planning for those types of threats than planning for a pandemic, but would still put some effort into planning for a pandemic. Many of the plans for other disasters can also be used for a pandemic. If a hurricane hits the town where you have operations, a portion of your workforce will be focused on fixing their own homes and not on going to work, so you would need to plan for how to continue operations without them, just as you would if they were affected by a pandemic.
As an IT security professional, I think I should be concerned with the threat from a pandemic since the absence of important employees would decrease productivity and even cause delays of projects. Also, businesses should protect employees’ health and safety during their work time. Therefore, we will need to prepare business continuity planning and disaster recovery planning.
First of all, the business needs to identify disasters. Then they can design plans for different types of disasters. Threats that can be of less concern should be common diseases that can be controlled by vaccine but still can spread to people, like flu. Businesses can regularly order flu shots to control this kind of risk. Unlike flu, other fatal disasters like wars, HIV, Ebola, etc. are very difficult to manage. I found an Emerging Pandemic Threats (EPT-2) program that was launched by the U.S. Agency for International Development (USAID). EPT-2 builds on the lessons and knowledge from EPT-1 and brings heightened focus to places and practices that not only enable new microbial threats to “spill over” but also potentiate their spread. The program invests in “one health” policies that span public health, agriculture, environment, economic growth, and education. All of these sectors must be reached for the prevention and control of such threats. Businesses can use this for guidance during a global epidemic.
Pandemic Influenza and other Emerging Threats: https://www.usaid.gov/sites/default/files/documents/1864/PIOETFact%20SheetApril2013.pdf
Predict 2: https://www.usaid.gov/sites/default/files/documents/1864/Predict2-factsheet.pdf
IT security professionals should be prepared for pandemic events. Why? The sudden loss of key personnel would adversely affect the business. A pandemic event can disrupt a business in many ways like loss of personnel, absenteeism due to personal illness or family member illness, and contamination of equipment and supplies, if not addressed properly.
Not all pandemic threats would have the same consideration and priorities, just as not all IT risks must be mitigated the same way. A Business Impact Analysis would have to be conducted to determine the level of risk each threat will produce. For example, the flu would probably pose more of a threat than cholera. New strains of the influenza virus are found every year, but the water treatment in the US has made cholera a negligible threat. Another pandemic that should be considered is malaria and the Zika Virus. With global warming extending the “tropics” zones to parts of the US, there are documented cases of these viruses being carried to the US by mosquitoes.
I believe that the threats during the Cold War were worth preparing for. Although a nuclear attack did not happen, it created a sense of urgency and preparedness for the nation if it did. The threat of a nuclear strike seemed imminent, especially during war times.
Occupational Safety and Health Administration – Guidance on Preparing Workplaces for an Influenza Pandemic : https://www.osha.gov/Publications/influenza_pandemic.html
There are many threats to organizations, and we can’t worry about all of them. As an IT security professional, would you be concerned with the threat from a pandemic? What threats do you feel are worth considering and being prepared? Conversely, what kinds of threats should we be less concerned with? Does anyone recall hiding under their desk during the Cold War… was this a threat worth preparing for? Can you find any other documents from the Government that offer guidance on other threats?
As an IT security professional, would you be concerned with the threat from a pandemic?
In my first role as an IT security analyst, part of my duties was supporting the remote access for the company and their vendors that worked remotely. One example that comes to mind is what I called “operation snow day” where I opened additional bandwidth from AT&T to allow access to the VPN. Typically we had 200 users log in on a normal basis but during operation snow day we had 10000 and the internet would become busy during business hours. If everyone was told to stay home due to a pandemic I would make sure that “snow day” was put in place before I went home like everyone else.
What threats do you feel are worth considering and being prepared? I feel being prepared for the real higher percentage situations such as power outages to a data center, an ISP outage or a critical application becoming unavailable.
What kinds of threats should we be less concerned with? Earthquakes, tsunamis and hurricanes. Things that only happen once every hundred years. I can talk about the preparations but could not practice it.
Does anyone recall hiding under their desk during the Cold War… was this a threat worth preparing for?
I do not recall having to hide under my desk for school, but I do remember the fire drills. The point of them was to know where to go when a fire was in your building and where to meet a person of authority. The same procedures are built around earthquakes, tsunamis and flooding, creating evacuation plans on how to get out of the area safely.
Can you find any other documents from the Government that offer guidance on other threats?
Hurricane procedure manual:
http://www.oas.org/cdmp/document/chaman/chaman.html
I would be concerned with a pandemic so long as it is occurring in the same geographical location and posed a threat to the organization. Pandemics can cause serious harm to an organization by incapacitating the employees of the company. Without the employees, the business can’t function as usual and can suffer serious financial losses as a result. If the pandemic won’t realistically affect your business (the Zika virus for example was huge on the news, but in reality was of little concern to most Americans) then taking precautions could be a waste of resources. However, in 2010 the swine flu swept through the United States and caused people to be out of work for considerable times. In a situation like this, where the pandemic is highly contagious and taking people out of work in a geographic location relevant to your business, it is necessary to manage this risk.
In general, anytime your organization decides on which risks to manage and how to manage them, you need to consider the likelihood of the event and the severity of the loss that would result from the loss. If a risk is highly likely and high severity, that risk would be a priority to manage. Likewise, if risks are high likelihood, low severity or vice versa, those risks would be worth managing. Conversely, if a risk is low severity and low frequency, it would be safe to accept the risk or put minimal effort into managing the risk.
