Last updated: 19 March 2020


Following any crisis event, boards, executives and steering committees alike will need to obtain as much timely information as possible. Information data sources are often decentralised and data may be located in legacy systems or at various physical sites. It is important to determine not only where the information is located, but also how various data sources reconcile and interact with each other. In response organisations should locate, catalogue, preserve and quarantine that information in a timely manner. Steps you can undertake to map your data include: 

  • Briefing meetings: meet with senior management to understand the facts and identify at a high level, the systems that will need to be mapped and the nominated experts and end users who are to be interviewed for each system.
  • Conduct interviews: meeting with your nominated experts and end users to gain an understanding of your core systems, processes and procedures as well as data points. If you staff or systems are highly decentralised you may have to send out a questionnaire to a wider group of staff and contractors.
  • Preserve: if data has been identified as critical and may be required to be used in a litigious matter in the future you should take an electronic snapshot of that data at a point in time.
  • Reporting: prepare a Data Mapping Audit Report including a summary of core systems, ranking system importance, outlining risks and providing a recommendation of the next steps to be taken regarding collection methodology, and undertake follow-up meeting to discuss findings and recommended next steps set out in the report.

IT services and cyber security

During self-isolation and precautionary measures imposed by COVID-19, IT services staff should re-evaluate their policies and guidelines in relation to staff working from home and the potential safety risks. In particular, teams may need to introduce mitigations for the risks imposed by the virus.

  • Staff working from home will face new security risks relating to their home network. Older models of home networking equipment may be especially vulnerable to attacks which a typical Enterprise IT infrastructure will be unable to detect remotely. Guidelines in purchasing appropriate hardware and patching network hardware such as routers is appropriate.
  • It may be appropriate to provide security software such as virus scanners or, in some cases, hardware to staff working from home. Some freely available security software solutions have privacy policies which may leave company data exposed.
  • A set of home security guidelines can mitigate risks while using a home network for work purposes. Consider steps such as disabling Wi-Fi in the home to secure sensitive data and encouraging staff to avoid putting their work devices on large networks shared with multiple devices. Staff may also want to consider fresh installations of operating systems, and other measures. In-office policies and standards related to password complexity and the like can also be extended to home networks.
  • For employees remotely accessing a company network, it would be recommended to put in place an appropriately configured Enterprise VPN solution with security features such as multi-factor authentication enabled.
  • In the case that remote desktop technology needs to be exposed to the internet, ensure every security feature reasonably possible is enabled such as firewall restrictions, secure access technologies, and multi-factor authentication.
  • Providing COVID-19 communications guidelines can reduce the risk of COVID-19 and current affairs themed social engineering attacks such as email, phone, and text message phishing on employees. Staff should be encouraged to rely on specifically selected news and communication channels related to COVID-19. It should be made clear which services will not be used.
  • As staff continue to work from home, malicious threat actors will vary strategies to exploit staff in the home office. If it is not in place already, IT departments should consider regular releases of intelligence relating to new tactics and threats to keep employees activated as a line of defence.
  • Consider extending penetration testing and vulnerability auditing to specifically target employee home networks and remote working infrastructure as a priority.

During COVID-19, ordinary off-boarding of employees or customers may occur relating to contract termination or expiry. IT departments should be wary of risks to the personal safety of these employees or customers; particularly where the staff member or customer is reliant on the business infrastructure.

  • Internet service providing businesses may wish to extend services with remote customers or staff in instances that would normally result in service termination. Staff or customers may be reliant on services for safety, both psychological and physical.
  • Staff may be reliant on business communication systems or services such as phones, email, or other services which would normally be disconnected at the end of employment. In some instances it may be appropriate to extend access to these services beyond employment to avoid interruptions to communications.
  • As part of IT off-boarding and on-boarding procedures, the impact of COVID-19 should be taken into account. Staff should be asked to consider making the business aware of their reliance on office infrastructure prior to exiting a company.
  • Employees may be part of an emergency communication network put in place by your business. Consider extending this network to past employees for a period of time after employment ceases.