My Experience During the COVID-19 Outbreak in China

by Yan Liu, Managing Director, atsec China

During the period of the novel coronavirus (COVID-19) outbreak in China, I, and many others, have cancelled parties with family, friends and colleagues—even during the traditional Chinese Lunar New Year. We have also decided to work remotely with atsec colleagues, customers, and partners. This gave me more time to think and learn, and I wanted to write something about my experience during this unique time.

I don’t believe that my education and knowledge can provide too much help for others regarding the current epidemic situation. The major contribution for changing the situation will be made by health organizations and centers for the control of disease.

Though there is a lot of information and many perspectives available through public media, I would like share my personal experience as well as the experience of the company just to keep a sort of public record of the event. This could also be regarded as a lesson-learned for our Business Continuity Plan, especially for other similar small professional service businesses like atsec.

1.     Safety and Health are the Only Priority
On January 26, 2020, the second day of Chinese Lunar New Year, we learned from the news of the breakout of COVID-19 in Wuhan, and that the situation was getting worse. After a conversation with a few colleagues, we informed the whole atsec China team that it would be better to work from home and reconvene after the Chinese New Year holiday, though we did not set a date when to come back to the office.

As of today, the whole atsec China team is still working from home.
We put the working-from-home plan into effect immediately, knowing that some of our colleagues still stay at their hometown in order to see their families during the Chinese new year, and it would not be safe to meet or take public transportation.

It was unknown at that moment, when life would go back to normal. At the same time we were putting our plan together, the government ordered a delay in returning to work after the New Year holiday and suggested that everyone stay home and avoid contact with others in order to better control the spread of the disease.

We are confident that the virus will be defeated, the problem is that nobody really knows how long it will take.

There were no traffic jams on the road, and no children playing in the park. Communication is mainly online.

On February 2, 2020, at 20:20 (note the sequence), a colleague suggested we take a group photo of the atsec China team in the cloud. As one colleague said, we looked serious but strong.

I then considered reporting the status of our safety to our other atsec colleagues outside China, as they might have been worried about us as well.

As I hesitated to start, we started to receive message and greetings from all our atsec colleagues around the world. The first message was from our CEO: “Please use all possible precautions. If you think you need to have all the people working from home and avoid using public transportation to come to work or customer meetings please do that.”

I assured him that our China team and families were safe at home. I also mentioned to my colleagues in other countries to please stay safe and take care, although the center of the virus outbreak was (at that time) far away from other countries.

As days go by, the team has had quite a few talks regarding the potential adjustment of scheduled
meetings.

2.     Home Office: Work remote, Work Smart!
Based on our experience and the nature of the business, working from home did not represent a major challenge. The team is used to working from home from time-to-time, though it meets regularly in the office for meetings or on-site testing.

Our policies and procedures for “working from home” needed just a slight update. All our security measures were already in place during normal operation including, but not limited to, account security management, VPN access to critical assets, encryption and decryption during communication, disk encryption, security of personal devices, and more.

No changes were required from all other colleagues from Shenzhen, Shanghai, and Guangzhou, who are already used to working remotely.

We did put off our regular face-to-face weekly and monthly meetings and moved to regular online meetings starting February 2, 2020.

During this time, we realized we miss each other.

Throughout the course of our online meetings, we shared our experiences on how to work from home more efficiently.

The following diagram, though it does not include details, represents the way we plan to work remotely.

A few members of the team would be open for video conferencing during online meetings, and even dress formally while video conferencing with customers.

An internal training server was established within atsec China in order to allow all employees to study the most recent information shared by other team members based on each person’s own schedule. We have also organized internal training and an exam for one of the recent security standards.

We used this situation as an opportunity to improve our internal methodology, tools, service level, and how we can provide assessment services to our customer efficiently (remote and/or on-site work). We have more time to improve our know-how and work on new qualifications.

From our colleagues’ reaction we all realize how confident the team is in working efficiently and securely from home, though at the same we are looking forward to being back in office soon.

3.     Industry impact
In the long term, we believe that this event will have very little impact on our industry and services. On the contrary, we think more attention will be given to security implementation, compliance, and assessment.

Public safety and security are different topics, though both use the same Chinese symbol “安全”. However, after this event, we think China and society overall will put more emphasis on topics such as: business continuity, incident (or emergency) response, compliance to regulation and standards, overall quality, and more.

In the short-term the outbreak might impact industries such as catering and tourism (hotels, airlines).
Cash flow might become an issue, especially for those small and mid-size companies which normally keep only a limited cash flow for running the business (e.g. less than three months). They might need loans in order to survive during this unique period. Things might be easier for companies which might have a better way to manage cash and have a long-term business plan. atsec China, has always managed to have a considerable cash flow and there will be not an issue.

Our business focuses only on independent security assessment and consulting services, and there will be no need for financial support from any organization. On the service side, most of our customers (e.g. payment service providers, merchants, banks, software vendors, etc.) have already started working with atsec remotely.

Although on-site work is necessary, most of our assessments and consulting services can also be provided remotely via interview, observation, and evidence examination. We have also improved our methods of working with customers via remote communications.

Normally from two to three days, up to a week, of on-site work is needed for a normal compliance assessment project. I expect a more efficient on-site communication practice could be considered after this period in order to save effort and cost for both the assessment team and assessed entities.

I have learned that most companies will probably consider reducing costs (e.g. their recruitment plan could be adjusted) in 2020. But so far few entities have considered reducing the budget for information security.

In addition, good habits of diligence and frugality are always a good thing.

4.    Face to face meetings vs Webinar
Face-to-face communication is always important in our business. atsec China planned to organize the 2020 China Payment Security Workshop in Chengdu on the 27th and 28th of March. Starting in November 2019, our team has set preparations for the event such as guest invitations, conference locations, hotel, transportation, presentations, and more.

In the middle of February, we cancelled the event and changed to an online event providing training free of charge. The first online training will be held on the 28th of February, 2020. We will provide an overview of the Payment Card Industry (PCI) security standards family, the Software Security Framework, and share our experience on PCI Data Security Standard (DSS) compliance. The next training will be on the 13th of March, 2020, with topics ranging from PCI 3DS, to PIN security and Point-to-Point Encryption (P2PE).

We have decided not to attend an industry meeting organized in Europe in the beginning of March. We are unsure whether a member of the atsec China team will be able to attend a conference later in April. I am looking forward to more face-to-face communication and meetings soon after this period.

Final Comments
We are expecting this uncomfortable situation to be resolved before summer so the atsec China team can celebrate the atsec 20th anniversary with the rest of our atsec colleagues in Europe.

Last and not least, I would like to express my appreciation for all of colleagues, family members, friends, customers, and partners who have given me support and courage during this difficult beginning of 2020. Last and most importantly, I want to take this opportunity to thank all the medical workers, who are currently helping patients, fighting the disease and protecting our health. To them I would like to express my heartfelt gratitude and highest respect.

Written by Yan Liu
Midnight, 24 February, 2020, in Beijing