In the wake of the SARS outbreak, the Iraq war and ongoing global unrest, technology and business analysts warn that companies must successfully address telecommuting, remote access and employee safety concerns within effective emergency-management and business-continuation plans.
The mysterious SARS virus has killed more than 100 and infected more than 2,600 worldwide. Meanwhile, Hong Kong hospitals are bracing for a worst-case scenario of 3,000 patients by the end of the month.
Severe Acute Respiratory Syndrome has led authorities to impose controls that have kept some employees from traveling to work. Those actions have included the closing of schools and applying strict quarantine regulations.
Thailand, Hong Kong, Singapore, South Korea and Ontario have implemented quarantine measures. According to UPI, officials in Singapore are now considering installing Web cameras in the homes of people under quarantine to make sure they don’t leave, and Vietnam said it might bar visitors from countries with evidence of the mysterious flu-like disease.
In the United States, there now are about 150 cases in 30 states, with no deaths.
President George W. Bush on Friday gave federal health officials authority to quarantine Americans who contract the illness. Officials said there were no immediate plans to use the emergency powers.
Steve Bittenger, an analyst with Gartner Research, reports that since 9-11, many enterprises have paid more attention to business continuity plans, but most focus on infrastructure and the ability to continue business by relocation or backup facilities.
“Few enterprises have addressed the type of crisis that results from a biological or health threat that affects employees’ ability to travel to the workplace,” he says.
In the current SARS crisis, employees in affected areas may not be able to travel to the workplace for the following reasons:
- Taking care of children while schools are closed
- Transportation shutdowns
- Travel delays
Gartner analysts say a basic checklist for supporting “teleworking” should focus on facilities and the workers themselves. Recommended are the following measures:
- Permit staff to work at home if uncomfortable with the risk of travel or the office environment.
- Have a single source (usually the human-resources department) disseminate information on the health issue and actions staff should take. This will save time, resources and confusion.
- Prepare plans in advance for acquiring, leasing or renting laptop computers, especially for staff that use desktops in their daily role. “A lot of companies are resisting the provision of laptops,” said Gartner research director John Girard. “They want employees to use their home PC. They’re giving full access to the company network from a home PC. That’s especially dangerous.” He cautions in such a scenario there can be no guaranteed security. The home PC may have spyware on it; it may not have the needed applications; and the user may be participating in illegal activities such as the downloading of music files.
- Provide remote access via Secure Sockets Layer (SSL) virtual private networks (VPN).
Many key analyst groups see SSL VPNs as the leading solution for remote access and extranet VPNs. They provide secure access to corporate data and applications via the Internet. Girard prefers the security, economy and ease of use of SSL VPNs as compared to Internet Protocol Security (IPSec) VPNs.
“SSL is supported in all browsers,” says Girard. “It supports 128-bit encryption and you can run strong authentication if wanted, including token.” SSL VPNs can give remote users access to Web-enabled applications while encrypting all traffic between the browser and server. The technology differs from VPNs based on Internet Protocol Security, which require client software to establish a secure tunnel between a remote user and the network.
“SSL VPNs … do not require client software that needs to be updated, managed and configured” says Zeus Kerravala, an analyst at The Yankee Group. “An SSL VPN costs about half as much to manage as [IPSec] and about a quarter the cost of a dial-up remote-access solution,” Kerravala says. Employees can use it to access the applications needed, while the company avoids the expensive and relatively insecure offer of total access to the company network.
Companies offering SSL VPN solutions include Nortel, Aspelle, Aventail, Check Point, Neoteris, Netilla and SafeWeb. Industry watchers say Cisco will offer SSL VPNs by year-end, probably through acquisition of a smaller player.
- Plan to support an increased amount of remote traffic in the event of a sudden increased need. Failure to make a realistic assessment of network “load” or traffic is common. Girard recommends emergency business managers make sure they have accurately estimated and conveyed emergency load expectations to IT personnel.
- Add a remote-access policy to disaster workforce planning and management procedures.
- Prepare and update contact lists for all employees. Set up call forwarding via office lines for employees that do not wish to disclose personal contact numbers to other employees.
- Provide calling-card facilities for long-distance calls, as well as remote-conferencing facilities.
“Telecommuting and mobile access can help enterprises cope with emergencies.” says Girard. “When disaster strikes, key company locations may go offline or be physically inaccessible. Remote-work capability will keep businesses operational.”
Girard emphasizes that such capabilities add to a company’s competitive edge in peacetime also.
Noting that during the Iraq war and current global uncertainties U.S. businesses are a target, Girard cautions that many businesses may not have made a realistic assessment of an emergency scenario and therefore may be at a disadvantage in crisis.
It’s a warning echoed by risk-management consultant Gordon Conroy. Conroy is a technical adviser at a risk-management consultancy firm in Jakarta, Indonesia. Previously, he was the project director for dignitary and athlete protection at the Sydney 2000 Olympic Games.
“The potential threat is heightened for any business from a country that has become actively involved in the war against global terror,” said Conroy.
“For this reason alone, citizens of supporting nations must be considered targets,” he warns.
Both Girard and Conroy emphasize the need for ongoing training. In addition to enabling enterprises and employees to work from anywhere, there also may be a need for employees to move out of danger zones.
For this reason, Conroy believes emergency training programs should include special safety training.
“There will be a very real requirement for development of programs designed as a proactive preventive measure to prepare employees to operate effectively in complex, remote and/or hostile environments to help employers protect their important human capital investment in these regions.” says Conroy. “Through specific and developed education programs, people can quite clearly reduce the risks they face and help themselves mitigate the risks of globalization by expanding the number of proactive tools available to their needs.”
Conroy indicates that this need to being proactive is contrasted with reactive stances taken when the first bombs fell in Afghanistan.
“There was a flood of requests for evacuation plans. Although it was known to be highly likely that the bombing would commence, businesses waited until after the fact to start putting plans into action,” he said.
Conroy recommends the following:
- Bomb Threat Management Plans – These should include the handling of suspicious packages and dealing with suspected anthrax mail so as not to shut down an entire business if something suspicious is received.
- Evacuation Plans for Expatriates – If the socio-political situation deteriorates to the degree where the safety and security of expatriate employees and their dependants is endangered, it may become necessary to implement security measures to ensure safe exit from the country. These plans should supplement detailed emergency evacuation plans for crises in the office or workspace.
- Journey Management – Any employee traveling internationally should be “tracked” by the business for obvious reasons. As well as basic airport and hotel security awareness, people traveling to areas prone to kidnappings should be prepared accordingly with a current country/area brief, as well as conducting kidnapping awareness training.
- Women In The Workplace – Address specific security issues faced by females in the workplace, as well as while traveling or working in complex or hostile areas.