• Home
  • Staying secure during COVID-19

Staying secure during COVID-19

Introduction

The conditions resulting from the pandemic may mean there are greater risks to the security of your organisation. CPNI wants to assist in mitigating any increased threat at this critical time. This page provides links to CPNI and NCSC guidance to help organisations to mitigate security threats at this critical time.

We recommend that your organisation reviews your current processes against the guidance below. Any new processes should be implemented at a reasonable pace, taking into account your normal business and risk management process.

Returning to the Workplace

The CPNI COVID-19 Workplace Actions campaign is a behaviour change campaign that we have developed for use within our own organisation. We developed the campaign to help encourage the right behaviours in our own premises and meet the paramount need to ensure that we can deliver our mission whilst keeping our employees as safe as possible.

This is not a standard CPNI security behaviour campaign and it has also been produced primarily to meet our own needs and operating environment. However, we believe many other organisations are in a similar position to ours or will be over the next coming few months. Organisations will need their employees and visitors to undertake the correct social distancing and hygiene behaviours effectively in order to continue operating or to return to a position of where their missions can be delivered safely. This is vital both to the re-opening of the economy and delivery of key services.

New guidance has been produced to help organisations mitigate per sec risks during the ease of lockdown. The guidance identifies that disaffection in the workforce is a key factor in insider risk and therefore focuses on the need for a refresh of per sec risk registers, the important of senior leaders in providing reassurance, the need for good communications regarding changes to security policies and procedures, a requirement to kick start the workforce by providing training, realistic  job objectives and appraisals, whilst adjusting employee monitoring to meet the new working environment and putting in place a rigorous exit procedure for those leaving. The guidance encourages organisations to recognise how to use this opportunity to refresh and embed security messaging whilst reassuring staff on health, safety and welfare.  

The current COVID19 situation is an unstable one and organisations are dealing with considerable pressures to adapt to a changing world, leading to uncertainty and feelings of vulnerability in the workforce. These feelings can lead to growing discontent and disaffection if not addressed by the organisation. One way to do this is to ensure that organisations are keeping their workforce fully informed of changes; but it is difficult to know if the message is getting across. Therefore, CPNI have developed a communication assessment toolkit, which allows organisations to gain feedback on the extent and quality of their communication strategy. The feedback will allow organisations to adapt or enhance their strategy to guarantee that staff are receiving information on change policies that is clear, relevant and timely; thereby avoiding inaccurate speculation and mistrust.

Protective Security and Managing Risks

COVID-19 has had a large impact on most businesses, affecting not just business operations but also security operations too. For some organisations the threats facing the organisations are also likely to have changed.

Good risk assessment is critical to establishing what threats an organisation might face and therefore what security mitigations are appropriate to put in place. The Pandemic has shown so far that some of these security threats may have changed and organisations could be more at risk. Protective Security during Covid-19 provides general guidance on risk assessment and security planning during the crisis.

CPNI has drawn together important security considerations for businesses in financial distress, including those in insolvency or administration, either directly or as a third party. This guidance note covers people, information and property, highlighting how to protect your most important assets, with links to further CPNI advice. Guidance is also provided for client organisations, delivery organisations and insolvency officeholders, providing direction to relevant CPNI advice, to help ensure security is maintained during insolvency or administration processes.

Personnel Security

Currently most organisations will have a larger number of people working from home than normal, which introduces additional risk. Encouraging your employees to take personal responsibility and to think and act in a security conscious way is crucial at this time. This can help prevent incidents and breaches from happening.We have issued high level guidance on good personnel security during a pandemic where usual security practices are either suspended or changed to reflect different working patterns. 

    During COVID-19, poor employment screening processes could enable an insider to recognise the value in being able to access sensitive information or equipment. Having a strong security culture will act as a deterrent to insider activity by ensuring the workforce have a good understanding of security awareness, and ensure they understand how to report concerns where they notice behaviour of concern. The way in which you employ people may also have changed during this period. As restrictions have been put in place for personal interviews as a response to the COVID-19 pandemic, it is increasingly likely that interviews for either recruitment, HR, vetting purposes or even line managers will be required to be undertaken via a telephone or online. CPNI have produced guidance which is designed to make interviewers aware of tried and tested best practice, as well as recommendations from latest academic research.

    It is important to preserve the trust already established with employees, despite serious disruptions caused by such events as the COVID-19 pandemic. Disruption can have a negative effect on how some employees perceive or trust their employers, especially in how the latter responds to the crisis. If there is a breakdown in trust and employees see limited efforts to support them during the crisis, some might seek to undertake unauthorised insider acts for their own benefit or even just to exact revenge against their employers. CPNI have released guidance to give employers hints and tips on how to keep the trust employees have in their employers and organisations.

    CPNI would like to draw your attention to personnnel security guidance to support line managers in return to workplace discussions. This guidance provides practical advice and tips to support the line manager in their responsibilities.

    Hostile actors and criminals may act anonymously online in an attempt to connect with people who have access to valuable or sensitive information. CPNI have released Think Before You Link which provides advice on the security risks of putting too much information about your employment on social media.

    Hostile actors and criminals may also seek to gather information about your organisation or event to inform their attack planning. CPNI have released guidance on how to promote protective security measures alongside any planned communications related to COVID-19.

    The Protective Security Management Systems (PSeMS) is an assurance system for organisational security. This version of the PSeMS checklist provides Security Managers a set of protective security statements, specific to the current Pandemic crisis, to help assess the new security posture of their organisation identify where gaps are and what mitigations they may need to put forward for Senior Management approval. 

    Virtual tours are a great way of helping attract people to your site and/or plan their visit. During the COVID-19 lockdown restrictions virtual tours can help maintain interest of potential visitors and keep them mindful of the site as a place to visit once Government advice allows. For advice on how to create virtual tours CPNI has published Security Minded Communication Guidance for Virtual Tours.

    Other guidance which will help you secure your people can be found here:

    Exit Procedures

    Physical Security and Guarding

    The physical security and security operations at sites will likely have to adjust to accommodate a different balance between health considerations vs security measures (some measures may be perceived to increase the spread of the disease), social distancing, non-availability of security personnel, changes in threats, vulnerabilities and risks to an organisation etc.

    Where security staff resource is limited, consider deploying it across the various roles normally undertaken in a manner that has greatest impact in terms of reducing risk. In order to do this, it is important to take a strategic view of security risks and priorities.

    Ways of reducing security risk that could be considered may include:

    • Limiting the number of operational entrances/exits and working hours
    • Securing and preventing access to non-essential areas
    • Procuring only from key trusted suppliers
    • Minimising vehicle movements onto sites
    • Ensuring sensitive information is destroyed appropriately

    CPNI has developed the following guidance to help organisations work through some of these issues:

     

    Did you find this page useful? YesNo
    Thank you for your feedback. If you have any further suggestions on how this information can be made even more useful to improve your experience, feel free to share details below.
    Thank you for your feedback. Sorry to hear that you haven't found this information useful. Please help us improve your experience and share how we can make this information more useful for you.