COVID-19 was declared a pandemic on March 11, 2020 by the World Health Organization.

That was the disease. Disinformation about COVID-19 reached pandemic proportions on March 12, 2020, as assessed by yours truly.

The COVID-19 pandemic has entered a strange phase, in which the risk of contracting the virus, driven by ever more contagious variants, continues to oscillate in waves. At the same time the risk of hospitalization and mortality from the virus has plummeted, thanks to near-miraculous achievements on the part of the biomedical research community in the form of rapidly developed vaccinations and effective treatments.

The COVID-19 disinformation pandemic, in contrast, continues to induce inflammation. Its etiology: the production of “alternative facts” and spurious statistics designed to appeal to those who subscribe to a good-guys/bad-guys worldview.

Example: The perception that being vaccinated doesn’t reduce COVID risks continues to be popular among a certain class of opinionator, armed with persuasive-looking but flawed statistics and positioned for high visibility in the popular media.

Revealing the flaws in their statistical reasoning depends on opinionators whose highest-visibility platforms are publications such as Scientific American – not where most citizens flock to develop their opinions. See the graph that follows (spoiler alert):

Credit: Amanda Montañez; Source: Centers for Disease Control and Prevention

Nonetheless, for several reasons it’s time for organizations to revisit their COVID-19 policy. First and foremost, as of this writing and as noted above, the combination of currently available vaccines and clinically valid treatments – and yes, I mean Paxlovid, not quack therapeutics like Ivermectin – has made the consequences of an employee violating your COVID-19 policy less dire than they were in the early stages of the pandemic.

Second, as compared to 2020, the power dimension of the employer/employee relationship has shifted significantly in employees’ favor. As a practical matter, terminating an employee for violating policy probably harms the employer as much or more than the employee.

And third, the logic of targeting a policy to a single specific malady is increasingly tenuous.

The original purpose was to help create and maintain a safe work environment. But even before COVID-19, contagiously ill employees who came in to the office endangered their colleagues – not as severely as COVID in the pandemic’s early days, but with discomfort and debilitation severe enough to matter regardless of the specific malady.

In late July 2021, I suggested this COVID-19 policy:

All employees who:

  • Enter our facilities …
  • Enter a client’s facilities …
  • Perform any of their responsibilities face-to-face with colleagues regardless of location …

… must be fully vaccinated. Refusal to comply with this policy can result in termination or reassignment to a position all of whose duties can be performed remotely. If the result is reassignment the company reserves the right to adjust compensation to make it commensurate with the new position’s pay structure.

This policy applies to all employees and contractors, other than those who can perform all work remotely.

What should change?

Mandating vaccination made sense when the vaccines were more effective at preventing infection by the then-prevalent variants, and when the consequences of non-compliance concerned employees more. But that ship has sailed and there’s no point in pretending otherwise.

Also, as mentioned, broadening the policy beyond COVID alone would mean requiring employees to be fully vaccinated against everything contagious for which we have effective vaccines. That just won’t fly, regardless of the wisdom of being fully vaccinated.

Bob’s last word: Encouraging employees to be fully vaccinated is a matter of helping them stay healthy. Our arsenal of safe and effective vaccines is one of the blessings of modern medicine.

But mandating them? For better or worse the time for that has come and gone.

The alternative: Instead of mandating vaccination, requiring all contagiously ill employees to stay home makes all kinds of sense.

It makes all kinds of sense, that is, if their employer makes PTO policies more generous, so that ill employees no longer have an incentive to show up for work at the office, giving the gift that keeps on giving – a disease.

Bob’s sales pitch: Need help thinking through a situation you or your organization is facing? That’s what I do, and if you read KJR on a regular basis you should have a pretty good sense of the perspectives I bring to such things.

And you can get my help in increments as small as an hour.

Just let me know what you need.

Now showing on the CIO Survival Guide: “A CIO’s guide to guiding business change.” As CIOs re-think IT’s role in the enterprise, leading or facilitating business change is central to the conversation. Here’s one way IT can and should regain center stage.

Are you as tired as I am of movie and television series plots that revolve around super-hackers and super-counter-hackers?

It was bad enough when a bad guy sat down, cracked his (or, less commonly, her) knuckles, started typing, and five seconds later told the uber-bad-guy (no, not a tailgating ride-share-driver), “I’m in!” (Fair’s fair: In the first Die Hard movie the hacker needed a more reasonable hour or so.)

If you’re working on a hacking-related script, please: Have the bad-guy-hacker open a desk drawer, pull out a Post-It®, and type in the password written there. While in the real world this isn’t a reliable method … in a typical office the hacker would have to visit at least five desks … it would at least be plausible.

Accuracy would depict the hacker sending out a spear phishing attack, but I’ll make a concession, given that, unlike your average caper movie, in a hacker plot the process isn’t the point.

Which (in admittedly slow motion) gets us closer to the point of this week’s epistle. But to get there … my wife and I were catching up on a couple of television shows we enjoy. Both of their plots, back to back, were based on ransomware attacks. And no, I’m not going to identify the shows. My guilty pleasures are none of your business.

What is your business is protecting your organizations from ransomware attacks. On a pain scale of one to ten, where one is your level of discomfort following a vaccination and ten is what you experience during an anesthetic-free amputation, these rate about twelve.

What’s most shocking about the ransomware epidemic, both on television and in the real virtual world (now, now, don’t be like that!) is that they are, so far as I can tell, both more preventable and remediable than your typical write-up on the subject would suggest.

But only if you’ve prepared.

What follows are a few basics to get you started. Most are steps you should have taken even before ransomware became prevalent. Next week we’ll dig deeper.

Data can’t be infected. Data can be encrypted, making it inaccessible, which is what ransomware does. But except for macro-bearing documents and similar formats that carry executable content, data can’t be infected, because … it’s data, not executable. So make sure all of your data resides on different physical servers than your executables, and that the servers running your executables have only the write access to that data they actually need. Ransomware encrypts whatever the compromised host can write to, network shares included, so the separation is only as good as the access controls between the two tiers. That’s physical, not just virtual.

More important, make sure all of your data backups are read-only – immutable once written – and managed by different, air-gapped physical servers whose administrative credentials are not shared with the production environment. Backups the attacker can reach with a stolen domain-admin password are not backups.

More important yet, take frequent snapshots and preserve all journal files and change logs for longer than seems necessary. Attackers frequently sit in an environment for weeks before they trigger encryption, and the snapshot you recover from has to predate the intrusion, not just the encryption.
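Retained snapshots are only useful if you can tell which one predates the encryption event. The following is an added example written for this post, not code from the original article or from any backup product. It hashes every file in each retained snapshot, flags files whose content jumped from low to high byte entropy (the fingerprint of encryption), and treats a snapshot as compromised when a large share of files changed that way or a ransom-note-looking file appeared; the newest snapshot before the first such transition is the restore point. Snapshots are modelled as in-memory dicts, and the sample data, the note markers and the thresholds (7.5 bits/byte, 50% churn) are constructed assumptions, not industry numbers.

```python
"""Snapshot triage: find the newest retained snapshot that predates encryption.

Added example for this post; not code from the original article or any backup
product. Snapshots are modelled as {relative_path: bytes}; sample data and the
thresholds below are constructed assumptions, not industry numbers.
"""
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits/byte; encrypted or compressed data sits near 8.0 (assumed cut-off)
MASS_CHANGE_RATIO = 0.5   # fraction of files changed or removed that counts as mass change (assumed)
RANSOM_NOTE_MARKERS = ("readme_to_decrypt", "how_to_restore", "decrypt_instructions")  # constructed


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(before, after):
    """Low-entropy content replaced by high-entropy content is the ransomware signature."""
    return shannon_entropy(before) < ENTROPY_THRESHOLD <= shannon_entropy(after)


def diff_snapshots(older, newer):
    """Classify the transition from one snapshot to the next."""
    changed = [p for p in older if p in newer and sha256(older[p]) != sha256(newer[p])]
    encrypted = [p for p in changed if looks_encrypted(older[p], newer[p])]
    removed = [p for p in older if p not in newer]
    added = [p for p in newer if p not in older]
    notes = [p for p in added if any(m in p.lower() for m in RANSOM_NOTE_MARKERS)]
    return {"changed": changed, "encrypted": encrypted, "removed": removed,
            "added": added, "notes": notes}


def is_compromised(older, newer):
    """True when the transition shows a ransom note, or mass change that includes encryption."""
    d = diff_snapshots(older, newer)
    churn = (len(d["changed"]) + len(d["removed"])) / max(len(older), 1)
    return bool(d["notes"]) or (churn >= MASS_CHANGE_RATIO and bool(d["encrypted"]))


def last_clean_snapshot(snapshots):
    """snapshots: list of (label, snapshot) oldest first.

    Returns the label of the newest snapshot taken before the first compromised
    transition, or the newest label if no transition looks compromised. Normal
    day-to-day edits (a few files, still low entropy) do not trigger."""
    for i in range(1, len(snapshots)):
        if is_compromised(snapshots[i - 1][1], snapshots[i][1]):
            return snapshots[i - 1][0]
    return snapshots[-1][0]


def make_sample_snapshots():
    """Constructed four-day retention set: two normal days, then an encryption event."""
    def text(s):
        return ((s + "\n") * 50).encode()
    day1 = {
        "finance/invoice.txt": text("invoice 1001 total 100.00"),
        "hr/roster.csv": text("alice,engineering"),
        "ops/runbook.md": text("# restore procedure step 1"),
        "sales/pipeline.csv": text("acme,renewal,open"),
    }
    day2 = dict(day1, **{"ops/runbook.md": text("# restore procedure steps 1 and 2")})
    ciphertext = bytes(range(256)) * 8          # stand-in for encrypted output: entropy exactly 8.0
    day3 = dict(day2)
    for p in ("finance/invoice.txt", "hr/roster.csv", "sales/pipeline.csv"):
        day3[p] = ciphertext
    day3["finance/README_TO_DECRYPT.txt"] = b"your files are encrypted, pay here\n"
    day4 = dict(day3)                            # nothing changed after the event
    return [("day1", day1), ("day2", day2), ("day3", day3), ("day4", day4)]


if __name__ == "__main__":
    print("restore from:", last_clean_snapshot(make_sample_snapshots()))   # day2
```

The scan stops at the first compromised transition on purpose: a snapshot taken after the event looks "unchanged" relative to the one before it, so comparing only the two newest snapshots would wrongly report all clear. In a real environment the same logic runs over the backup catalog's file hashes rather than over file contents held in memory, and the note-marker list is replaced by whatever your detection team maintains.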

Ransomware discontinues business operations. So include recovery from a ransomware attack in your business continuity plan. Additional thoughts about this:

  • Don’t maintain a separate ransomware plan alongside your business continuity plan. If you have two overlapping recovery plans to keep synchronized, they won’t stay synchronized.
  • Know how you’ll continue business operations during a ransomware attack. Improvisation after you’ve been attacked is considered industry worst practice.
  • As with the rest of your business continuity plan, an untested ransomware recovery plan isn’t a plan, just wishful thinking.
  • Hope wasn’t a plan before ransomware became a threat. It’s even more not a plan now.

Reinstall. Make sure you can reinstall, not only applications, but also the platforms they run on. Document every procedure required to rebuild every piece of your production environment, starting with the original installation files, and keep those files, along with their vendor-published hashes or signatures, somewhere the attacker can’t reach. Rebuilding from known-good media rather than from images of the compromised hosts is the only way you can be confident you aren’t recovering ransomware executables in your attempts to restore an uncompromised production environment.
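One concrete form of that discipline is a pre-rebuild gate: before anything is installed, the staging area of installation files is checked against an offline manifest of known-good hashes, and the rebuild is blocked if any file is missing, differs from its recorded hash, or is present without being on the manifest at all (an unlisted executable in the staging tree is exactly how a re-infection slips into a "clean" rebuild). The code below is an added example written for this post, not the article’s own procedure or any vendor’s tool; the manifest format (sha256sum-style lines), the file names and the sample content are constructed for the example.

```python
"""Pre-rebuild gate: verify staged installation files against an offline manifest.

Added example for this post; not code from the original article or any vendor.
The manifest format, file names and sample content are constructed.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Streaming SHA-256 of a file so large installer images don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Lines of '<hex sha256>  <relative path>' (sha256sum output format); '#' starts a comment."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        expected[rel.strip()] = digest.lower()
    return expected


def verify_rebuild_sources(staging_dir, manifest_text):
    """Return (ok, findings); findings lists 'mismatch', 'missing' and 'unlisted' paths.

    Every file under staging_dir must be on the manifest with a matching hash,
    and every manifest entry must be present. Any finding means: do not rebuild."""
    expected = parse_manifest(manifest_text)
    findings = {"mismatch": [], "missing": [], "unlisted": []}
    present = {}
    for root, _, files in os.walk(staging_dir):
        for name in files:
            full = os.path.join(root, name)
            present[os.path.relpath(full, staging_dir).replace(os.sep, "/")] = full
    for rel, digest in expected.items():
        if rel not in present:
            findings["missing"].append(rel)
        elif sha256_file(present[rel]) != digest:
            findings["mismatch"].append(rel)
    findings["unlisted"] = sorted(rel for rel in present if rel not in expected)
    return not any(findings.values()), findings


def build_sample_staging(tamper=False, plant_extra=False, drop=None):
    """Constructed staging tree; returns (directory, manifest_text).

    The manifest is computed from the pristine copies first, so it plays the role
    of the vendor's published values; tampering happens afterwards."""
    d = tempfile.mkdtemp(prefix="rebuild-")
    files = {
        "os/base-image.iso": b"pristine base image bytes\n" * 100,
        "db/dbms-installer.run": b"pristine dbms installer\n" * 100,
        "app/erp-3.2.pkg": b"pristine app package\n" * 100,
    }
    lines = ["# offline manifest, constructed for this example"]
    for rel, data in files.items():
        full = os.path.join(d, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        lines.append(f"{hashlib.sha256(data).hexdigest()}  {rel}")
    if tamper:                      # installer modified after the manifest was recorded
        with open(os.path.join(d, "app/erp-3.2.pkg"), "ab") as f:
            f.write(b"\x90\x90 trojaned\n")
    if plant_extra:                 # executable that is not on the manifest at all
        with open(os.path.join(d, "app/helper.exe"), "wb") as f:
            f.write(b"not on the manifest\n")
    if drop:                        # manifest entry that never made it to the staging area
        os.remove(os.path.join(d, drop))
    return d, "\n".join(lines)


if __name__ == "__main__":
    staging, manifest = build_sample_staging(tamper=True, plant_extra=True)
    ok, findings = verify_rebuild_sources(staging, manifest)
    print("rebuild allowed:", ok, findings)
```

The manifest itself has to live with the air-gapped backups described above, on read-only media, and be compared against the vendor's published values when it is first recorded; a manifest stored next to the installers on a reachable share is no better than the installers.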

Cloud due diligence. Review your cloud vendors’ ransomware recovery plans and make sure they’re up to your standards, especially with respect to data protection. Consider adding on-site, read-only, snapshotted, air-gapped data backups to your cloud architecture.

Bob’s last word: In addition to making sure you have a professional-grade ransomware response plan, rationalize your application and platform portfolios. If you do have to recover from a ransomware attack, recreating the production environment is polynomially simpler in organizations that have consolidated redundant applications and platforms, and whose platforms are sufficiently current that reinstallation will work.

Bob’s sales pitch: I don’t claim to be an expert on this subject (thanks to Mike Benz, who is, for reviewing it).

This isn’t intended to be either gospel or complete. Consider it a nudge, and guidance on where to start digging. If you haven’t been taking this threat seriously … take this threat seriously. It’s shocking how many IT organizations have succumbed to ransomware attacks with little or no preparation. The pandemic-level growth of these attacks is even more shocking, and we’re still at the pre-vaccine stage of dealing with it.

Safe behavior is the best defense. Make sure you’re practicing it.