As for hiding under the desk during the cold war, that practice was more psychological than practical. Realistically, the safety benefit of hiding under a desk in a nuclear attack is null unless you’re on the very outskirts of the shockwave’s radius. However, the practice provided peace of mind to many people despite how misguided it was.
An IT security professional must be concerned with pandemic as pandemics like influenza will be widespread, affecting multiple areas of the United States and other countries at the same time. A pandemic will also be an extended event, with multiple waves of outbreaks in the same geographic area; each outbreak could last from 6 to 8 weeks. Waves of outbreaks may occur over a year or more. Your workplace will likely experience:
Absenteeism – A pandemic could affect as many as 40 percent of the workforce during periods of peak influenza illness. Employees could be absent because they are sick, must care for sick family members or for children if schools or day care centers are closed, are afraid to come to work, or the employer might not be notified that the employee has died.
Change in patterns of commerce – Consumers may try to shop more online to reduce contact with other people, and show increased interest in home delivery services. Thus internet and IT services become more prevalent.
It is important for all businesses and organizations to begin continuity planning for a pandemic. Lack of continuity planning can result in a cascade of failures as employers attempt to address challenges of a pandemic with insufficient resources and employees who might not be adequately trained in the jobs they will be asked to perform. Proper planning will allow employers to better protect their employees and prepare for changing patterns of commerce and potential disruptions in supplies or services.
This article from the Government seems helpful; it offers guidance on other threats: https://www.osha.gov/Publications/influenza_pandemic.html
As an IT security professional, I would be concerned with the threat from a pandemic, and I would put it in the company’s continuity plan. A pandemic would be an economic disaster. It would have impacts on stakeholders, employees, partners, consumers, suppliers and communities, and thus disrupt the company’s business operation and even the entire supply chain. Managing the threats posed by a pandemic is critical for business survival. It is necessary for companies to put the threat of a pandemic in their continuity plan, and develop both medical and nonmedical risk mitigation strategies for a pandemic. A contingency plan is also needed to respond and recover once a pandemic has infected employees or suppliers. In addition, companies can have a pandemic-tracking model to get information about the spread of the pandemic and development of vaccines to act and respond quickly.
Besides pandemics, there are so many threats a company should be concerned about, but whether they are worth preparing for will depend on the threat’s probability, frequency and severity, and the company’s tolerance and appetite. Companies should develop a matrix to assess each possible threat. Threats with high probability, frequency and severity must be a concern and prepared for. For example, for an IT company in Florida, flood is a threat that it has to prepare well for. On the other hand, threats with low probability, frequency and severity can be of less concern and are not worth preparing for. Whether those threats in the middle need concern and preparation will depend on the company’s tolerance and appetite based on the company’s size, type and preference. In this case, I think a pandemic is a threat with medium probability and frequency, yet high severity, that every company should be concerned about and prepare for. Similar threats include natural and man-made disasters. However, I think war would be a threat worth less concern. It has very low probability and frequency yet extremely high severity, but its probability and frequency may change over time. It can hardly be avoided, therefore companies should focus on how to protect employees from attacks, such as providing training on protecting themselves from attacks.
As an IT professional it is still important to be prepared for a pandemic. IT operations are normally required to remain in some kind of functioning state when a disaster strikes. Methods of communication are mostly IT related, particularly with organizations with offices that are a considerable distance apart. In my company, during several of the major snowstorms certain members of the IT department were put up in hotels so they could still work while the city was shut down. Since there are several offices across the country, IT related issues were still required to be serviced by Home Office.
IT services is an important department when dealing with threats of many kinds. The government documentation on Preventing Violent Attacks on Government Facilities and Personnel talks about gathering information on suspected individuals which undoubtedly relies heavily on IT interaction.
http://www.secretservice.gov/data/protection/ntac/Preventing-Violent-Attacks-on-Government.pdf
As an IT security professional, would you be concerned with the threat from a pandemic?
As an IT security professional, you cannot focus on every threat that an organization faces daily, such as a pandemic. Although a pandemic would be a threat to an organization, I am sure it is not one that is widely planned for. Unless you live in an area that is common to certain diseases, a company should not expect most of its work force to end up getting sick at the same time. Although something like the flu can keep employees out up to two weeks, there is generally not a good chance for enough of your workforce to be out simultaneously to have an effect on the company. The flu only affects from 5%-20% of Americans each year.
What threats do you feel are worth considering and being prepared?
Threats that are worth being considered by an IT security professional would be threats that are due to external forces. These include events such as natural disasters, fires, etc. These events can be costly to an organization, especially without a proper DRP, BCP in place. This is why IT security professionals must update, and test the company Disaster Recovery Plan, and Business Continuity Plan at least yearly. These plans are more important if you live in an area prone to natural disaster, such as hurricanes, earthquakes, or tornadoes.
Conversely, what kinds of threats should we be less concerned with?
Physical Security is important, but one threat I would not be concerned with is a terrorist attack occurring on an organization, especially if it is in the United States. Terrorist attacks are extremely rare and isolated instances. The percentage of people that are injured or killed in a terrorist attack each year in the United States is less than those who are killed by deer. Although a major threat, something I would not plan for as an IT security professional. This is why I found the Cold War techniques strange. If the Soviet Union decided to drop a nuclear bomb, hiding under a desk would not do us too good.
Can you find any other documents from the Government that offer guidance on other threats?
When I worked for the federal court system, we had to watch videos and complete training each year if there was an armed gunman or potential terrorist attack on the building. The reason for this is because there are many federal judges in the building where I worked, also Timothy McVeigh bombed a government building in Oklahoma City, in 1995.