2020 AFPM Summit: Cybersecurity, business continuity top list of remote work concerns
ADRIENNE BLUME, Executive Editor, Hydrocarbon Processing
At AFPM's virtual Summit on Tuesday, a morning session on technology lessons learned from the COVID-19 pandemic featured Stephanie Franklin-Thomas, Director of Information Technology (IT) and Chief Information Security Officer (CISO) at Motiva Enterprises, and Blake Larsen, Director of IT/CISO at Sinclair Oil Corp.
The speakers discussed how to apply cyber and operational technology (OT) industry best practices from the COVID-19 response to potential future emergency situations and the "new normal." Maggie O'Connell, Policy Analyst at AFPM, moderated the session.
Cybersecurity during work-from-home. Stephanie Franklin-Thomas noted that the pandemic has backed many companies into a corner as they look for ways to survive a potential downturn. The first questions that arise are: How can the business be kept running, and how can the staff continue to be employed?
According to recent industry surveys, 80% of respondents said that COVID-19 had impacted their business, yet only 40% recognized a cybersecurity impact. Approximately 73% of employees said they had not received additional cybersecurity training after transitioning to working from home full time, and only 34% of employees said they had been given IT security requirements for working remotely on their personal devices.
Blake Larsen commented that although there is a general view that cybersecurity is important, most survey respondents indicated that cybersecurity is not an issue from their point of view, but that there are opportunities for improvement.
Maggie O'Connell noted that COVID-19 has forced CISOs overnight from worrying about a couple of networks at company sites to a network in everyone's home. It is important to develop procedures to help employees understand that in this new normal, their home security networks are now the company's security networks.
Franklin-Thomas noted that the world has 4.2 B active internet users, 1 B of whom have been affected by a data breach at some point. Many employees view cybersecurity as the responsibility of IT departments, but now more than ever it has become everyone's responsibility.
OT is at greater risk than IT, she noted. Cyber risks impacting the supply chain are difficult to address, and many oil and gas firms are still unprepared for cyberattacks and security breaches. "This is a space where I definitely see opportunities for new ways of working in the future and for developing solid ways of working that address all the risks that an organization is willing to take on," Franklin-Thomas said.
COVID-19 and business continuity. Larsen commented that business continuity has been tested by the COVID-19 pandemic, which has forced businesses to execute key components of their business continuity strategies. Questions have arisen on how to memorialize business continuity components that have surfaced during the pandemic, including policies, processes and protocols; technology and security; meetings and interactions; flextime; and personal appearance.
"Safety protocols [at refineries] may not have been clearly understood early in the pandemic outbreak," Larsen commented. "We learn that there have been many opportunities to locate and communicate accurate information. In terms of security, it has been observed that bad actors are finding vulnerabilities in remote servers and services in cloud providers, as well as on-premises solutions."
"Capturing the guidelines and the learning moments will be helpful as we prepare for other unknown future disruptions," Larsen said. Franklin-Thomas added that business continuity can look different in different places. On the Gulf Coast, for example, refiners and petrochemical producers must be on high alert during hurricane season from June through September. "This business continuity concern manifests itself in so much more than a tabletop," she noted. "So it's been really interesting to hear how different companies are looking at that exercise."
Remote work yields successful results. The pandemic has also created many "aha!" moments for businesses. These include the realization that much business and many activities can be conducted remotely, which will reduce both travel costs and the need for office space. Many employees expect permanent or partial changes in working habits post-COVID-19 that are tied to the effectiveness of working remotely.
Work results observed during work-from-home in the pandemic have made many business leaders realize that telecommuting and remote work can and should be part of company policy. "In the aggregate, it appears that we have overcome the challenge of a pandemic by adapting to remote work, while also observing that the future will likely include more remote work capabilities than would have been considered had we asked those same questions back in February," Larsen said.
Franklin-Thomas noted that questions remain about how to determine employee efficiency during remote work. "Other things coming out of [remote work policies] deal with expanded data collection … Will employers start to look at when employees log in and off, how many emails they send per day, and how they are engaging? How will KPIs be built around that?" she said. "If we continue in this work-from-home scenario, is that an option to evaluate whether or not an employee is being effective?"
The pandemic has also motivated businesses to look at their employees as people first, Franklin-Thomas commented. "Working from home isn't easy for everyone … Understanding the dilemmas that workers will have in some work-from-home scenarios is another thing that organizations are beginning to comprehend, and how to create safe spaces for their employees to establish working-from-home norms and still be effective."
To achieve these goals, managers and employers have developed better communication skills, particularly since they are not meeting face-to-face in the office every day (FIG. 1). "If you had a culture that relied upon that physical interaction, that culture is shaken at the foundation by working remotely—but what we've learned is that companies, businesses and individuals adapt," Larsen said. "There's no such thing as staying still and doing the same thing day after day, year after year. If we've learned one thing from COVID-19, it's that we need to adapt and change."