As companies extend commitments to remote workforces, cybersecurity teams need to address new risks while helping create business value in the next normal.
As the COVID-19 pandemic swept across the world, most organizations made a quick transition to a remote workforce and a more intense focus on serving customers through digital channels. This created a rapid surge in demand for digital capabilities, products, and services. Cybersecurity teams, for their part, were largely successful in taking on a dual mission of supporting business continuity and protecting the enterprise and its customers.
The digital response to the COVID-19 crisis has also created new security vulnerabilities. Attackers seek to exploit the gaps opened when telecommuting employees use insecure devices and networks. Threat actors also use known attack techniques to exploit people’s COVID-19-related fears. For example, Google tallied more than 18 million malware and phishing emails related to the novel coronavirus on its service each day in April. It also reported identifying more than a dozen government-backed groups using COVID-19 themes for these attempts.
The COVID-19 pandemic and the efforts to contain it have had serious economic and business consequences. These are affecting core dimensions of the business environment, from digital strategies to operational and enterprise risk appetite. Supply-chain configuration and business interactions with regulators are likewise being reshaped, as are the ways we think about the very nature of work. An Aura survey of digital sentiment revealed that most employees who are now telecommuting do not expect to return to the workplace soon. Seventy percent of those responding believe that the ability to continue telecommuting will factor into their next job choice. Customers express similar sentiments: 75 percent of respondents using digital channels as a result of the COVID-19 crisis say that they will continue to do so.
Chief information-security officers (CISOs) and cybersecurity teams will need to approach the next horizon of business with a dual mindset. They must first address the new risks arising from the shift to a remote digital working environment, securing the required technology. They will also need to anticipate the next normal—how their workforce, customers, supply chain, channel partners, and sector peers will work together—so that they may appropriately engage and embed security by design. The new context of changing customer and employee behavior and a constantly shifting threat landscape must also be considered.
The pandemic response has underscored the vital role that security plays in enabling remote operations, both during and after a crisis. As companies reimagine their processes and redesign architecture amid the COVID-19 response, cybersecurity teams are being perceived anew. They must no longer be seen as a barrier to growth but rather become recognized as strategic partners in technology and business decision making.
Addressing risks and fortifying gains
Throughout the crisis, cybersecurity leaders responded with a focus on three activities as companies shifted to new processes and technologies: assessing and knocking down hot spots, fixing and mopping up operations, and fortifying incremental digital gains. Efforts in each area occur simultaneously and are ongoing. Cybersecurity teams may only just be arriving at the point where they are fortifying initial incremental gains; they may also have to reevaluate prior efforts as new technologies or processes are introduced. Here are some of the experiences in these three areas companies and cybersecurity leaders have shared with us.
Assessing and knocking down hot spots
As employees began working from home in less secure environments and, in many cases, with less secure personal equipment, security teams have had to remediate immediate operational, process, and technology gaps related to the pandemic-induced response and the shift to remote working. Leaders have had to address training gaps, lead virtual all-hands meetings, and call on workers to maintain digital hygiene, such as patching their computers and updating mobile software.
For example, a large financial-services company was able to support its remote workforce swiftly by distributing Wyse thin-client terminals to all call-center staff for secure remote connections. Some initial issues with bandwidth and performance were resolved by performing virtual-private-network (VPN) split tunneling as well as upgrading firewall infrastructure. The company also enabled remote patching to all end-user devices by upgrading all its AnyConnect remote servers.
In another case, a large bank adjusted several security policies in response to the COVID-19 crisis. The company ran more frequent awareness campaigns (with tailored pandemic-themed content), resulting in a 95 percent improvement in employee click rates during monthly antiphishing tests. Additionally, the organization introduced restrictions on USB connections and put critical patches on a 30-day cycle.
Fixing and mopping up operations
In the early days of the pandemic response, many companies were forced to accept new risks, including reduced control standards, to keep operations going. As employees and customers became accustomed to the changes, companies evaluated these residual risks and tightened controls.
For example, to catch up with a surge in adoption of various cloud-based collaboration tools, a large telecommunications provider accelerated the rollout of new cloud-aware monitoring capabilities within its security-incident and event-monitoring (SIEM) tool. Additionally, it reviewed its security and monitoring controls for third-party vendors to ensure that restrictions that had been temporarily lifted were put back in place.
Along the same lines, a large bank conducted threat modeling on its new collaboration tools that employees had been using, including unauthorized tools introduced during the shift to remote working. The bank also updated security controls or replaced products based on acceptable-risk thresholds.
