Take a look at this document from the Centers for Disease Control, which provides a plan for business to prepare for an influenza pandemic: http://www.flu.gov/planning-preparedness/business/businesschecklist.pdf
There are many threats to organizations, and we can’t worry about all of them. As an IT security professional, would you be concerned with the threat from a pandemic? What threats do you feel are worth considering and being prepared? Conversely, what kinds of threats should we be less concerned with? Does anyone recall hiding under their desk during the Cold War… was this a threat worth preparing for? Can you find any other documents from the Government that offer guidance on other threats?
A pandemic such as the flu, chicken pox and smallpox is a threat to IT security because if a few personnel gets sick and a few key people are out can cause information systems to be unprotected if they are not monitored or maintained for a few days or weeks. Now smallpox happening is very rare but flu has a season and can strike any time, so being able to backup systems and personnel is key so that IT security isn’t put at risk because of pandemics. Always be prepared for the flu and be less concerned with smallpox since it is not a major concern at the moment but expect the unexpected.
Hi Neil,
I agree with what you said that Pandemics such as Flu and smallpox are definitely a threat, but a big threat that organizations need to concerned of. In fact, Small Pox and Flu rarely happen. I was reading the article and it says that Flu percentage in the United States has dropped drastically. All that organizations need is to have backup plans for their key personnel so that in times of a Pandemic of any nature, their business operations don’t suffer and that they are able to have buffers. In fact, the concern for such Pandemics purely depends on the nature of the business too. Example, a mission critical business such as support can have a bit of impact, but that I again easily solvable.
I do think it is important to be prepared to respond to a pandemic event, however with any incident, it is important that you consider the likelihood of occurrence and the impact to the organization and to the IT department. While it seems unlikely, it is important to prepare for an event that could make your entire staff unavailable in a specific geographic reason. This could include a pandemic event, a terrorist attack, a natural disaster, etc.
Some organizations have multiple geographic locations and headquarters and may plan to recover at alternative facilities with existing personnel. Others may need to plan to quickly recover at a vacant location and train all new resources. These events are important to prepare for, however you should always take a risk based approach to ensure the cost of your contingency program does not have a significant impact on productivity and profitability of primary operations.
Well put Jason. It really depends on the organization and where the risks are. If you have an organization that has many different sites throughout the globe, maybe departments will create a contingency plan at a local level for disease in the geographic areas. If for example, the company only has 1 or 2 sites that are located in a high-risk pandemic area, they would have a full blown contingency plan in case many people get sick. In the end, the company will need to conduct a cost-benefit analysis to determine whether or not the Risk is high enough to invest in a contingency.
Ahmed,
It is important to prepare for such events by creating a good plan to replace those important elements or create a system that makes the organization not dependent to few employees to process tasks.
Pandemic events such as flu and other heath issue can reflect the performance of any organization especially when it loses key employees that play big roles. It is important to prepare for such events by creating a good plan to replace those important elements or create a system that makes the organization not dependent to few employees to process tasks. The entire team has to be working together in the IT dependent to satisfy delay needs of the company, this will help to not lose all the employees in case of a pandemic event.
I think one way to prevent pandemic events is by not choosing locations that have a high risk to have pandemic events when you create the organization. Documents should be distributed to employees that explain step by step what should be done in case of such event. This can be a type of education for employees to know how to deal with these events. However, taking under consideration the cost is very important especially that preparing for pandemic events can be very costly.
I think what you described is the main concern from a business perspective and the primary measure to combat this threat is to have documented procedures in place for key functions. This along with cross training can help ensure business continuity when disastrous external events take place. At the same time, however, cross training can be a double-edged sword when it comes to SoG. The potential issue of one individual knowing all parts of a system is less likely in large organizations, but is something to be considered and balanced in smaller ones.
One of the problems IT security professionals face is a restricted budget. Many organizations can not afford to have a fully staffed SOC or even have the professional staff available to perform security duties. To offset the differences, organization have to prioritize the information system by assigning values to the information system assets. The value of each asset will differ based on how the organization utilizes the systems.
