Staying secure during COVID-19
The conditions resulting from the pandemic may mean there are greater risks to the security of your organisation. CPNI wants to assist in mitigating any increased threat at this critical time. This page provides links to CPNI and NCSC guidance to help organisations mitigate security threats.
We recommend that your organisation reviews your current processes against the guidance below. Any new processes should be implemented at a reasonable pace, taking into account your normal business and risk management process.
Returning to the Workplace
The CPNI COVID-19 Workplace Actions campaign is a behaviour change campaign that we have developed for use within our own organisation. We developed the campaign to help encourage the right behaviours in our own premises and meet the paramount need to ensure that we can deliver our mission whilst keeping our employees as safe as possible.
This is not a standard CPNI security behaviour campaign and it has also been produced primarily to meet our own needs and operating environment. However, we believe many other organisations are in a similar position to ours or will be over the next few months. Organisations will need their employees and visitors to undertake the correct social distancing and hygiene behaviours effectively in order to continue operating or to return to a position where their missions can be delivered safely. This is vital both to the re-opening of the economy and delivery of key services.
New guidance has been produced to help organisations mitigate personnel security risks during the easing of lockdown. The guidance identifies that disaffection in the workforce is a key factor in insider risk and therefore focuses on the need for a refresh of personnel security risk registers, the importance of senior leaders in providing reassurance, the need for good communications regarding changes to security policies and procedures, a requirement to kick-start the workforce by providing training, realistic job objectives and appraisals, whilst adjusting employee monitoring to meet the new working environment and putting in place a rigorous exit procedure for those leaving. The guidance encourages organisations to recognise how to use this opportunity to refresh and embed security messaging whilst reassuring staff on health, safety and welfare.
The current COVID-19 situation is an unstable one and organisations are dealing with considerable pressures to adapt to a changing world, leading to uncertainty and feelings of vulnerability in the workforce. These feelings can lead to growing discontent and disaffection if not addressed by the organisation. One way to do this is to ensure that organisations are keeping their workforce fully informed of changes; but it is difficult to know if the message is getting across. Therefore, CPNI have developed a communication assessment toolkit, which allows organisations to gain feedback on the extent and quality of their communication strategy. The feedback will allow organisations to adapt or enhance their strategy to guarantee that staff are receiving information on change policies that is clear, relevant and timely; thereby avoiding inaccurate speculation and mistrust.
Protective Security and Managing Risks
COVID-19 has had a large impact on most businesses, affecting not just business operations but also security operations. For some organisations, the threats they face are also likely to have changed.
Good risk assessment is critical to establishing what threats an organisation might face and therefore what security mitigations are appropriate to put in place. The pandemic has shown so far that some of these security threats may have changed and organisations could be more at risk. Protective Security during Covid-19 provides general guidance on risk assessment and security planning during the crisis.
CPNI has drawn together important security considerations for businesses in financial distress, including those in insolvency or administration, either directly or as a third party. This guidance note covers people, information and property, highlighting how to protect your most important assets, with links to further CPNI advice. Guidance is also provided for client organisations, delivery organisations and insolvency officeholders, providing direction to relevant CPNI advice, to help ensure security is maintained during insolvency or administration processes.
Currently most organisations will have a larger number of people working from home than normal, which introduces additional risk. Encouraging your employees to take personal responsibility and to think and act in a security-conscious way is crucial at this time. This can help prevent incidents and breaches from happening. We have issued high-level guidance on good personnel security during a pandemic where usual security practices are either suspended or changed to reflect different working patterns.
During COVID-19, poor employment screening processes could enable an insider to recognise the value in being able to access sensitive information or equipment. Having a strong security culture will act as a deterrent to insider activity by ensuring the workforce have a good understanding of security awareness, and ensure they understand how to report concerns where they notice behaviour of concern. The way in which you employ people may also have changed during this period. As restrictions have been put in place for personal interviews as a response to the COVID-19 pandemic, it is increasingly likely that interviews, whether for recruitment, HR or vetting purposes or even by line managers, will need to be undertaken by telephone or online. CPNI have produced guidance which is designed to make interviewers aware of tried and tested best practice, as well as recommendations from the latest academic research.
It is important to preserve the trust already established with employees, despite serious disruptions caused by such events as the COVID-19 pandemic. Disruption can have a negative effect on how some employees perceive or trust their employers, especially in how the latter respond to the crisis. If there is a breakdown in trust and employees see limited efforts to support them during the crisis, some might seek to undertake unauthorised insider acts for their own benefit or even just to exact revenge against their employers. CPNI have released guidance to give employers hints and tips on how to keep the trust employees have in their employers and organisations.