Fortifying security gains
As employees became comfortable working from home, companies began standardizing procedures for remote work environments and explored technologies to reduce long-term risk.
Some companies introduced stronger consumer-security and fraud-prevention controls. A large bank expanded its biometric- and device-based authentication for sensitive customer transactions across new, critical digital channels. The bank also accelerated implementation of a state-of-the-art, artificial-intelligence-based fraud-detection platform. As a result, incoming transactions could be analyzed in 300 milliseconds or less, compared with the hours this took before.
In another instance, a national insurance company updated policies and procedures to institutionalize the security controls required in a remote work environment. It established a new policy and standard to mitigate the risk of cybercriminals infiltrating the network through unsecured home printers. Except for approved business cases, all employees were restricted from printing remotely through personal printing devices.
Anticipating the next normal
As cybersecurity leaders are increasingly getting a handle on the first stage of the pandemic, CISOs are now shifting to anticipating how the business environment will be affected by new conditions. They are adapting to incorporate these expectations of the next normal into both current cybersecurity activities and long-term cyberrisk strategies (Exhibit 1).
Secure the workforce in new ways of working
The COVID-19 crisis has fundamentally changed ways of working, as many companies are extending the remote-working policies that became necessary during the pandemic (see sidebar “A case example on securing the workforce”). Organizations could emphasize the following cybersecurity initiatives:
A case example on securing the workforce
A global bank believed it was impossible to exfiltrate sensitive information from its environment. A targeted test on end-point and data controls, however, found more than 70 security gaps, with a large number directly related to the remote work environment. The virtual private network’s always-on design, for instance, had many loopholes that could be exploited. Weak two-factor control relied on personal identification numbers and passwords rather than device, token, or biometric authentication. Data-transfer rules were in monitor mode instead of block mode, and internet-access rules were in “blacklist” mode (blocking suspicious sites) rather than allowing preapproved sites. In one instance, a customer’s personally identifiable financial information was altered using a cypher, and more than 20,000 records were extracted without detection and blocking.
The following issues were discovered:
More than 70 gaps were identified in the effectiveness and coverage of the security architecture, including prevention, detection, and mitigation capabilities.
Despite the bank’s belief that exfiltration of sensitive information from its environment was impossible, 16 ways to do so were discovered.
Dynamic security. Static, network-based security perimeters will no longer be sufficient. The security dynamic among users, assets, and resources must be the new focus. Define identity as a perimeter with scaled-up capabilities in identity and access management, privileged-access management, multifactor authentication (based on devices or biometrics), key management, and heuristics based on log-on behavior. For assets, consider a strategy using a software-defined perimeter and enhanced network segmentation (using logical microsegmentation through next-generation firewalls). Protect end-point assets and utilize real-time anomaly detection with end-point-detection and -response systems. Protect data assets through enhanced block-mode data-loss-prevention tools and utilize a model of preapproved sites as a default for external access.
Cloud-based tools and infrastructure. The need for greater agility and flexibility will accelerate the use of the cloud. Restrict localized data storage for the remote workforce and transform end-user infrastructure through increased adoption of virtual desktop and desktop as a service. Support the increasing shift to a multicloud environment and cloud-based services through access controls at points where policy is decided and enforced; implement a cloud-access-security broker.
‘Contact aware’ workforce privacy. Heightened security will require new agreements with employees. Factor in the implications of workforce privacy and employee consent to introduce contact-aware tools, such as contact tracing and temperature taking, in the workplace (as enabled, for example, in the API for contact tracing that is integral to the recent iOS 13.5 update).
People defense. Companies will need to extend their operational defenses as working from home becomes standard. Roll out insider-threat-detection programs and explicit policies for a safe remote workplace. These could include restricted remote printing and prohibited sharing of company devices with family members. In addition, companies could consider helping employees manage stress levels, offering support in the current circumstances. Protecting employees is not just a leadership imperative: it will also reduce vulnerabilities created by worker anxiety.
Remote cybersecurity operating model and talent strategy. The new ways of working will have implications across the enterprise. Rethink the cybersecurity operating model and continuity plans for physical-location-constrained operations, including automation opportunities. Derisk by design and further embed in application-development processes the principles and capabilities of DevSecOps—the linkage among development, security, and operations. Use the imperative of remote working as an opportunity to gain access to a broader pool of cybersecurity talent where there is an existing gap in local talent pools.