After the value is determined, the organization can start identifying threats to the information system being analyzed. These threats can come from internal (employees) or external (criminal) vectors. The threats should be judged based on possibility of occurrence and damage to the organization. These, again can be different based on the organization and cultural environment.
A pandemic event would be in IT security would be a virus or worm infecting IoT devices, and using them as an infection point to pass along the virus. As an organization, I would worry about a pandemic event but it would be more focused around the company culture. The last thing I would want as an IT security employee is a viral “I don’t care about security” mindset. This mindset is a virus that can easily spread throughout the organization. The tone at the top is the root cause of this virus. It is passed down to every level of the organization and is very difficult to get rid of when the employee is infected. The employee may even take this virus home and infect their family members, who will pass the same “I don’t care about security” viral infection to their workplace.
The example I recall was the terror color level used after 9/11. The U.S. government would adjust the level based on the intelligence it gathered. Red was high, Green was low, and three other shades to identify the middle levels. I thought this was amusing, because just like hiding under the desk to protect against nuclear explosion, people living on rural farms in the mid-west were buying gas mask in fear of chemical attack. So… The probability of a desk saving you from nuclear explosion is the same as a terror organization attacking a 20 ache farm in Kansas with chemical weapons.
The entire whole thing is based around the emotion “Fear”. Fear will make us spend money on stuff we don’t need. Fear will have a single person stock up their apartment with food because of a blizzard, that never comes. This is why cyber security companies stock prices have increased over the last 6 months. Fear is driving up security profits.
Fred,
I think one way to prevent pandemic events is by not choosing locations that have a high risk to have pandemic events when you create the organization. Documents should be distributed to employees that explain step by step what should be done in case of such event. This can be a type of education for employees to know how to deal with these events.
I would be concerned about a pandemic first as a human being, then as an IT security worker. I would worry more about the upkeep and maintenance of our core IT infrastructure – how long would our telecoms last if nobody showed up to work? Hours? days? Weeks?
As an aspiring IT security professional I see the biggest threats as:
1) AI – Skynet?
2) Malware – Wannacry could have been much worse, if that researcher in the UK hand’t registered the domain the shut it down
3) EMP or Solar Radiation event – A terrorist could knockout a large part of our infrastructure or solar radiation storm from the sun could do the same
4) Related to above, but the threat to our power grid. There has been some good reporting on this issue ( http://tedkoppellightsout.com/ Great book) but it doesn’t seem like much has changed, our national grid is woefully unprepared for an attack or disaster
I don’t think we should lose sleep over the threat of Nuclear War. I loved the Fallout games.
Quantum computing can certainly be classified as a threat, but it can also be seen as a positive, yes it will be a paradigm shift, but lots of opportunities will come with it – humanity is good at adaptation.
I found a good publication by DHS that has an analysis of current threats to infrastructure that the Government is working on addressing:
https://www.dhs.gov/sites/default/files/publications/niac-cyber-study-draft-report-08-15-17-508.pdf
Basically as all others stated here as more and more people get sick there is greater risks for people who have greater roles in the company to fall ill to sickness and will impact others because others won’t know what they did to perform those roles. As more and more people get sick it can potentially grind IT operations to a complete halt. To help prepare for cases like this it is better for people in primary roles to train a backup as a just in case scenario.
Other threats that should be concerned about more are any potential threats to current power grids and all.
As those that remember the Die Hard movie where they hacked into our national power grid and all that could be a very real threat and concern as doing just that could bring our entire country to a halt.
That is just one of the major things that could be impacted but any other major resource grid could be hacked and all as well causing major damage.
This is quite a subjective argument because the need to be concerned about a pandemic spreading largely depends on the nature of the pandemic and its impact on the employees. If a pandemic such as Flu renders the employees unable to work for many days, then I believe any organization or an IT security professional should be concerned because if employees are not working or are ill, then the question of who will protect the IT systems is to be answered.
