Staying secure during COVID-19
The conditions resulting from the pandemic may mean there are greater risks to the security of your organisation. CPNI wants to assist in mitigating any increased threat at this critical time. This page provides links to CPNI and NCSC guidance to help organisations to mitigate security threats at this critical time.
We recommend that your organisation reviews your current processes against the guidance below. Any new processes should be implemented at a reasonable pace, taking into account your normal business and risk management process.
Returning to the Workplace
The CPNI COVID-19 Workplace Actions campaign is a behaviour change campaign that we have developed for use within our own organisation. We developed the campaign to help encourage the right behaviours in our own premises and meet the paramount need to ensure that we can deliver our mission whilst keeping our employees as safe as possible.
This is not a standard CPNI security behaviour campaign and it has also been produced primarily to meet our own needs and operating environment. However, we believe many other organisations are in a similar position to ours or will be over the next coming few months. Organisations will need their employees and visitors to undertake the correct social distancing and hygiene behaviours effectively in order to continue operating or to return to a position of where their missions can be delivered safely. This is vital both to the re-opening of the economy and delivery of key services.
As such we decided to provide our campaign on the CPNI website for other organisations to adapt and use should they chose to do so. The campaign toolkit comprises of step-by-step guidance on how to run and implement the campaign and a suite of downloadable, editable print and digital posters and other materials such that you can adapt.
The CPNI COVID-19 Workplace Actions campaign was developed rapidly within a two-week period to coincide with our planned staffing increase. As such we have not yet undertaken any evaluation of the campaign and are continuing to refine and evolve as we roll it out internally. It has been based on our sound and established behavioural science approaches and aligned with current Government advice. To this end this is very much a ‘living’ campaign that we will continue update on the CPNI website.
Please do register your interest in using this campaign by emailing us on [email protected] so we can keep you informed of updates to the campaign as it evolves.
Please also email us to provide your feedback on the campaign, in particular:
- Is this campaign of use to you? If so why?
- Are there any additional materials that may be missing that you may need?
- Is there anything else we can do to improve guidance or the campaign?
Protective Security and Managing Risks
COVID-19 has had a large impact on most businesses, affecting not just business operations but also security operations too. For some organisations the threats facing the organisations are also likely to have changed.
Good risk assessment is critical to establishing what threats an organisation might face and therefore what security mitigations are appropriate to put in place. The Pandemic has shown so far that some of these security threats may have changed and organisations could be more at risk. Protective Security during Covid-19 provides general guidance on risk assessment and security planning during the crisis. The Protective Security Management Systems (PSeMS) is an assurance system for organisational security. This version of the PSeMS checklist provides Security Managers a set of protective security statements, specific to the current Pandemic crisis, to help assess the new security posture of their organisation identify where gaps are and what mitigations they may need to put forward for Senior Management approval.
CPNI has drawn together important security considerations for businesses in financial distress, including those in insolvency or administration, either directly or as a third party. This guidance note covers people, information and property, highlighting how to protect your most important assets, with links to further CPNI advice. Guidance is also provided for client organisations, delivery organisations and insolvency officeholders, providing direction to relevant CPNI advice, to help ensure security is maintained during insolvency or administration processes.
Secure Your People
Currently most organisations will have a larger number of people working from home than normal, which introduces additional risk. Encouraging your employees to take personal responsibility and to think and act in a security conscious way is crucial at this time. This can help prevent incidents and breaches from happening.
We have issued high level guidance on good personnel security during a pandemic where usual security practices are either suspended or changed to reflect different working patterns. Where security staff resource is limited, consider deploying it across the various roles normally undertaken in a manner that has greatest impact in terms of reducing risk. In order to do this, it is important to take a strategic view of security risks and priorities.
Ways of reducing security risk that could be considered may include:
- Limiting the number of operational entrances/exits and working hours
- Securing and preventing access to non-essential areas
- Procuring only from key trusted suppliers
- Minimising vehicle movements onto sites
- Ensuring sensitive information is destroyed appropriately
The Passport to Good Security provides valuable advice on senior level governance and risk management, which will help in the current climate.