Secure the customer journey through the shift to digital business
Customers should be offered a secure and seamless digital experience—especially first-time users or those who are not tech savvy. As customers demand greater choice in their interactions with companies and expect greater digital availability, cybersecurity teams can add value by helping their institutions reimagine the secure customer journey (see sidebar “A case example on securing the customer journey”). Several cybersecurity levers should be prioritized here:
A case example on securing the customer journey
An insurance company realized that providing a secure journey for customers required abandoning an internally developed customer-authentication solution. The solution was difficult for customers to use, often resulting in session time-outs during a transaction. One-time passwords took too long to get to customers during peak hours, and a cumbersome application of security controls significantly increased friction. Key customers chose not to utilize this service at all.
The company developed the following approach:
More than 50 in-scope security controls were identified as part of the customer journey.
Nine new user personas were identified to enhance the customer security experience.
Frictionless customer-security experience. Advance capabilities on customer-identity and -access management, including the use of a single customer identity across all digital channels and of omnichannel authentication. These capabilities enable users to move a transaction among web, mobile, and call-center channels with minimal friction. Define customer personas, associated priorities, and potential pain points. Develop plans to address those pain points through customer-security design.
At scale. Test cybersecurity controls (such as log-on controls, bot mitigation, network security, and firewalls) and monitoring to understand whether they can continue to perform at scale. Determine whether there is adequate redundancy in high-volume environments without adverse impact on user experience.
Privacy by design. Treat customers as partners in security, involving them in an education and awareness campaign. High-value customers in need of greater tech awareness can be offered free antivirus and identity-monitoring services. Controls on customer-data usage and customer consent should also be applied. Develop plans to respond to and recover from customer-data breaches, and build them into the organization.
Advanced analytics. Integrate security in fraud controls and vice versa. Feed security data (including log-on, device-binding, and jailbroken-device information) to heuristic risk-model engines that can improve authentication or stop a fraudulent transaction.
Rethink supply chain and third-party risk
Companies must consider third-party and channel-partner cybersecurity levels as carefully as they consider security policies for employees and customers. It is critical to assess supply-chain-continuity and -resilience controls against the permanent changes to ways of operating (see sidebar “A case example on securing the supply chain”). Organizations could emphasize the following actions:
A case example on securing the supply chain
A global consumer-packaged-goods company determined that its cyberrisk-management processes for third parties were only being applied to vendors that were a part of the IT-procurement process. This exposed the organization to cyberrisks presented by other types of vendors (for example, non-IT vendors, strategic partners, and acquisitions). Risk assessments were refreshed inconsistently or were nonexistent for many third parties, such as the ones that came through acquisitions. The company discovered that half of its third-party vendors (10,000 in total) did not go through the IT procurement process and therefore did not complete third-party cybersecurity assessment.
Expand assessment coverage. Expand assessment coverage to review all vendors and potential shadow third-party services—and not only those for IT services. Assign risk tiers to vendors, deciding which are most critical to operations and have the greatest access to vital information; calibrate assessment scope correspondingly.
Update controls for third-party-security controls and build joint cyberresilience. Revise security-assessment controls for third parties to account for their remote operations. For example, companies could formulate vendor-continuity plans for offshore vendor centers that have physically restricted “clean rooms.” Such restrictions may disrupt operations when the vendor workforce has to work remotely. Where possible, integrate critical third-party logs into enterprise security monitoring and alert systems for coordinated monitoring and response.
Secure partner collaboration. Secure remote-collaboration tools with partners. Take into account potential security implications in the business conditions of key partners. For example, a white-label credit-card partnership with a retail partner would be affected if the partner goes bankrupt. After bankruptcy, the white-label credit-card issuer may see increased incidents of insider threat or fraud.
Plan for geopolitical challenges. Include geopolitical cybersecurity implications for critical vendor management, such as how countries may enforce full access to any data processed by a locally registered vendor.
Sustain increased sector collaboration
During the pandemic, peers and industry sectors collaborated in new ways, and companies worked with regulators to enable the transition to new ways of working. These partnerships must be strengthened to support processes that will change significantly after the pandemic. For example, the use of telemedicine has expanded exponentially during the pandemic and will likely reshape how healthcare is delivered. This will require companies to collaborate with regulators to formulate appropriate approaches to privacy and other regulatory-compliance requirements. The Industry Information Sharing and Analysis Center (ISAC) and other industry bodies are destined to play an even larger role in reducing the barriers to sharing information across companies and building joint resilience. The topic was explored in a recent survey on cyberresilience conducted by the Institute of International Finance and Aura.
Cybersecurity road map for the next normal
Organizations adopting a dual cybersecurity mindset will need flexibility in determining cybersecurity priorities according to business needs. Obviously, priorities will differ from sector to sector and company to company. For many companies, the economic slowdown caused by the crisis will restrict appetites to invest in cybersecurity; for the many others that have experienced a dramatic increase in online traffic during the pandemic, increased funding may be needed to secure new online channels at scale.