While it’s important to have preventive measures with respect to alternate personnel or buffer resources to fulfil seats in times of a pandemic, I feel that there is no need to be concerned too much on that. If Risk strategies are carefully planned and executed, then the nature of concern would only arise during the time of the pandemic.
As an IT security professional, I would like to be cautious about common flu or seasonal flu that usually spreads a lot whereas I would be least concerned or rather put on low priority risks related with Pandemic Flu as it happens rarely.
Long story short, ‘Hope for the best, Plan for the worst’. This simple rule doesn’t necessarily make us to hide under our desks during any pandemic that strikes an organization. Rather, organizations need to brace themselves and have the right plans in place.
Bumped upon this interesting piece from the WHO (World Health Organization) that offers guidance on threats
http://www.who.int/influenza/preparedness/pandemic/influenza_risk_management/en/
Pandemic examples are, influenza and another health issue can mirror the execution of any association particularly when it loses key workers that assume huge parts. It is essential to get ready for such occasions by making a decent arrangement to supplant those imperative components or make a framework that makes the association not subject to a couple of workers to process assignments. The whole group must cooperate in the IT-ward to fulfill defer necessities of the organization, this will help to not lose every one of the workers if there should be an occurrence of a pandemic occasion.
I think one approach to forestall pandemic occasions is by not picking areas that have a high hazard to have pandemic occasions when you make the association. Reports ought to be circulated to workers that clarify well ordered what ought to be done if there should be an occurrence of such occasion. This can be a sort of instruction for representatives to know how to manage these occasions. In any case, mulling over the cost is vital, particularly that getting ready for pandemic occasions can be expensive.
This question is kind of unorganized. i mean pandemic belongs to what category. Typically, we make several big categories. Under those, there are several subcategories. If company is big enough, they will have dedicated people calculating how likely what threat could happen, they put more resource on them. For pandemic, it’s less likely happen compare to other direct threat.
As an IT security professional, would you be concerned with the threat from a pandemic? What threats do you feel are worth considering and being prepared? Conversely, what kinds of threats should we be less concerned with? Does anyone recall hiding under their desk during the Cold War… was this a threat worth preparing for? Can you find any other documents from the Government that offer guidance on other threats?
As an IT Security professional, I would be concerned with a pandemic threat as influenza and the many variants of related illnesses. It is very important to state that an organizations strength lies in its people being able to show up for work and carry out their assigned responsibilities. A sick work force will expose an organization so it is well worth it to plan for such threats ahead of time to strategize on ways to mitigate such risks and curb/reduce its spread. One threat that is of less importance to an organization is injuries to employees as well as something like internal fraud. These types of threats should not call for emergency preparedness as they are usually not so widespread as to cripple the operations of a business and can easily be contained and addressed.
As an IT Security Professional, I certainly would not be worried about a pandemic specifically for the reason Professor Green gives in the prompt for this question-we can’t be worried about all threats. In society, we have different groups that concern themselves with different threats, the protection against these threats, and recovery if a threat event happens. For example, we trust and hope that our government intelligence communities are doing their best to determine what threats pose the greatest risk and which are most likely to occur. Simultaneously, we trust and hope that medical and legal personnel will be able to handle the fallout if a threat event occurs. In the same sense, IT personnel cannot and should not concern themselves with medical emergencies in the same way that medical personnel should not concern themselves with a massive cyber attack. Yes, it is true that cyber awareness is everyone’s responsibility but this does not mean it is their main objective in fulfilling their job duties. For me, as an IT security professional, time spent worrying about the outbreak of a disease means less time spent detecting intrusion attempts.
despite the low chances of a pandemic spreading to the staff, any company, not just IT staff needs to be somewhat pro-active. Most companies require a flu-shot now, in my job upon hiring they verified if I had gotten shots for chicken-pox and small-pox. Many companies when they hire people from oversees make sure they have certain shots like polio, hepatites, tb shot etc. I work at a place where all information is confidential. If you want to have a secure IT staff and handle information through proper standards than I am all for having a proactive approach to pandemic sicknesses.