With the confusion and evolving information deluge prompted by the Coronavirus outbreak, this is an important time to examine some IT practices and procedures and determine what can be done to provide services and security during such crises. A good starting point is CISA Insights for Coronavirus risk management.

For those organizations that haven't thought out a telecommuting plan in case staff need to telework for an extended period of time, now is a good time to determine which systems work and which systems don't work for telecommuting. 

Some of the important questions

• What extra security risks are entailed with remote staff?  If staff are taking laptops home, your office firewall is no longer protecting them.
• Do you have adequate remote connections to the office?  If not and all staff connect remotely, services and productivity may suffer, and staff without connections might be subject to forced leave time.
• Is your telephone system fully mobile? Consider options to have your major help numbers answerable by teleworking staff.
• Is each staff member provided with laptops that they take home daily as a regular policy? It doesn't help if all of your staff are suddenly tasked to work remotely and half of your staff leave their computers at the office.  If you're trying to keep your staff mobile-ready, you want a policy that ensures that they have their laptops home every night.
• Do remote staff have access to all systems needed to keep them productive and keep the critical systems running?  Consider how systems need accessing and design secure connections to them through your VPN.

Security is also at higher risk during crises.  The current Coronavirus concerns greatly increase the chance of a staff member falling for a phishing attack.  Security awareness training is more important than ever as the first line of defense to keep your systems secure.  A Coronavirus phishing email can turn into a major ransomware attack, and now you're dealing with two crises instead of one. 

Are your systems as secure as you think they are?  Do you have backups, and are they safe from the same hack?  More than one organization had its main files encrypted by ransomware, then the same 'bad actor' accessed the backups and deleted them.  Don't let Coronavirus concerns cause a different but more dire IT concern through increased ransomware risk. 

If you don't have a current security awareness training program, this is the time to push for it and implement it as soon as feasible. What you can do immediately is follow the cybersecurity recommendations in the CISA Insights article, but you should elevate that to full security awareness training AND testing as soon as possible.

Do you have emergency contact systems in place for employees to contact in case of emergency?  If you have the budget, you can also incorporate an emergency contact system for citizens as well.

This is also the time to test your backups, which means also testing data restores. Do you have a current business continuity plan in place for IT?  Now is the time to review and update it if needed.

Many organizations don't take into account third party supply chain issues. Supply chain vendors are any outside vendors that you depend on for daily operations. It could be your hosted website, your financial system, equipment, and fuel providers, etc.  What happens if any of these are affected by their own staffing issues?  Even if you believe your organization to be fairly secure, your vendors' security affects your organization, if they host staff or citizen information or financial data.  Consider implementing third party security monitoring to help alleviate these concerns.  You need to know if your vendors are a risk for your organization.

Many of the priorities of the Coronavirus crisis are also everyday IT concerns, so use this time to not only prepare for this crisis, but build the tools and systems you need for every other day.

FEMA has a template for business continuity plans related to a pandemic.  Also see ICMA's web page for Covid-19 updates and resources.