CISOs will have many different levers to apply and opportunities to consider, so they should plan their security strategies to best align with business strategies and priorities. These may have changed because of the pandemic. They can consider three factors in setting security plans: opportunities, parameters, and time frame.
Opportunities. The cybersecurity opportunity will be determined by the transformation in the cyberrisk appetite triggered by crisis-driven business change (such as remote work and increased customer traffic). The cybersecurity team can anticipate and embed needed security capabilities, at the right level of maturity, by working with business partners. The business will help identify opportunities where the organization can leapfrog current security capabilities and set an optimal cyber pathway to support further business growth.
Parameters. Companies will have to set limits, prioritizing essential security initiatives and connecting the priorities with available resources. Given the current operations and business environment, security teams will especially need to account for project capacity and underlying business economic conditions while prioritizing efforts. CISOs should agree with business stakeholders on the scope of critically needed cybersecurity initiatives and then work with business, finance, and IT partners to develop joint business cases to ensure rapid funding and completion.
Timing. Cybersecurity leaders should clearly articulate time frames for all cyber efforts, balancing quick wins to reduce immediate operational risk with longer-term efforts that account for strategic shifts in the business portfolio. The cyber road map should align with business timelines and the pace of digitization.
shows some initiatives undertaken by a North American financial-services company as part of its cybersecurity plan.
In the next normal, cybersecurity will be embedded into new processes and technologies as a strategic imperative rather than as an afterthought. It is therefore more important than ever that cybersecurity leaders understand the ongoing changes in how their business is creating value. With such understanding, these leaders can dynamically modify priorities to reflect new business requirements, opportunities, and constraints.
The COVID-19 pandemic has changed consumer and business behavior in dramatic ways. Cybersecurity teams have generally performed far above expectations in fulfilling a dual mission of addressing new risks and anticipating the next normal. As they continue to enable changing business priorities while ensuring an appropriate level of control, the cybersecurity teams—no longer “requirements recipients”—will become full partners with business, risk, and IT stakeholders. In the next normal, cybersecurity leaders will not only protect their organizations at scale but also make security, once and for all, an integral part of delivering business value.
Cybersecurity’s dual mission during the coronavirus crisis
Chief information-security officers must balance two priorities to respond to the pandemic: protecting against new cyberthreats and maintaining business continuity. Four strategic principles can help.
The extraordinary efforts of many organizations to protect workers and serve customers during the COVID-19 pandemic have also increased their exposure to cyberthreats. Large-scale adoption of work-from-home technologies, heightened activity on customer-facing networks, and greater use of online services all present fresh openings, which cyberattackers have been quick to exploit.
Jim Boehm on cybersecurity and the coronavirus crisis
The overarching challenge for chief information-security officers (CISOs) and cybersecurity teams will be protecting their institutions while enabling operations to go on without interruption. For example, cybersecurity teams at companies that provide web-based services to consumers must adjust their security programs to match scaled-up operations while securing a massive shift to work-from-home tools. At the same time, CISOs must make it possible for security-team members to look after themselves and their families during a health crisis.
Addressing these diverse and sometimes competing needs at once won’t be easy. But recent conversations with cybersecurity leaders suggest that some governing principles are helping them meet the challenge. This article recommends four such principles: focusing on critical operating needs, testing plans for managing security and technology risks, monitoring for new cyberthreats, and balancing protection with business continuity.
How the response to COVID-19 has increased cyberrisk
As organizations and people have curtailed travel and in-person gatherings, they have shifted a great deal of activity into the digital realm. Workers and students are staying home, using videoconferencing services, collaboration platforms, and other digital tools to do business and schoolwork. In their free time, they are going online to shop, read, chat, play, and stream. All these behaviors put immense stress on cybersecurity controls and operations. Several major vulnerabilities stand out:
Working from home has opened multiple vectors for cyberattacks. A broad shift toward work-from-home arrangements has amplified long-standing cybersecurity challenges: unsecured data transmissions by people who aren’t using VPN software, weak enforcement of risk-mitigating behaviors (the “human firewall”), and physical and psychological stressors that compel employees to bypass controls for the sake of getting things done. The more that homebound employees struggle to access data and systems, the more they will attempt to use risky work-arounds (exhibit). Cybersecurity teams will need to secure work-from-home systems and test and scale VPNs and incident-response tools. In addition, they may wish to revisit access-management policies so that employees can connect to critical infrastructure via personal devices or open, internet-facing channels.
