No Business As Usual: Lessons Learned During the COVID Pandemic

Every person and every business has been impacted by the COVID-pandemic in one way or another. Humans and (most) businesses are surprisingly resilient and adapt to challenging environments relatively quickly. Flexibility and new approaches are required to overcome obstacles and deal with new situations.

This unprecedented global pandemic has taught all of us many lessons, some rather painful. The question is whether some of these lessons have a long-term impact on how we interact and conduct business, or whether it’s a short-lived experience. In general, I believe it’s fair to assume that we won’t go back to the ‘old’ normal but rather develop a ‘new’, hopefully better and advanced normal.

From a security and risk management perspective there are a few aspects to take a closer look at.

 

#1 The need for reliable business partners in a global economy

If nothing else, the pandemic has taught us how much we all depend on each other, both in private and in business. The vast majority of businesses today are international in scope. Businesses rely on overseas partners in practically all aspects of corporate activities, e.g. production, supply chain, logistics, sales and distribution.

During the pandemic these international business relationships have been put to the test. Can you rely on your business partner? Do you really know enough about who you are dealing with?

Many companies found out the hard way that their decisions related to foreign business relationships were based on insufficient information and lacked the depth to make a detailed risk assessment. The need for a concise third-party management policy and for in-depth due diligence on potential or existing business relationships has never been more apparent than today.

#2 It’s not just financial risks

Experience shows that corporate decision-makers have a tendency to focus on legal and financial risks. This is what they’ve been trained to do. However, taking a more holistic approach to risk integrates other non-financial risk factors like operational, human and reputational aspects.

There is no one-size-fits-all solution. Every business is unique and requires a unique and dedicated approach. Trade and travel restrictions vary tremendously from jurisdiction to jurisdiction and change constantly. A high degree of flexibility is needed and will also vary depending on the industry sector.

Besides a holistic all-risk approach and flexibility it has also proven vital to think in alternatives and back-up solutions: reliance on just one source or business partner for a crucial aspect of business operations is never a good idea. Even if not implemented, it’s always a good thing to have pre-planned and vetted alternatives.

#3 Preparedness

There is this old saying in crisis management: Prepare for the unthinkable. Admittedly, almost no one outside some public health expert circles really saw this crisis coming. And in the very early stages many companies were hesitant to acknowledge the impact the crisis would have on their business operations. But those companies that had at least some sort of pre-planned crisis management in terms of policies, procedures and training were quicker to adapt and mitigate the impact. With an existing crisis management organization and based on other crisis scenarios, these companies were able to adapt faster and develop an appropriate response plan.

As a consultant I have heard the statement “this will never happen to us” far too often. I can only hope that this crisis has taught all of us the lesson that no person and no business is immune from bad things happening, no matter how ‘unthinkable’ it might seem at the time.

#4 Leadership

Managing any type of organization has its unique challenges even when everything runs smoothly, which is hardly ever the case. But during a crisis like the one we’re experiencing now, businesses don’t need just good managers, they need good leadership. Providing true leadership to an organization demands experience, a certain skill set and character to deal with the organizational and human aspects during a crisis. And to be really effective it requires trust, a trust that has been built and earned over time.

#5 Viruses don’t know borders – neither does Crime

It’s amazing how fast fraudsters and criminal organizations have adapted to the new situation and exploited it to their advantage. While the pandemic brought a decrease in some organized crime activities, e.g. drug or human smuggling, it presented new criminal opportunities in other areas.

Governments and the public health sector in almost every country around the world have been defrauded of millions: selling counterfeit masks and PPE at ridiculously inflated prices; offering fake vaccines; exploiting Government-funded help programs by using thousands of fake personas; etc.

White collar crime, fraud and corruption, cyber-crime and cyber-extortion aimed at businesses, business email compromise and cargo theft have all seen a significant increase during the COVID-pandemic.

The COVID-pandemic has exposed many flaws and shortcomings in business operations. It remains to be seen to what extent corporate decision-makers will take this as “lessons learned” in the truest meaning of the word and prepare their organizations for the next crisis – because it will come.

