Dealing With Viruses, Computer and Biological

In the wake of the COVID-19 pandemic, companies are increasingly calling on employees to work from home. Hospitals, clinics and doctor’s offices are preparing for massive numbers of infections, not only of patients but also healthcare workers. Colleges and universities are sending students home en masse. Sporting events are considering playing in empty arenas. Airlines and other travel sites are suffering massive disruption.

Computer security to the rescue!

Yes, you read that right. A good deal of the effective response to the COVID-19 virus will depend on infrastructure. Reliable. Ubiquitous. Adaptable. Secure infrastructure. For years I have been arguing that we are thinking about information security all wrong. We think of it as a cost—something we are required to spend money on (money that would be better spent on other things like big bonuses, right?) and we have to spend that money to be “compliant” with some damned law or government regulation. HIPAA-HITECH. GLBA. GDPR. CCPA. NIST. PCI-DSS. FERPA. Name your regulation. If all you want to be is compliant, all you will be is compliant.

Well-thought-out information security is not a cost—it’s an enabler. It’s what allows employees to get access through a VPN to sensitive files and documents remotely without increasing (well, without substantially increasing) the risk that the sensitive data will be exposed. It’s what permits access to data on smartphones, iPads and IoT devices. Security enables telework, teleconferencing and online collaboration. It provides the infrastructure for the collection and analysis of data, including data related to infections, spread and containment. It helps identify and secure the entire supply chain, even if that supply chain is disrupted. Security enables consumer access to business online resources such as online ordering, communication and consultation. If you are forced to work from home because of the virus, at least for many industries, this can be done with minimal disruption (provided you still have internet connectivity).

In preparing for Y2K, many New York City-based brokerages co-located facilities across the Hudson River in places such as Jersey City just in case there was a disruption come Jan. 1, 2000. There wasn’t. It seemed like a monumental waste of resources. Except that on Sept. 11, 2001, as the twin towers burned, the existence of colocation sites, hot sites and warm sites limited the disruption and allowed some business activity to continue. Cybersecurity includes cyber-resilience. And that’s resilience to all kinds of viruses—electronic and biological.

Certainly, the COVID-19 disruptions will impact business, and good computer hygiene will not be a panacea. The internet has its own supply chain which may be subject to disruption if there are massive societal disruptions due to the virus. But, for the time being, the mere existence of a secure business connection can help mitigate some of the impacts of physical and biological disruption. Good computer security, including DR/BCP, data mapping, remote access, authentication and access control, perimeter security and the like, enables us to respond effectively.

So stop looking at security as a necessary cost or a necessary evil. It is an essential component of any IT deployment. And hey, let’s stay safe out there!

Mark Rasch

Avatar photo

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 168 posts and counting.See all posts by mark