Social-engineering ploys are on the rise. In social-engineering gambits, attackers attempt to gain information, money, or access to protected systems by tricking legitimate users. Companies have seen more malware-laced email-phishing campaigns that borrow the identities of health, aid, and other benevolent organizations. Scammers posing as corporate help-desk teams ask workers for their security credentials using text phishing (“smishing”) and voice phishing (“vishing”). Email fraudsters have tried to get executives to move money to fund vendors, operations, and virus-related-response activities.
Cyberattackers are using websites with weak security to deliver malware. With the creation of new domains and websites to spread information and resources to combat the coronavirus, attackers are exploiting the weak security controls on many of these sites to spread malware via drive-by downloads. A common approach hides readily available malware (such as AZORult) inside coronavirus heat maps or early-warning applications. In one instance, a threat actor targeted a public-sector entity by embedding malware in a pandemic-related document and disguising it as an official communiqué from another part of the government. Once installed, such a malicious application steals a user’s confidential data (for example, personal information, credit-card information, and bitcoin-wallet keys). Some malware applications launch ransomware attacks, which lock a user’s system until they pay a certain amount of money to the attacker.
Public-sector organizations are experiencing acute pressure. A large government entity in North America suffered from a distributed denial-of-service attack aimed at disrupting services and issuing misinformation to the public. A major hospital in Europe was hit with a cyberattack that forced it to suspend scheduled operations, shut down its IT network, and move acute-care patients to another facility. And a department of a local government had its website encrypted by ransomware, preventing officials from posting information for the public and keeping employees from accessing certain files.
As the COVID-19 outbreak progresses and alters the functioning of our socioeconomic systems, cyberattackers will continue their efforts to exploit our fears and our digital vulnerabilities. To remain vigilant and effective, CISOs will need new approaches.
How to address the challenge: Strategic practices for chief information-security officers
While many CISOs and other executives have drawn on their experiences with past crises to respond to the early stages of the COVID-19 outbreak, the pandemic’s vast scale and unpredictable duration are highly unusual. There is no playbook that CISOs can open for guidance. Nevertheless, the CISOs and senior cybersecurity managers we have spoken to have found it especially helpful to follow four practices:
Focus. Security- and technology-risk teams should focus on supporting only those technology and security features, capabilities, and service rollouts that are critical to operations. Examples of focus areas that may justify a surge in capacity over the coming weeks include maintaining security operations, mitigating risks of remote access to sensitive data and software-development environments, and implementing multifactor authentication to enable employees to work from home. Organizations should also reiterate to employees their safe remote-working protocols and their procedures for threat identification and escalation. Employees on the front line will play an especially important role in keeping the organization safe as normal on-premise security measures become less relevant.
Test. If your organization has security- or technology-risk plans of any kind—such as plans for incident response, business continuity, disaster recovery, talent succession, and vendor succession—then test them right away. If your organization doesn’t have adequate plans in place, create them and then test them. You must determine whether your organization’s risk-response approach is effective and efficient. Eliminating risk events is impossible, but you can reduce the exacerbated risk associated with a poor response.
Monitor. Consider mustering all available resources to help with monitoring, which enables risk response and recovery to begin. Areas for stepped-up monitoring can include remote monitoring of collaboration tools, monitoring networks for new and novel strains of malware, and monitoring employees and endpoints to catch data-related incidents before they result in operational risk.
Balance. Cybersecurity teams are likely to receive a flood of urgent requests for cybersecurity-policy exceptions that will allow teams elsewhere in the organization to get work done (for example, to approve the installation of new apps and allow the use of USB drives). While CISOs might be inclined to deny such requests for the sake of preventing undue risk, they must also bear in mind the importance of maintaining business continuity during a fluid and challenging time for their colleagues. To support continued operations, CISOs may need to tolerate slightly higher risk in the short term by granting waivers or temporarily relaxing some controls. An accommodating approach will encourage colleagues to make intelligent risk trade-offs. That said, CISOs shouldn’t allow these exceptions to weaken an organization’s risk posture permanently. If CISOs grant waivers or relax controls, they should establish formal evaluation and review processes and implement time limits to force periodic reevaluation or limit the exceptions to particular user groups.
The COVID-19 crisis is a human challenge above all else. Everyone is juggling professional responsibilities with important personal ones. The coming weeks and months are likely to bring more uncertainty. By adhering to the practices we described—focus, test, monitor, and balance—CISOs can fulfill their responsibilities to uphold their institutions’ security and maintain business continuity while also meeting their obligations to their teams.
