From the way restaurants operate to how sports are played, many people expect life to operate a whole lot differently in the pandemic's aftermath. The big question for us, though, is what will the new normal be for those in cybersecurity?
"I think it's worth pointing out that there's only two ways security changes: a fundamental change in the business environment – because security is there for business – or if the threat changes," says Bryson Bort, founder of SCYTHE and GRIMM, and co-founder of the ICS Village. "On the first point, clearly business will be different going forward. I think we finally crossed a Rubicon for remote workers, which changes the threat surface."
He's not alone in seeing a dispersed workforce as a significant change agent.
"When we deal with the new normal, no company that I've talked with has plans to bring the full workforce back in 2020, if ever," says Kiersten Todt, managing director of the Cyber Readiness Institute. Even if some critical functions flow back into centralized offices, she explains, it's unlikely that every employee who worked in an office in 2019 will be back in that office in 2021. That will create a "hybrid" workforce for most enterprise organizations.
"How do we secure the hybrid workforce? We combine the remote workforce with the secure workspace," Todt explains. "Creating a unified cyber infrastructure that's secure across the hybrid environment is critical."
For that unified cyber infrastructure to be effective, it will have to satisfy a number of needs.
"We are still looking at the same fundamental issue: balancing user experience with security," says Anton Klippmark, product manager at BehavioSec. But, as other experts have said, those fundamental issues will be dealt with in a changed environment.
"Our new normal is that organizations can no longer have a standard definition and expectation that a workspace is where application access happens," explains Robert McNutt, CTO at Forescout Technologies. He says this shift in definition creates a shift in how organizations must approach protecting the enterprise.
Device Access on the 'Granularity of Our Human Nature'
The move away from the primacy of a central office "... places a large emphasis on [devices], which could be located anywhere in the world, instead of the building or network it came from," McNutt says. "[As a result], organizations will have to rethink their strategies for access control and identity assurance."
"In the digital world, we've focused more on trusted devices and IP addresses than validating the actual person behind the screen," he says, but that will need to change. "A new normal should be built more around granularity of our human nature instead of binary questions, like whether that particular device has been seen before or not."
It also should ensure every point of access can prove identity, compliance, and configuration assurance, McNutt adds. Any environment that sees two separate vectors – users and applications – coming together at a single point (or device) will see that device become the point of greatest strength (or weakness) in the infrastructure, he says.
The emphasis on devices reaches its zenith in an environment where the devices don't have traditional users: the Internet of Things (IoT.)
"All the things that have made devices insecure are larger," Bort says. "It's not the privacy of the webcam that's the problem – it's the fact that the webcam can be used as a pivot point." The webcam, then, isn't just secured for its own sake but because the small, headless device can so easily become a point of entry into the larger enterprise network.
The security landscape for the IoT has been evolving for some time, notes MediaPRO chief strategy officer Lisa Plaggemier.
"In a new normal, companies will design hardware and software with security in mind, not as an afterthought," she says, pointing out how, in the wake of a series of very public IoT exploits (including last year's Nest camera exploit), vendors have begun strengthening the authentication controls in IoT devices due to customer demand and regulatory pressure. "A new normal would mean security becomes a product attribute that companies market to consumers, and consumers seek it out in the products they buy."
Privacy Rights for Employees
Another attribute that employees working from home demand is respect for their data privacy. Recent years have seen privacy become a board-level concern, says Robert Waitman, director of Cisco's Security and Trust Organization, and the coronavirus pandemic has only accelerated the move of privacy into the "critical" category.
"The top three concerns are that data might be used for an unrelated purpose, that it might be shared without permission to third parties, and that data only be kept as long as it's needed," he explains.
Most of the attention to data privacy has been given to customer data, but the work-from-home movement has seen the attention expand to include employees.
"The employee protections are different than the consumers' [protections]," Waitman says. "At the core of it, though, employees are people, and so many of the same ideas and protections apply to employees."
Ultimately, experts agree that the challenges of the new normal also present an opportunity for companies to "get it right" when expanding their security and privacy practices to cover a widely distributed workforce.
"Building trust is critical – now's the time to be building trust," Waitman explains. "This is where companies need to pay attention."