Covid-19 and IT: How companies can counter a crisis in their own IT operations

published on 10 March 2020 | reading approx. time 3 minutes

Covid-19 has become a global entrepreneurial risk. First of all, it is a problem that affects people, but that will also have an impact on your business, directly or indirectly through affected employees, customers or suppliers. As a consequence, every com­pany is or will be affected. A central question is how Covid-19 affects your own IT operations and what needs to be done to minimise negative effects on value creation.

• Preparatory Phase »

• Crisis Phase »

• Post-Processing Phase »

Preparatory Phase

A key step in overcoming a crisis is for the company to prepare itself for the crisis. This includes a crisis manage­­­ment team, which is responsible for internal and external communication and for managing measures during the crisis. With a view to IT operations, a “partial crisis team” could be a good idea for IT.

It is important that an up-to-date risk analysis is carried out for IT operations. This includes a sufficient amount of information about the development of Covid-19.

• The risk analysis should focus on the loss of employees in IT operations as well as important function holders within the business processes (key users, persons performing manual and automated controls, etc.). Against this background, it is necessary to assess whether head monopolies exist without sufficient representation in IT and beyond, or whether, in the event of a loss of employees, IT operations or important IT-supported business processes can no longer be adequately ensured.
• The risk situation of the IT service providers supporting the value-added processes should also be considered
• A further important step in preparing for the crisis is the analysis of the crisis management measures already defined. These must be reviewed and, if ne­cessary, additional measures must be defined, prioritised and introduced.
• If the company is one of the companies covered by the IT Security Act (KRITIS), it can fall back on the existing risk analyses and update them if necessary.

In the event of an epidemic or pandemic, the massive loss of sick employees can severely disrupt operations.  The following preparatory measures, which can be helpful for coping in the event of a crisis: 

• In all cases, up-to-date documentation and the digital storage of evidence and protocols are the basis for shifting tasks to teams called in for represen­­tation. The question is therefore whether this data and information is up-to-date.
• The precautionary shift or obtaining an option to shift to service providers should be reviewed and considered.
• Today, in most cases it is possible to carry out in particular the administrative activities or also the support of the employees by the help desk “remote”. For this purpose, the employees must be equipped and trained with the necessary equipment for secure access to the company IT. Today, meetings can also be held relatively easily via Skype, WebEx or TeamViewer.
• If necessary, functions such as helpdesk can be relocated within the company or group. In some cases it would also be possible to involve key users more in 1st and 2nd level support tasks.
• Another measure can be the prepared use of alternative operating models such as cloud computing. Individual functions, sub-processes or even entire processes and systems are moved to the globally dis­tributed data centers of the cloud providers if their own data centers or operating rooms are no longer accessible.
• Employees who have critical IT authorisations should be given increased attention. Unexpected crises can lead to the exploitation of control gaps.
• In the event of a crisis, further crises should not occur. It is advisable to use the time now to test the effective­­­ness of data backups, replacement line capacities, etc. and to check the monitoring systems to see if there are any indications that faults exist. Malfunctions should now be eliminated in a timely manner.

Agile task forces for the crisis, which serve as a direct point of contact in addition to implementation, are also an important part of an IT emergency plan. Exactly because of the enormous chaos during a crisis, communication is an important instance to manage the crisis.

Crisis Phase

If, according to the definition from the preparation, the crisis occurs and one or more areas of IT are affected, the measures are initiated analogous to the defined emergency plans.

As a rule, it can be assumed that the contingency plans only partially cover or foresee the emergency that has actually occurred, so that the first action of the sub-crisis team is to analyze the current situation and derive options for action.

Depending on the severity of the course of events within the company, multiple emergencies could also en­danger the company's own ability to implement the emergency plans.

Post-Processing Phase

In addition to the effort required to return the emergency-related reorganisation measures to normal operation, the following also apply

• to include the individual crisis situation in the IT concepts and especially in the IT emergency plan as a lesson-learned solution,
• to restore the correctness with regard to the internal control system, the allocation of rights by the emer­gency operation, etc. and to check the successful production and
• to check whether the emergency measures have restored the level of data and information security to an optimal level.
• For this purpose, it is advisable to run an ongoing cybersecurity check for your own company and important business partners in the IT environment right at the beginning of the emergency.
  

It can be guessed that the company has a lot of catching up to do in the post-processing phase, so that the re­sources in the IT environ­ment may be lacking. In this case it is advisable to involve the crisis team of Rödl & Partner.