What are the crisis management implications?
Richard Stephenson CEO YUDU Sentinel
Organisations have always faced threats: Data breaches, industrial espionage, terror attacks and more. Sometimes attacks are existential, others are more easily handled. To fight back firms typically had at their disposal a retinue of staff in the office ready to swing into action. Not anymore.
The pandemic is having a fundamental impact on the way we work. Organisations need to give some serious thought as to how they manage threats when the new normal means a large proportion of their workforce will be out-of-office. How do you a fight a cyber-attack when only a handful of staff are present?
There has been a slow drift to flexible working for many years. A senior executive recently told me the change towards home working took six months rather the six years he was predicting prior to the pandemic.
When Coronavirus hit and lockdown started, those jobs that could be done remotely changed almost overnight. One day you were in the office, the next you were trying to figure out how to conduct Zoom calls from the bedroom.
Over the years plans for extending remote working, based on efficiency, were presented to boards but often remained unapproved. Now the data is in and in many cases, firms are seeing a rise in productivity with staff often happy to be part of this new workplace revolution. Though a US executive added a note of caution when he said: “we don’t think productivity is a big problem, but a sense of belonging is”.
The mighty headache that flexible working is causing is reserved for landowners and property companies.
Barclays CEO, Jes Staley said: “The notion of putting 7,000 people in a building may be a thing of the past” and predicted the bank may in future only use a small proportion of the skyscraper they occupy in Canary Wharf.
The City of London police commissioner, Ian Dyson, said the thirty biggest employers in the Square Mile would only be bringing between 20% and 40% of their staff back to their offices over the coming months with the rest continuing to work from home. With the current rise in Covid cases, even those figures look optimistic.
Outsourcing giant Capita is closing 100 offices and Twitter has told staff they can work from home permanently should they choose to do so.
We can therefore assume the change in working will be permanent but will vary in implementation. All staff being present at the office eight hours a day, seven days a week is a thing of the past. The future will likely involve flexible work patterns.
We may also see the rise of hub offices located in the suburbs where staff will meet several times a month. This idea has been touted since the 1970s as a solution to commuter transport congestion.
Crisis management implications
In 2019 the law firm DLA Piper was hit hard by the NotPetya cyber-attack. Staff arriving at their offices we greeted with a flip board telling them not to turn on their computers in an effort to stop the spread of the virus. Spanish firm Telefónica had staff running around their offices with loud hailers shouting the same message at bewildered workers.
Fast forward to Covid-induced remote working and these methods of communication would be impossible.
During a cyber-attack, an organisation’s normal communications are often disabled, but speed of messaging to staff during an attack is essential. How do you grab the attention of an atomised workforce? Mass notification must be ready to go at a moment’s notice. The best practice is for all staff to have an App on their phone that plays high-intensity alert sounds to get their attention. Differentiation from the clutter of common social media alerts is vital.
In the world before coronavirus (I’d say BC but that’s already been taken) offices were typically staffed with trained fire marshals, first aiders and crisis managers.
When an office is only partially occupied many of these specialists will not be on site leaving those present vulnerable if a crisis occurs. The best solution is training. Firms need to broaden the base of crisis management knowledge. Many companies are reporting a surge of interest in training which often helps make a workforce feel more connected.
Companies will struggle to know where their staff are at any one time, but wherever they are located the firm is legally responsible for staff well-being and safety. Lone workers may be particularly at risk.
It’s well known that cyber criminals are attempting to exploit the vulnerability of lone workers, so constant education on cyber hygiene is now a priority. Staff may be using their own devices which can create cyber security issues if the security configurations on their employee’s equipment are poor.
Should a lone worker spot a potential cyber-attack or become involved in an incident they must be able to alert and summon support and advice from their organisation. This could be done using their existing channels such as calls, texts and emails, but these are not emergency channels and responses can therefore be patchy and slow.
All staff should have the ability to trigger an alert from the App on their phone that notifies a response team at their company. This should be as simple as selecting the threat from a menu and pressing send. This avoids the use of misleading or confusing messages that can easily be posted in times of stress.
Who’s in the office?
On occasions, during an emergency, messages may need to be sent to individual groups, perhaps just those working at the office. But once again, how do you know who is where?
Businesses that use access cards to swipe in and out of a building should have this information but that may not be true of multi-tenanted offices if the data is lodged with facilities management.
Various solutions present themselves. Get staff to log into a crisis management platform. There are systems now available where employees merely scan a QR code and are immediately added to the ‘In-office group’. They are removed when they check out or after a default number of hours later.
Remote working means remote crisis management
Almost all medium to large organisation have developed business continuity and crisis management plans and playbooks. In some of the more regulated sectors it is a legal requirement. These frequently require key staff to assemble in the designated incident room. Post-Covid that is unlikely to happen.
Remote working means remote crisis management and that’s a tough call. This requires a big step up in communications and technology.
Training simulations for remote incident management will now have to be run as the default option. Access to real-time information and all incident response plans is essential but it is the collaborative communication tools that need to be mastered.
This requires reliable conference calls, secure chat channels, the sharing of images and documents, and the ability to connect with specialists within and external to the organisation. At the same time all stakeholders will need updating as events develop.
People come first
Truth be told we are all still figuring out what the world of work will look like in the coming years and what implications this will have for crisis management. But whatever happens it remains the case that people are an organisation’s prime asset and prime responsibility during an emergency.
To overcome an emergency people require clear, consistent and dependable communications whether they are working from home, from the office or the garden shed. Crises take many forms and ask hard questions. In an atomised world, connectivity is the answer.