Business Security – More than Cyber Security

In December 2014 Wired Magazine published a short article titled “The Business of Security is Business”. Although predominantly written from a cybersecurity perspective, I like the title and the article definitely raises a couple of good points.

In the last 15 years we have seen dramatic changes in the geopolitical landscape and a highly dynamic and constantly changing threat environment, both with significant impact on global business.

Today, security risks are definitely on the agenda of corporate executives. With media reporting large-scale data breaches and cyber-security threats almost on a daily basis, IT security has become one of the top priorities for corporate management.

However, there should be no mistake that a comprehensive corporate security program needs to address risks that go beyond technical and IT security issues, e.g. prevention of fraud and corruption, insider threats, terrorism, economic espionage, crisis management and travel security.

Concepts like “Enterprise Risk Management” or “Total Business Security” provide a more holistic perspective on the threat landscape, trying to implement security aspects into all corporate processes and operations.

Security is a Management Task
Corporate security managers need to clearly communicate what the impact of any threat is on the business. They need to translate security requirements into a language that CEOs, CFOs and other corporate decision-makers understand. A successful corporate security manager needs to be a business manager with a specialization in security. The business of security is business!

Corporate security goes beyond cyber-security
Business security is more than IT security. With all the attention (and budgets) cyber-security gets, corporate security managers should make every effort to take a broader view of security and build a comprehensive security program that provides more holistic protection of physical assets, personnel, information and know-how, and commercial interests.

Build a security program for real life
It can be a daunting task to keep up with all the security threats and implement a smart protection program, especially if an organization is operating globally. Many computer-based tools are offered on the market to assist in this effort. With all the software tools and dashboards available, corporate security managers are well advised to make a very careful selection of exactly what tools they need and what these tools actually provide to handle real-life situations. Tools can be a useful support, but filling a database with lots of data and information is neither the objective nor sufficient. Have a reality check once in a while.

Learn from others (their mistakes and successes)

Here is the good news: Although in today’s world corporate security is a challenging, complex and interdisciplinary task, it can be done. Most likely, it has been done before. Nothing is more appropriate than to learn from the experience of other professionals and organizations, both their failures and their success stories.

Why don’t they listen to me?

A couple of weeks ago I had the opportunity and distinct pleasure to speak at a corporate management conference. A global company had gathered their top 300 executives from around the world to discuss business matters and the road ahead. I had been granted a 45-minute slot on the second day to talk about security issues. There was no preset topic the company wanted me to address. After a few conversations with the VP Security and some senior executives I decided to talk about the role a modern security function can play in a global organization, the potential for integration of security into the overall business strategy and especially the need to effectively communicate with each other.

I titled my presentation “Why don’t they listen to me?”. I’ve heard this question over and over again from many corporate security managers. In a lot of cases there seems to be a disconnect between the business and the security function. Security managers describe their difficulties and frustration in getting senior management’s attention and buy-in for pressing security matters. Likewise, many business managers elaborate on their perception that the security managers have little understanding of the business requirements of their own company and try to implement policies and procedures that are perceived as an additional burden for the business.

Communication professionals will tell you that whenever you hear the phrase “Why don’t they listen to me?” you have a core communication problem at hand. As a corporate security manager you should not expect your senior executives to speak your language. You need to speak their language. And getting their attention is easy if you describe the impact a security issue has on the business.

My best advice: Don’t tell your boss about just another security problem. Tell your boss about the security issues that you have identified, how you have prioritized them based on business relevance and impact, and most of all tell him what your solution is. And if you’re really up to speed you might even offer some options for how to respond to a specific risk, together with an estimate of how the different options will impact the organization.

Most executives are usually well aware of the many problems facing an organization. What they want and what they need is someone who provides a solution. As the expert in the field of security it is your job not just to identify areas of concern but to find options and solutions.

In most publications about security you will find reference to today’s multi-dimensional threat landscape. However, in reality it seems that many organizations deal with it with a very narrow focus, allocating resources almost exclusively to cyber security. This could be a recipe for disaster.

Yes, the business world is facing a multitude of threats and risks, cyber security just being one of them, albeit an important one. Any responsible security manager will need to educate his audience that a comprehensive and effective corporate security program needs to address all threat dimensions.

There is no security risk, there is only a business risk.