With employees working from home, enterprise security strategies have to contend with internet-connected refrigerators, decades-old routers and teenagers on TikTok hogging bandwidth.
Personal technology blends with enterprise technology, and data flows between devices, sanctioned or not.
"Our perimeter has moved to a teenager on TikTok," said Jeff Greene, director of the National Cybersecurity Center of Excellence at the National Institute for Standards and Technology (NIST), while speaking on a virtual panel hosted by Palo Alto Networks.
Since the bring-your-own-device movement disrupted traditional perimeter security, organizations have grappled with a new frontier and a broader attack surface. While there are solutions, such as zero trust architecture, strong enough to withstand the obstacles IT is facing, plenty of security challenges remain.
"The enterprise perimeter, whatever that perimeter was in January, that perimeter now extends into every home of every one of our remote workers," said Bryan Ware, assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), while speaking on the panel.
Digital transformation is at the forefront of innovating perimeter security. And in a post-pandemic world, enterprises will reckon with who led their digital transformation efforts: the CEO, CIO or COVID-19. Right now, the pandemic is "the fuel" for digital transformation, said Ware.
CIO meets remote stressors
Most companies had already enabled remote work capabilities; they just hadn't had to do it for every one of their employees in a week's time.
North Dakota's CIO Shawn Riley moved 252,000 people to telework or teleschooling, he said during the panel. The majority of the state's government employees, 65%, had never done remote work. While everyone's virtually overnight shift to remote work was impressive, bad actors noticed.
"Bad guys knew that was happening," said Riley. North Dakota's government went from filtering through about 1,500 weekly cyberattacks to more than 7,000. Of the employees who moved to working from home, about 70 plugged their devices into ISP modem models that lacked firewalls, leaving the devices exposed on public-facing IP addresses.
It's enough to disappoint a CIO, but security mistakes existed before the coronavirus — the pandemic just amplified them.
Before joining NIST, Greene's professional background was in law and on Capitol Hill, and he was ignorant of his own "fundamentally insecure" practices. "My security practices were abominable," said Greene.
Greene didn't view calls or video conferences as data exchanges. He realized that he likely wasn't the only one who thought this, and while the "threshold for all employees is 'use common sense,'" it's not an effective security plan, said Greene. Employees should be able to rate the data they exchange on communication platforms: low-, medium- or high-risk information.
Security should be designed around the average user, the IT professionals, and executive leadership, according to Greene. For NIST, focusing on the individual user was a new perspective, but remote work means IT professionals have to consider home routers, users' personal patching habits and complex passwords.
Legacy tech in important places
Communication tools from the last couple of decades are still floating around, especially in workers' homes. For North Dakota government employees, Riley was stringent. The CIO chose Microsoft Teams as the state's primary communication tool and "effectively blocked" other solutions.
The state still had minor run-ins with security issues, including early "Zoom-bombing" for teleschool. But Riley didn't blame the tools because they were in the hands of users who don't have backgrounds in security. Riley's move to block other tools wasn't easily accepted — "you can imagine how popular I was," he said.
But the decline in cyber incidents evolved into greater acceptance of the prescribed tools. Eight weeks into remote work, security still isn't second nature, but government employees are improving.
In preparation for the technology questions newly remote workers would have, Riley shifted half of his programming team to the help desk. The help center's call volume was up 400% compared to its previous record.
Organizations confronting the reality of a prolonged remote workforce are reassessing their ability to scale remote capabilities. CISA was already using cloud-based services for communications before the pandemic hit the U.S., and now sitting at home, Ware realized how much of their work can be done remotely.
"I expect we'll do more work that's not centralized in the national capital region," with minor exceptions where physical access to hardware is needed, Ware said.
The pandemic forced CISA to prioritize telework products, vendor collaborations, and recommendations. "These are not the kinds of tools we focused a whole lot on before," said Ware.
The pandemic also gave CISA insights into "nuanced parts of our economy" and how different industries are responding to the current environment, said Ware. Identifying critical infrastructure, primarily in the pharmaceuticals branch, that upholds fundamental systems for American life has become "some of the most important work we've done."
The federal government is paying particularly close attention to pharmaceutical research labs, universities and other companies contributing to vaccination development because they are most at risk for intellectual property theft.