During COVID-19, poor employment screening processes could enable an insider to recognise the value in being able to access sensitive information or equipment. Having a strong security culture will act as a deterrent to insider activity by ensuring the workforce have a good understanding of security awareness, and ensure they understand how to report concerns where they notice behaviour of concern. The way in which you employ people may also have changed during this period. As restrictions have been put in place for personal interviews as a response to the COVID-19 pandemic, it is increasingly likely that interviews for either recruitment, HR, vetting purposes or even line managers will be required to be undertaken via a telephone or online. CPNI have produced guidance which is designed to make interviewers aware of tried and tested best practice, as well as recommendations from latest academic research.
It is important to preserve the trust already established with employees, despite serious disruptions caused by such events as the COVID-19 pandemic. Disruption can have a negative effect on how some employees perceive or trust their employers, especially in how the latter responds to the crisis. If there is a breakdown in trust and employees see limited efforts to support them during the crisis, some might seek to undertake unauthorised insider acts for their own benefit or even just to exact revenge against their employers. CPNI have released guidance to give employers hints and tips on how to keep the trust employees have in their employers and organisations.
Hostile actors and criminals may act anonymously online in an attempt to connect with people who have access to valuable or sensitive information. CPNI have released Think Before You Link which provides advice on the security risks of putting too much information about your employment on social media.
One of the biggest threats that’s has emerged during the pandemic so far is the use of online phishing techniques by hostile actors to exploit concerns about COVID-19. The joint CPNI and NCSC guidance Phishing Attacks: Defending your organisation gives advice on how organisations can defend themselves against cyber criminals.
The risk to pedestrians from Vehicle As a Weapon (VAW) attack remains a real possibility during the COVID-19 pandemic. Social distancing measures will require businesses to manage customers flows and numbers going into premises. In order to minimise the risk to queues of people, organisations can take practical steps to reduce the risk. CPNI has published guidance on countering this attack methodology in the Hostile Vehicle Mitigation pages.
Other guidance which will help you secure your people can be found here:
Physical Security and Guarding
The physical security and security operations at sites will likely have to adjust to accommodate a different balance between health considerations vs security measures (some measures may be perceived to increase the spread of the disease), social distancing, non-availability of security personnel, changes in threats, vulnerabilities and risks to an organisation etc. CPNI has developed the following guidance to help organisations work through some of these issues:
- Security guarding
- Access Control
- Countering Drones
- Protecting queuing pedestrians from a Vehicle as a Weapon Attack
- CPNI has also published guidance on adapting existing search and screening processes to take account of physical distancing; this has been circulated widely to relevant sectors through government and police channels. Information on designing and delivering search processes can be found on the Search and Screening pages
- The 'Recognising Terrorist Threats - For the Security Professional' guide provides valuable advice for front line security staff on recognising threats and other attack indicators
- For appropriate physical security equipment please refer to the Catalogue of Security Equipment
Related Advice, Including Cyber
There are other resources that will also offer guidance on dealing with the COVID-19 pandemic within your organisation. NCSC has produced a guide to working from home which gives information and guidance around the challenges of an increase in home working. They have also produced guidance on mitigating malware and ransomware attacks which provides information on steps to take before a malware infection has occurred and guidance to help organisations to select, configure and securely implement video conferencing services.
Virtual tours are a great way of helping attract people to your site and/or plan their visit. During the COVID-19 lockdown restrictions virtual tours can help maintain interest of potential visitors and keep them mindful of the site as a place to visit once Government advice allows. For advice on how to creat virtual tours CPNI has published Security Minded Communication Guidance for Virtual Tours.
The Government also have a website which will be updated regularly providing the latest recommended guidelines on what we should all be doing during the lockdown.
If you have any queries regarding the above or if you would like to know more specific information please contact [email protected]
Resources & Links
Returning to the Workplace
Protective Security and Managing Risks
Secure Your People
- Pandemic Security Behaviours
- Assured Automatic Access Control Systems
- Secure Destruction
- The Passport to Good Security
- Insider Threats in a pandemic
- Conducting interviews by telephone or online
- Preserving organisational trust during disruption such as a pandemic
- Think Before You Link
- Phishing Attacks: Defending your organisation
- Small Actions, Big Consequences
- Exit Procedures