Security Staff Acquisition & Development, DevSecOps

How this work-from-home era transformed security awareness, tech development forever

Share
People pass by the Nasdaq building as the screen shows the logo of the video-conferencing software company Zoom on April 18, 2019, in New York City. (Photo by Kena Betancur/Getty Images)

As companies adapt to the work-from-home era, the technologies and the way they purchase products will also adapt. Vendors are seeing an increasing emphasis on product security and the reputation for security of products that will be used outside the corporate perimeter. October may be Cybersecurity Awareness Month, but for the products used in home work environments, enterprise buyers are themselves transitioning to the cybersecurity awareness era.

"What we saw was particularly our commercial customers had to make an unprecedented, very fast shift from a world in which you use things like network-based analysis and physical protection of corporate assets to a world where someone might be pulling a PC out of the closet and connecting into the cloud," said David Weston, partner director of enterprise and OS security at Microsoft. "They had to just work with what they could to keep a business going. But now that we're back up and running and continuity is there, immediately we're seeing folks start to focus on security."

For companies caught off guard by the pandemic, accommodating the need to work from home led to a duct tape and spackle approach to network security. The sudden shifts appear to have lead to the wider use of two major vectors in the ransomware explosion — RDP and VPN. With remote work being here to say, security personnel have started to take the time to harden the new, distributed office set up.

Home offices bring requirements for a huge array of technologies. Video conferencing is here to stay, as are many of the cloud workspaces holdout companies switched to during the pandemic. Home networking equipment, printers and other devices meant to replicate the office are suddenly a security staff's concern, and so might be the home devices likely to share the same networks.

Product security from vendors

Vendors are seeing security concerns permeate procurement culture to the point where even when less infosec-enthralled buyers look at products, they still consider security.

When offering to explain security features, "some people care, some people don't," said Intel business client planning director, Michael Nordquist. "They're just like, 'Hey, I want to make sure that when I buy this PC I'm safe. What do I have to buy?"

But mot of those security questions comes from the enterprise buyers, he said; they have yet to filter down to end-users purchasing for themselves, where security remains a less marketable feature. That would track with HP's data, said Shivaun Albright, HP chief technologist of print security, who said security staff were exercising weak oversight of home purchases. Company polling, she said, found that half of work from home users who purchased a new printer said they installed it without a check from their enterprise's cybersecurity teams.

"There is still more education that needs to be done with end users/hybrid workers on the security front," she said, via email.

To combat rogue home purchases, say vendors, procures have to offer technology that works the way people work at home. Home computing is a more customizable experience where users are more accustomed to using technology in a less stressful way. So it may not be a surprise, then, that employers are beginning to offer more options to their employees for their home office ("We're seeing them offer more choice," said Nordquist, "the sexier system that's not just 14-inches and any color you want as long as black").

Companies are seeing more demand for simplified security for devices, systems and software the home users do not have to fight to be protected by. It can be a critical feature for many security teams who have lost the perimeter around their employees.

"We've conditioned people to use technology so that the general consumer just assumes it works," said Heather Hinton, chief information security officer of the video conferencing platform RingCentral.

"It has to be as usable and as simple as 'push this button,' or people will avoid it just because it's difficult," she added.

Video conferencing apps saw rapid change in demand over the pandemic, as they became the de facto hub for office communications. Their rise in prominence has come with increasing attention to their security. When Zoom, who at one point licensed technology to RingCentral, announced it would provide end-to-end encryption for paying customers, it was quickly pressured into offering end-to-end encryption for all customers. RingCentral is currently running a public beta of E2EE.

Security for internet-connected devices

Outside the domain of traditional IT, working from home exposes business networks to a wide assortment of internet-connected devices purchased for home use. While security might not be top of mind in those purchases, they are somewhere in the middle of the checklist.

"I'm not sure that security features drive the purchase of non-security IT products, but the lack of adequate security controls can trip up a technology procurement process," said Daniel Kennedy, principal research analyst at S&P Market Intelligence's 451 Research.

Some IoT manufacturers, however, are banking on the growth of security as a marketable feature. Being able to market security through ioXt labeling is one of the selling points of the growing ioXt Alliance standards group.

"As ioXt members invest in technologies to strengthen the security of their products, they are eager to promote their efforts to the consumer," said Jan Bondoc, the Alliance's director of information security.

As the market begins to flourish, vendors are turning their attention not just to bolstering security in the short term and building reputations in the long term. With office technology, particularly with no secondary security in place, exposure can mean losing the trust of entire industries worried about regulations and consumer goodwill.

Creating that reputation not only means handling current threats but also predicting future ones, convincing customers that you've already considered what they don't know to worry about yet.

"We have to continually evolve our hardware every year," said Intel's Nordquist. "There's no 'wait until next year, we're going to have this feature, everything's going to be great.'"

This is part of SC Media's special October coverage, in honor of Cybersecurity Awareness Month, spotlighting “security by design”: How different organizations within various verticals recognize their own security practices not only as a necessity, but also as a differentiator. Click here to access all of our security awareness coverage, which will filter out throughout the month.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.