While something like the swine flu currently originating out of Mexico is so low technology as to be incongruous with our modern concept of what types of things comprise enterprise security, the fact is that how an organization prepares for such an eventuality is a part of its security policy, too.
Much of the work in the area of security is building policies which codify how an organization recognize, assess, and respond to an incident which impacts the integrity, confidentiality, or availability of business operations. Part of this policy process should extend beyond the physical assets which the organization possesses to the flesh-ware which drive the business forward! Having dealt with the avian flu and SARS so recently in modern memory, this flu is on the heels of several other highly publicized waves that provided the impetus for large organizations to critically assess their states of readiness. With the public awareness of the potential contagions over the last few years, it is largely a number small and medium sized businesses which continue to operate without policies to address this area.
Overlooking the Threat
One of the challenges in security is to properly assess what the risk of any given impact is, thereby helping to determine how much of a company's assets (read: money) needs to be dedicated to counteracting the perceived threat. Generally, when examining these risks on an individualized basis, there are two components to look at: the likelihood of the threat coming to pass, and the scope of the impact were the threat to materialize. The former element of likelihood drives biological threats generally much further down the threat matrix despite the fact that the impact portion may have the same inherent cost as a major natural disaster on an office or region.
That is not to say that organizations have not looked at the threat but rather that some organizations look at a wide field of things that need to be planned for and rightfully make the decision that with the limited resources available, biological threats may not warrant more than a cursory inspection.
It is important to note that the two revious major epidemiological incidents in the United States well predate the advent of the technology age. [If you have an interest in the area, you may want to look at the Wikipedia article on the subject.] The most recent natural flu of note was H3N2 which reached epic standards in 1968-69, causing an estimated 34,000 deaths. Since that time, modern medicine has provided society with a far more comfortable age to live in with modern cases of deadly diseases contained to second- and third-world countries where facilities are not so advanced.
Given the early (in terms of computational development) nature of the most recent major epidemics, there is little precedent for the application of a "tested" method of continuing business operations in the face of a public health emergency.
Preparing as an Organization
Enterprise preparedness for public health emergencies starts with a solid policy which addresses the threats to the business that a sick employee base can pose. There are a variety of facets of this impact to consider and as such, the impacts and methods of impact are as unique as the structure and flow of the business in question.
- What kinds of different employee scenarios does your organization employ?
- Employees Housed in a Closed-Door Office?
- Employees in Cubicle Farms?
- Employees travelling to a single customer site?
- Employees travelling to many customer sites?
- Employees travelling to multiple enterprise offices?
- How are these functions performed?
- Is there a method that can be used to drive the same business mechanics while allowing an alternative arrangement that minimizes human contact?
- Conference calls
- Video Conference
- LiveMeeting
- Remote Access technologies (Terminal Services / Remote Desktop)
- Is there a cost to employing these strategies for the business?
- Lost Productivity
- Actual use of the technology (bandwidth, vendor cost, etc)
- What kinds of functions simply cannot be replicated in a reduced-contact environment?
- Employees which maintain physical on-site assets
- A "core" or "skeleton" crew of operators for on-site "presence"
- Delivery or Shipping
Common policies which are used to address these kinds of situations usually are maintained under a leave policy like "Public Health Emergency Leave" or as an operations plan "Public Health Emergency Operations Plan". Any such plan should be composed of a number of elements:
- Title
- Purpose
- What invokes the policy or plan?
- Who has the authority to invoke the policy?
- How will the policy invocation be communicated?
- How are operations modified to accomodate the public health emergency?
- Often this may be several "plans" within the policy that allow for different levels of operational modification.
- This plan also may be composed of several different strategies including a mix of telecommuting, leave policy, standards of conduct modification, attire and safety equipment provisioning, etc.
Organizations interested in building such a policy for themselves may be interested in the published policy of The Ohio State University, policy 617, "Disaster Preparedness and University State of Emergency".
Individual Security Preparedness
Assuming that your organization has such a policy, the individual employee's preparation for such a public health threat is mainly centered around understanding and staying in compliance with the enterprise policy.
A core first step in your preparation is to know if such a policy exists. Ask your HR representative or your Manager if they are aware of such a policy and how you will know if business operations are modified to apply the policy.
Read your leave or time policies, whichever your organization uses to understand whether your organization has specific provision for allowing you to use sick days in such cases or to invoke things like "liberal leave" if your organization supplies such a leave.
Make sure you know in advance how you might be able to modify your position to make alternative work arrangements. Even if your work does not formally have a policy on the subject, often you can work with your manager to determine if another work arrangement might be suitable such as logging in from home, altering customer meetings to be over the phone, or temporarily working in an area of the building which is less heavily populated.
Work to keep your workspace clean. Any kind of porous surface such as paper or cloth should be minimized. Keep your desk surface clean and plan on wiping down the surfaces no less than once a day with a Clorox or alcohol based wipe.
Keep baby soap or alcohol based hand sanitizer and lotion in an easily accessible area of your office. It is important to note that over-use of alcohol based sanitizers can affect your skin so if you choose to use such a sanitizer, you may also plan to use accompanying dermal maintenance products.
Avoid eating in common areas if at all possible.
If possible, politely and professionally avoid those in the workplace who may become sick and attend the workplace anyway. In-person meetings which provide dial-in numbers may provide an opportunity to limit that kind of contact.
At home, maintain a 72-hour kit as a standard part of your any-emergency preparation. Whether it be natural disasters or the absurdly remote chance of a serious public health outbreak, you need to ensure that you have enough supplies for your family to survive 72 hours or more without contact to the rest of society.
- 1 gallon of water per person per day
- Enough food for 3 basic meals per person per day
- It doesn't have to be super healthy, it just has to provide nutrition and basic satisfaction
- Enough pet supplies for 2 pet meals per animal per day
- At least 72 hours worth of clean clothing for each family member
- Appropriate to the season
- Geared for outside weather
- Battery or Hand Crank Powered Combination Weather and AM/FM Radio
Realize that the Media Sensationalizes the Threat
A final word about the threat of any particular public health news. As with any other security based news item, recognize that the media has a vested interest in "juicing up" the news stories that they share. As a result, you would be well advised to realize that the actual risk to your person may not be as high as the media is going to make it out to be. It is your responsibility to make the decisions affecting your personal health for yourself based on the information available to you and the policies of your organization.