In recent weeks, organizations around the world have had to quickly get up to speed on how to handle unforeseen events. The coronavirus has affected virtually every aspect of life and has forced many businesses to change their basic operations in ways virtually no one could have predicted.

This has been a lesson in the need for disaster preparedness, and it can also prove to be a teaching moment to improve preparedness plans at the ground level and for the future.

Building a security preparedness plan

When a crisis such as a pandemic or hurricane hits, CISOs and other security leaders need to consider these factors when helping to create and execute a preparedness plan.

1. Disruption from reduced staff

A crisis such as the current one can lead to a reduction in IT and security staff because of people’s inability to get to work for various reasons. One short-term solution is to tap outside help such as a managed security service provider until things get back to normal. Being prepared to hire third parties when the need arises should therefore be part of the plan.

Help can also come from within. “A new pandemic situation creates challenges with employees or contractors not being able to work in normal working conditions,” says Selim Aissi, senior vice president and CISO at Ellie Mae, a software company that processes mortgage applications.

“Also, some of the employees may not be able to do any work because of illness, family conditions, transportation, or plainly not being able to work remotely because of some technology challenges,” Aissi says, adding that the CISO’s disaster task force should identify and prepare for all possible scenarios to prevent business interruption.

Such a task force should be in place as part of the company’s overall cyber resiliency program, which should also include disaster recovery, business continuity and crisis management, Aissi says.

“The task force should already have been meeting, discussing their plan, testing against that plan, and updating the senior management of the company way before this specific pandemic crisis,” he says.

2. Need to secure remote workers

Suddenly, countless more people are working from remote sites such as home offices. They all need secure access to networks and data.

Keep in mind that remote work might be the new normal, not only for the security team but for peers and business partners, says Drew Osborne, a former CISO and now an independent security consultant. CISOs should review controls and aggressively monitor remote access tools, Osborne says. They should also implement a review of usage behavior, if they have not already, and monitor it closely. Remote access is probably a good candidate for any available capacity IT might have in reserve, he says.

Adversaries, including hackers and organized cyber criminals, take advantage of disasters because people tend to react to their lures when they are working remotely under new conditions, and because humans tend to react to urgent requests, Aissi says.

“We have seen a huge increase of COVID-19 themed malware attacks, phishing attacks and even ransomware,” Aissi says. CISOs need to ensure that all network connections remote employees use are secure, that access to company networks requires multi-factor authentication, and that monitoring of remote network connections increases.

3. Need to secure new systems

Organizations will need to secure any new online and internal systems and services brought in to address the crisis. They could bring on new services, applications or third parties to meet emergency needs, Osborne says. The security team should expect to be called on to provide security controls, perhaps with reduced staff. Prioritization and efficiency are key.

Security’s role should be not so much to enforce rules as to provide secure solutions. This is especially true in a crisis, Osborne says. Prioritize efforts where the organization has the greatest risk, the most critical applications, and the most sensitive data.

4. Vulnerabilities that might emerge among partners or suppliers

Organizations need to be aware of what’s happening with their key business partners, such as suppliers. Given this, part of the preparedness plan should address communication and collaboration with partners.

“It is critical that the company requests information about pandemic-readiness from all of its critical vendors,” Aissi says. “Typically, the classification of such critical vendors is done by a dedicated third-party risk management program/team in the CISO’s organization.”

The plan should also cover how to deal with customers. “Customers should be informed about the level of readiness of the business against any potential disruption caused by the pandemic situation,” Aissi says.

5. Need to update training programs

Organizations might need to make changes in their security awareness training programs, for example because phishers are leveraging the crisis. Consider a focused campaign on crisis-related security concerns, such as phishing attacks masquerading as crisis-sensitive communication, Osborne says.

Reconciling gaps

Organizations will undoubtedly notice gaps between the crises they have planned for and the one they are experiencing today, Osborne says. It’s a good idea to keep a journal or otherwise document everything the enterprise needs to improve on between now and the next crisis.

Good communication between security and the lines of business is key. “CISOs need to stay in close contact with business personnel at all levels of the business to understand how the crisis is affecting systems and people,” says Amy Worley, a managing partner with Berkeley Research Group.

“Are communications networks responding as expected or are they slow or unstable?” Worley says. “Be prepared for ‘bad guys’ to exploit a crisis, and make sure the business is ready for cyber attacks such as denial of service or crisis-related phishing scams.”

CISOs will want to continue to educate executives about these risks and how to mitigate them, even as senior leaders may be focused on their immediate revenue concerns, Worley says. “Work with internal communications teams to make sure employees understand how to use security-enhancing technologies like VPN connections and two-factor authentication while working remotely,” Worley says. “With people moving quickly to maintain business processes, coworkers may forget about or deprioritize privacy and security—unless they are reminded about it in the crisis communications.”

Preparing for the future

Security leaders and teams can use a crisis as a learning experience so they can be better prepared in the future. “Learnings could be about providing better communication, enabling the necessary tools for remote employees, or simply dealing with employees getting infected,” Aissi says. “It is always a good practice to perform a ‘lessons-learned’ exercise after a pandemic. The learnings should be openly discussed, documented, and tracked.”

The opportunity in a crisis “is to learn what works and what doesn’t in your crisis plan,” Worley says. “Note what goes well and what needs improvement as the crisis unfolds. Did you need more bandwidth to support so many virtual meetings? Were too many employees without laptops or docking stations? Were there successful phishing attempts?”

Security executives should make it a point to get input from other stakeholders about their experience. “Once things are back to business as usual, take the documentation and turn it into executive education about ongoing crisis mitigation needs,” Worley says.