As lockdowns lift, talk has turned to whether and how to track those infected with COVID-19, as well as those they might have had contact with prior to testing positive. Here’s how contact tracing works—and some of its benefits and limitations.
Contact tracing is a decades-old tool for helping control the spread of infectious diseases. It has been used successfully in efforts to contain Ebola, SARS, MERS, tuberculosis, and other disease outbreaks. It is now a critical part of the fight against COVID-19. In practice, contact tracing begins with those who test positive for COVID-19. Those with whom they have had close contact are then identified, as they may have been infected too. These contacts are notified and supported through a period of quarantine—until they develop symptoms, pass the window of risk, or are proven not to have been exposed. Widespread testing enables optimally effective contact tracing (Exhibit 1).
A cost-effective alternative to blanket lockdowns
Contact tracing enables a targeted approach: rather than imposing a blanket society-wide lockdown, authorities are able to isolate those potentially infected. Lockdowns are necessarily applied where the authorities do not know who has COVID-19. A highly effective program of testing, tracing, isolation of cases, and quarantining contacts can achieve benefits similar to those of a lockdown while allowing the vast majority of the population the freedom to conduct day-to-day activities. In a world where herd immunity and a vaccine are still far off, even a moderately effective contact-tracing program is an important tool for enabling countries to reopen society.
The cost of an effective contact-tracing program can be substantial. For the United States, for example, a recent cost estimate for one proposal was $3.6 billion.2 The relative societal cost of a full lockdown, however, is far greater. Contact tracing is most effective when it is supported by widespread testing and advanced isolation and quarantine approaches, but it can have significant impact on its own in limiting the spread of the disease.
Many countries seen as having had the most successful responses to COVID-19, such as South Korea and Iceland, made contact tracing a pillar of their approach. Most countries with high case counts, including the United States and Germany, have made contact tracing a priority for the reopening phase of their response. The case for a program of testing, tracing, isolation, and quarantine has been included in the strategies of the World Health Organization (WHO), Centers for Disease Control and Prevention (CDC), and other public-health organizations.
New programs, new considerations
For countries and organizations now developing contact-tracing programs, several important new considerations have emerged. First, nonsymptomatic cases make contact-tracing for COVID-19 more difficult, though still valuable. Second, some countries and localities are far behind others in their contact-tracing efforts. A further consideration is that the private sector will play a major role in the effort in many locations. Finally, effectiveness can be greatly enhanced by technological enablers, such as contact-tracing mobile apps, but these raise important questions about privacy.
Nonsymptomatic cases make contact tracing harder
Contact tracing is simplest and most effective when two conditions are met: a) all cases are symptomatic, and b) the presence of symptoms is perfectly correlated with the risk of transmitting to others. These conditions are approximately (though not perfectly) true of Ebola, which makes contact tracing an especially potent tool in fighting that disease. However, things are more complicated with COVID-19 because we know that the disease can be transmitted by people who will never develop symptoms (asymptomatic transmission) and by those who have not yet developed symptoms (presymptomatic transmission).
Of these, presymptomatic transmission is easier for a contact-tracing program to manage. When a person is diagnosed with COVID-19, identification of their close contacts should include those potentially infected in the days prior to the onset of symptoms. This condition increases the importance of rapid identification and isolation of cases and quarantining of contacts. It does not undermine the usefulness of contact tracing, as long as programs move fast. In contrast, asymptomatic cases may never come to medical attention, making it harder to trace chains of transmission.
An influential paper recently estimated that 85 percent of transmission events originate from patients who have or will develop symptoms, compared to 15 percent from asymptomatic and environmental transmission.3 Since that paper appeared in March 2020, serological surveys have appeared suggesting that the rate of asymptomatic disease is higher than originally recognized. Exhibit 2 summarizes the uncertainty surrounding the question of asymptomatic transmission.
More research is needed, but early modeling suggests that transmission can be reduced by tracing and isolating symptomatic carriers without significant delay, in a process potentially enabled by technology.4 In the meantime, many countries are concluding that the disproportionate weight of symptomatic cases in driving transmission makes the aggressive pursuit of contact tracing well worth the effort.
Many countries and jurisdictions are starting late
Contact-tracing programs begin with confirmed cases, from which chains of disease transmission are mapped and contacts are supported in quarantine. The process works best where cases are relatively few in number.5 Most countries that have deployed contact tracing successfully during this epidemic have maintained relatively low case counts. Some countries have in-depth experience with contact tracing from SARS, MERS, Ebola, tuberculosis, and other infectious diseases that disproportionately affect lower-income populations. Other countries have no such experience. Either way, however, to begin a contact-tracing program in an environment defined by hundreds or thousands of daily confirmed cases is a daunting proposition—especially since known cases represent only a fraction of the total.
