Dark Reading is part of the Informa Tech Division of Informa PLC


Edge Articles

6/19/2020
12:20 PM
Curtis Franklin

What Will Cybersecurity's 'New Normal' Look Like?

The coronavirus pandemic has forced changes for much of the business world, cybersecurity included. What can we expect going forward?

From the way restaurants operate to how sports are played, many people expect life to operate a whole lot differently in the pandemic's aftermath. The big question for us, though, is what will the new normal be for those in cybersecurity?

"I think it's worth pointing out that there's only two ways security changes: a fundamental change in the business environment – because security is there for business – or if the threat changes," says Bryson Bort, founder of SCYTHE and GRIMM, and co-founder of the ICS Village. "On the first point, clearly business will be different going forward. I think we finally crossed a Rubicon for remote workers, which changes the threat surface."

He's not alone in seeing a dispersed workforce as a significant change agent.

"When we deal with the new normal, no company that I've talked with has plans to bring the full workforce back in 2020, if ever," says Kiersten Todt, managing director of the Cyber Readiness Institute. Even if some critical functions flow back into centralized offices, she explains, it's unlikely that every employee who worked in an office in 2019 will be back in that office in 2021. That will create a "hybrid" workforce for most enterprise organizations.

"How do we secure the hybrid workforce? We combine the remote workforce with the secure workspace," Todt explains. "Creating a unified cyber infrastructure that's secure across the hybrid environment is critical."

For that unified cyber infrastructure to be effective, it will have to satisfy a number of needs.

"We are still looking at the same fundamental issue: balancing user experience with security," says Anton Klippmark, product manager at BehavioSec. But, as other experts have said, those fundamental issues will be dealt with in a changed environment.

"Our new normal is that organizations can no longer have a standard definition and expectation that a workspace is where application access happens," explains Robert McNutt, CTO at Forescout Technologies. He says this shift in definition creates a shift in how organizations must approach protecting the enterprise.

Device Access on the 'Granularity of Our Human Nature'
The move away from the primacy of a central office "... places a large emphasis on [devices], which could be located anywhere in the world, instead of the building or network it came from," McNutt says. "[As a result], organizations will have to rethink their strategies for access control and identity assurance."

Klippmark agrees.

"In the digital world, we've focused more on trusted devices and IP addresses than validating the actual person behind the screen," he says, but that will need to change. "A new normal should be built more around granularity of our human nature instead of binary questions, like whether that particular device has been seen before or not."

It also should ensure every point of access can prove identity, compliance, and configuration assurance, McNutt adds. Any environment that sees two separate vectors – users and applications – coming together at a single point (or device) will see that device become the point of greatest strength (or weakness) in the infrastructure, he says.

Trustworthy IoT
The emphasis on devices reaches its zenith in an environment where the devices don't have traditional users: the Internet of Things (IoT).

"All the things that have made devices insecure are larger," Bort says. "It's not the privacy of the webcam that's the problem – it's the fact that the webcam can be used as a pivot point." The webcam, then, isn't just secured for its own sake but because the small, headless device can so easily become a point of entry into the larger enterprise network.

The security landscape for the IoT has been evolving for some time, notes MediaPRO chief strategy officer Lisa Plaggemier.

"In a new normal, companies will design hardware and software with security in mind, not as an afterthought," she says, pointing out how, in the wake of a series of very public IoT exploits (including last year's Nest camera exploit), vendors have begun strengthening the authentication controls in IoT devices due to customer demand and regulatory pressure. "A new normal would mean security becomes a product attribute that companies market to consumers, and consumers seek it out in the products they buy." 

Privacy Rights for Employees
Another attribute that employees working from home demand is respect for their data privacy. Recent years have seen privacy become a board-level concern, says Robert Waitman, director of Cisco's Security and Trust Organization, and the coronavirus pandemic has only accelerated the move of privacy into the "critical" category.

"The top three concerns are that data might be used for an unrelated purpose, that it might be shared without permission to third parties, and that data only be kept as long as it's needed," he explains.

Most of the attention to data privacy has been given to customer data, but the work-from-home movement has seen the attention expand to include employees.

"The employee protections are different than the consumers' [protections]," Waitman says. "At the core of it, though, employees are people, and so many of the same ideas and protections apply to employees."  

Ultimately, experts agree that the challenges of the new normal also present an opportunity for companies to "get it right" when expanding their security and privacy practices to cover a widely distributed workforce.

"Building trust is critical – now's the time to be building trust," Waitman explains. "This is where companies need to pay attention."

Curtis Franklin, Jr. has been writing about technologies and products in computing and networking since the early 1980s. He has contributed to a number of technology-industry publications including Dark Reading, InformationWeek Enterprise Efficiency, ChannelWeb, Network ...

 

Comments
Mark Darby,
User Rank: Author
6/22/2020 | 5:24:47 AM
Beyond Trust into Certainty?

Trust is absolutely crucial during this extraordinary period of business calibration, but trust in itself may not be enough at the moment; there needs to be more certainty. Every organisation has its own unique circumstances and while instincts tend to veer towards protection during periods of disruption, smart leaders will place equal emphasis on protection and growth.

 

RyanSepe,
User Rank: Ninja
6/21/2020 | 1:58:03 PM
Privacy Rights for Employees
This should be a very cut and dry subject but I think we overcomplicate it. If you have a work asset it should be used solely for work purposes. Whether it be physical or VDI isolation doesn't matter. It's typically part of most organizations' AUP that what you do on company property is subject to review.

If you follow this mechanic then your privacy will remain intact and you have nothing to worry about. If not, then you do so at your own risk.