CPNI would like to draw your attention to personnel security guidance to support line managers in return to workplace discussions. This guidance provides practical advice and tips to support the line manager in their responsibilities.
Hostile actors and criminals may act anonymously online in an attempt to connect with people who have access to valuable or sensitive information. CPNI have released Think Before You Link which provides advice on the security risks of putting too much information about your employment on social media.
Hostile actors and criminals may also seek to gather information about your organisation or event to inform their attack planning. CPNI have released guidance on how to promote protective security measures alongside any planned communications related to COVID-19.
The Protective Security Management Systems (PSeMS) is an assurance system for organisational security. This version of the PSeMS checklist provides Security Managers with a set of protective security statements, specific to the current pandemic crisis, to help assess the new security posture of their organisation and identify where gaps are and what mitigations they may need to put forward for Senior Management approval.
Virtual tours are a great way of helping attract people to your site and/or plan their visit. During the COVID-19 lockdown restrictions virtual tours can help maintain interest of potential visitors and keep them mindful of the site as a place to visit once Government advice allows. For advice on how to create virtual tours CPNI has published Security Minded Communication Guidance for Virtual Tours.
Other guidance which will help you secure your people can be found here:
Physical Security and Guarding
The physical security and security operations at sites will likely have to adjust to accommodate a different balance between health considerations vs security measures (some measures may be perceived to increase the spread of the disease), social distancing, non-availability of security personnel, changes in threats, vulnerabilities and risks to an organisation etc.
Where security staff resource is limited, consider deploying it across the various roles normally undertaken in a manner that has greatest impact in terms of reducing risk. In order to do this, it is important to take a strategic view of security risks and priorities.
Ways of reducing security risk that could be considered may include:
- Limiting the number of operational entrances/exits and working hours
- Securing and preventing access to non-essential areas
- Procuring only from key trusted suppliers
- Minimising vehicle movements onto sites
- Ensuring sensitive information is destroyed appropriately
CPNI has developed the following guidance to help organisations work through some of these issues:
- Security guarding
- Access Control
- Countering Drones
- High Street Hospitality: Protective Security Considerations
- The risk to people from Vehicle As a Weapon (VAW) attack remains a real possibility during the COVID-19 pandemic. Social distancing measures will require authorities and businesses to guide customers in and around commercial premises and publicly accessible locations e.g. high streets. In order to minimise the risks to people, organisations and authorities can take practical steps to reduce the risk.
- CPNI has published guidance on protective security considerations for high street hospitality and guidance on protecting queues to counter this attack methodology. Additional guidance is on the Hostile Vehicle Mitigation page.
- CPNI has also published guidance on adapting existing search and screening processes to take account of physical distancing; this has been circulated widely to relevant sectors through government and police channels. Information on designing and delivering search processes can be found on the Search and Screening pages.
- The 'Recognising Terrorist Threats - For the Security Professional' guide provides valuable advice for front line security staff on recognising threats and other attack indicators
- For appropriate physical security equipment please refer to the Catalogue of Security Equipment
- Practical guidance on things to consider when communicating with a face covering: the guidance provides some hints and tips on what can be done to maximise the effectiveness of communicating when wearing a face covering such as a face mask, and some things that need to be considered when seeking to identify and resolve suspicious behaviour in light of the widespread wearing of face coverings.
Related Advice, Including Cyber
There are other resources that will also offer guidance on dealing with the COVID-19 pandemic within your organisation. NCSC has produced a guide to working from home which gives information and guidance around the challenges of an increase in home working. They have also produced guidance on mitigating malware and ransomware attacks which provides information on steps to take before a malware infection has occurred and guidance to help organisations to select, configure and securely implement video conferencing services.
One of the biggest threats that has emerged during the pandemic so far is the use of online phishing techniques by hostile actors to exploit concerns about COVID-19. The joint CPNI and NCSC guidance Phishing Attacks: Defending your organisation gives advice on how organisations can defend themselves against cyber criminals.
BSI have published Safe working during the COVID-19 pandemic – General guidelines for organisations in response to the COVID-19 pandemic and the increased risk the disease presents to the health, safety and well-being of people in all settings, including whilst working and in the workplace.
The Government also have a website which will be updated regularly providing the latest recommended guidelines on what we should all be doing during the lockdown.
If you have any queries regarding the above or if you would like to know more specific information please contact [email protected]