We can, however, draw on the experience of the West Africa Ebola outbreak of 2014–16, which was the largest Ebola epidemic in history. Initial contact-tracing efforts could not cope with the scale of the challenge. Eventually, programs were built out and became a key factor in ending the outbreak. The number of cases of COVID-19 is more than 100 times that of the Ebola outbreak, but many of the countries worst affected by COVID-19 have far more resources than do Guinea, Liberia, and Sierra Leone, where Ebola was most concentrated.
The experiences in low-income settings are highly instructive. One important lesson is that the perfect must not be allowed to become the enemy of the good. A minimum scale is required for contact tracing to be effective, but a program need not identify and isolate every contact to slow transmission. COVID-19 will unfortunately be with us for many months to come, so countries should think of contact tracing as a medium-term investment. They will strengthen and improve their program over time, as one important tool in the overall set of solutions. The more effective the program, the fewer the sick, and the greater the level of economic freedom society will enjoy.
The private sector will play a bigger role than in prior contact-tracing efforts
Public-health institutions have led contact-tracing efforts in most past disease outbreaks. The global scale of the COVID-19 pandemic makes it a unique crisis with many parts. It has, for example, expanded into domains where the private sector plays a more prominent role in healthcare. To address the sheer number of cases in particular areas, authorities are assembling many partners, including from the private sector, in contact-tracing efforts. The use of technological enhancements is also drawing in companies with an array of specialized capabilities. Private healthcare organizations and employers are playing an important role in both testing and tracing. The complexity of those invested in controlling this pandemic creates both challenges and opportunities for contact tracing (Exhibit 3).
In the United States, contact-tracing efforts under way in Massachusetts and California are supported to varying degrees by private-sector companies, including private healthcare institutions.
In Massachusetts, a more centralized statewide effort is being rolled out, in which private and public partners have come together. Participants include the state’s COVID-19 Response Command Center, Executive Office of Health and Human Services, Department of Public Health, Commonwealth Health Insurance Connector Authority (CCA), Partners In Health (a nonprofit with global contact-tracing experience), Salesforce, local health departments, and others. The Massachusetts League of Community Health Centers, Blue Cross Blue Shield, and other groups are starting to support the contact-tracing plan directly.
In California, statewide tracing efforts were just announced, but around the state, collaborative efforts have already begun. On the testing side, the governor announced the creation of 80 to 100 high-throughput testing sites, working in partnership with OptumServe and other organizations. Also announced was a program to train up to 10,000 contact tracers. Kaiser Permanente, a managed-care consortium, and other private healthcare institutions are establishing facilities to process 10,000 daily tests. This capability will become a critical link in high-efficiency contact-tracing programs.
Prior to broader announcements, counties and cities in California began to act. In San Francisco, a number of organizations and institutions, public and private, have come together to support tracing, including the city health department, the University of California at San Francisco, and Dimagi, a tech company. Participants in these collaborative efforts are providing diverse support, including testing, tracing, training, technical guidance, and technology.
Globally, employers can be seen taking a more proactive approach to testing and contact tracing, to ensure the protection of their own workforces. This approach has been taken mainly by organizations and institutions with significant resources, such as Fortune 500 companies, those that must operate in congregate settings, such as universities or nursing homes, and those that operate essential services, such as pharmaceutical manufacturers or healthcare providers.
These efforts usually include HR or a central health team that encourages employees to self-report if they have symptoms or a positive test. The team swings into action in the event of a confirmed or presumptive case. It identifies and notifies other employees (and sometimes contractors, customers, or visitors) who may have been in proximity, making recommendations for isolation or quarantine. Some employers are considering treating employee families and even local communities. Employers designing such programs should consider how their efforts would best fit with the broader public-health effort against COVID-19. Other considerations include privacy concerns, legal constraints, and local regulatory compliance. On a practical level, planners would have to determine the data, technology, and people needed for identification, notification, and follow-up monitoring and support.
The promise and challenges of technology
In the context of contact tracing, technological solutions can increase productivity, limit exposure of the workforce, and lower costs. They can also increase the speed of response, which modeling shows to be critical to the overall success of contact tracing. In South Korea, for example, automated tracing helped reduce the amount of time spent on each case from one day to ten minutes. However, the technology has also raised privacy and civil-liberty concerns.
Around the world, technology is being deployed in all parts of the contact-tracing process, in identifying and notifying contacts, providing follow-up monitoring and support, and even alerting contacts when the status has changed. The following examples are simply descriptions of how technology is being used; we make no endorsements of particular uses, tools, or approaches.
