
Addressing new security risks post-COVID-19: How enterprises need to re-imagine security

A year into the global pandemic, with vaccine deployments in full swing and organizations putting new-normal practices in place, it’s important that security leaders take a seat at the boardroom table and prepare for the next phase.

Enterprise organizations are moving beyond simply responding to, or even recovering from, the pandemic, and are now looking at how they can renew their strategies.

Source: Gartner 2020

Leveraging lessons from the pandemic, security leaders have an opportunity to re-evaluate risks and build out programs that address new stakeholders, leverage diverse technologies, and support newly emphasized duty of care mandates. 

In this vein, Traction Guest hosted a webinar with ASIS International discussing exactly how organizations might re-imagine security as they develop their security plans for 2021.

You can view this continuing education session on-demand here.

Following the webinar, a number of interesting community questions came up. We’ve summarized our perspective below and encourage others to join the conversation.

What are some of the criteria that organizations are basing return to work decisions on?  

What we use at Traction Guest (and this appears to be increasingly mainstream) is a trifecta approach:

  • It starts with understanding the government regulations around whether we can return to work or not.  
  • With that box checked, it then moves to what the rate of positivity is (the number of positive tests divided by the number of tests conducted). Each company board or leadership should determine what their comfort level is with that. 
  • With that box checked, it then becomes a matter of evaluating employee comfort and ability to come back. 

The latter is impacted by the degree to which organizations have put into place various new safety and security measures ranging from health/vaccine attestations, private ride services, hygiene training/enforcement, invite-first scheduling, etc.  

As a final consideration, and in light of recent survey data around employee concerns, it’s important that the criteria and mitigations be communicated effectively. Depending on the organization, this might mean executive discussions or employee newsletters, but the key is ensuring that staff understands that safety-related decisions followed a rigorous and defined process.

With transparency being a key principle, what level of organizational awareness is appropriate in terms of individuals that have contracted COVID-19?

You can be transparent about COVID within your organization without discussing exactly which employee may have contracted the virus. At the beginning of this pandemic (at a former employer) we built a dashboard that showed every facility, how many employees were suspected of having COVID, those who were confirmed to have it, and then the status of the decontamination, and other measures after the fact.  

Beyond the individuals impacted, you’ll want to work with your HR/EHS counterparts to ensure that your systems can support the broader goal of reducing spread. Beyond identifying infected individuals (which again can be done anonymously), you need to be able to quickly determine all personnel (and contractors) that may have been on-site with that individual in order to support contact tracing or outbreak notifications. 

Taking your security data and working with stakeholders (product teams, shift managers, etc.) to gather information on productivity or revenue lost due to a facility being down, will provide fantastic insights into how this pandemic has impacted your business—and it can write your security department’s ROI for you!

Some companies are considering a "hot desk" arrangement (e.g., employees sharing workstation facilities)—isn’t this a greater risk?

The notion of hot-desking, hotelling or even co-working arrangements was gaining quite a bit of traction even before COVID. It can be done and may see a resurgence with the shift to hybrid work structures; however, there are new considerations that must be addressed. It is critically important that you have some kind of tool or combination of tools to manage who is eligible to book a desk, how they book it, and when it gets cleaned and made available again for booking. Companies should also consider what is included in the workstation—for example, facilities might have a desk/chair, but might require each employee to bring their own mouse/keyboard. Additionally, physical countermeasures such as social distancing, masks, handwashing, and clear plastic shields should be considered, as well as appropriate training and reinforcement to ensure compliance. Hot desks and other concepts represent a great opportunity for security leaders to engage the CHRO (Chief Human Resource Officer), or related executives, to re-imagine the organization’s approach to new work realities.

Have organizations increased the number of security officers on post or duty?

We have seen both a decrease in the number of security officers, now that there aren’t as many employees in the building to tend to, and an increase in some cases where the luxury of employee-based natural surveillance is now gone. Situations will vary greatly and may be further exacerbated by additional satellite locations (e.g., new remote/dispersed work models) and new monitoring requirements such as safe distancing, etc.

With an increase in remote workforce orientation, why is there an increase in demand/spend on physical security?  

During the webinar, we surveyed attendees and found that 50% were seeing long-term budget increases as a result of the pandemic. 

This may seem at odds with the shift away from ‘in office’ to ‘remote work’; however, there are a few possible reasons for this. It starts with how physical security has handled this pandemic, being front and center with the C-suite. As executives look to allocate funds for COVID countermeasures, security folks have been first in line in most cases.

The role of the security professional has started to change, perhaps now involving work across many new stakeholders. We have to keep in mind that physical security is not just “guns, gates, and guards.” While the need for something like physical access control and a camera system may be lessened in facilities that are moving to a 100% remote method, security professionals still have a duty of care, more so now than ever before. The spend on building controls is being shifted into GSOC-type applications to monitor intelligence around where the employees are actually working.

Additionally, we see organizations incorporating new remote threats into their thinking—do employees have safe home environments, are they physically able to perform their duties, is their partner or roommate an ‘insider,’ etc. These complexities represent new ways of thinking and new opportunities for security leaders.

With the move to hybrid or remote work models, what would be foundational to consider in addressing this new structure?

Leveraging a framework like ESRM (enterprise security risk management) from ASIS is probably still the most important starting point. This provides not only a solid approach, but also support if you are contested down the road.

We will need to reimagine what it means to keep employees safe when the concept of “facility” or “shift” changes to “anywhere” and “always.”  This is why security leaders will need to build (or strengthen) connections with HR leaders moving forward to understand the new hybrid realities and explore possible new areas of opportunity (or new threats) as part of their ESRM evaluation.  

How will employees react to the fact that now their ‘spare bedroom’ is a home office, and an extension of workplace violence?

As part of re-thinking our strategy and how we provide security, this area is ripe to be investigated and adjusted accordingly.  Now that the COVID emergency is starting to fade out, we can look at remote work programs, meet with our employees, and decide how far we can or should be able to reach into our employees' remote workspaces.  OSHA has weighed in on this several times in the past as well.  This is where transparency and your partnership with the HR stakeholder become critically important.  Some employees may find this a benefit and welcome it, some may choose not to work remotely because of this.  The employee population at large should be one of our stakeholder partnerships.  We should survey them as often as possible when it comes to these kinds of issues.

How has the COVID and post-COVID environment impacted your approach to threat management?

This has been a great partnership with our HR teams in our efforts to be as proactive as possible.  Whether it's giving additional vacation or holiday time, creating fun (remote) company events, or new measures to provide mental health support to employees—we’ve made a strong effort to be as proactive in this as we can in hopes we’ll see fewer issues downstream.

Should the personal smart device be instrumental in achieving future safety goals?

This is an issue many employers deal with—balancing the private lives of employees and their smartphones versus protecting the workforce at large. I don’t think there is a one-size-fits-all approach considering company-supplied devices versus personally funded devices, employee population size, and generational differences. The smart device certainly harnesses great ability to aid in keeping employees safe.