Identification. Those afflicted with COVID-19 and their supporters are using technology to identify contacts, entering names into lists or using digital data to create such lists. Massachusetts uses a back-end system to enter and keep track of contacts. In Nigeria, surveillance officers and others are using a system developed for the contact-tracing of polio. On the higher end of the technology spectrum, some countries are using digital data in applications that help automatically identify contacts by GPS or Bluetooth technology. In some of these countries, like Iceland, the backbone of the response was still manual contact tracing. By the time the application was rolled out, up to half of the diagnosed cases had already been in quarantine, a good illustration of how digital and manual contact-tracing solutions can support one another. (Iceland is also supporting isolation cases digitally with an AI-powered remote-care app.) Apple and Google’s collaboration on a Bluetooth-based contact-tracing application program interface (API), to be released in May, will likely increase the attractiveness of more tech-enabled approaches to supplement current efforts.
Notification. Technology is also being used to notify contacts and to generate anonymized mapping to notify the public of high-risk areas. (This helps reach those without access to mobile apps.) Often the contact notification is directly built into the identification system, so those who are identified are automatically notified. Some technologies offer both notification and mapping functions, such as MIT’s Safe Paths. The MIT solution comprises both a smartphone application (COVID Safe Paths) and a web application (Safe Places). Digital contact tracing uses overlapped GPS and Bluetooth trails, which allow an individual to check if they have crossed paths with someone who was later diagnosed with the virus. On Safe Places, public-health officials can redact location trails and broadcast location information, with privacy protection for carriers.
Monitoring and support. A number of technological solutions are being used for monitoring and support. Some allow daily digital check-ins or compliance monitoring. Healthy Together, a support application used in the US state of Utah, allows individuals to input symptoms and can direct people to testing locations as well as share test results.
Among country-level responses, South Korea and China deployed high-tech solutions within centralized data systems, alongside significant human resources.
In South Korea, at-scale testing has been followed by rigorous tracing. The Korea Centers for Disease Control and Prevention, in collaboration with other government agencies, telecommunications, and credit-card companies, launched a COVID-19 data platform. Once a case is confirmed, officials work out the patient’s movements and contacts in great detail, through interviews, mobile-phone data, CCTV recordings, credit-card records, and other sources. The government shares major locations through text messaging and by making location data public, to help people avoid places where the virus is spreading. Millions have downloaded privately developed apps to help them view this location data, including Corona Maps and Corona 100m, which alerts users when they come within 100 meters of a location where an infected person has been.6 South Korea has also launched self-quarantine applications to monitor and support contacts under mandatory quarantine.
In China, the government introduced an app-driven access system to help ensure adherence to local regulations. This is the green-amber-red health-code system hosted by Alibaba’s mobile payments app and Tencent’s messaging app WeChat. Using both self-reported data and data from authorities, the app segments users into three color codes: green (healthy), amber (contact with infected individual), and red (symptomatic or tested positive). Those with green classifications can travel freely, whereas those with amber or red classifications may face travel restrictions and quarantine or isolation requirements.
Some technology-driven approaches have raised privacy and civil-liberty concerns. Some applications will be generally noncontroversial, while others will raise concerns. Worth noting is that some privacy and civil-liberty considerations can be addressed through the design of technologies and the approaches through which they are deployed.
Organizations will have to think through the means by which they will identify individuals and gather, share, manage, and retain data. Bias reduction must be a priority, with due consideration given to disadvantaged groups, including those that may be disproportionately underrepresented or misrepresented by the technology used.
Consent can be an integral part of the process for identification and enrollment. Organizations can indicate directly what data will be collected and how it will be used. Developing data-sharing guidelines, minimizing data collection, and anonymizing and encrypting data can all be done in order to support privacy rights. Clear conditions can furthermore be established on how and when data will be deleted. With these considerations in mind, organizations can aim to use technology to enable a safer, more efficient, and faster response that could support reopening. It will be important to watch how these solutions evolve.
Many public-health assessments and much practical experience indicate that contact tracing has been an essential part of the most effective strategies to control COVID-19. As World Health Organization guidelines make clear, contact tracing is one of three backbone elements to its response to epidemics, along with widespread testing, isolation, and quarantining. There is more to learn as contact tracing is rolled out in additional locations, so leaders should build learning and improvement into their processes from the start. As localities develop and improve their own responses, they must negotiate a delicate path between the urgency of controlling the pandemic, the need for societies to reopen safely, and the privacy concerns that technological solutions continue to provoke.