As the response to COVID-19 continues, many companies in America and across the globe are preparing to restart operations, but it won\u2019t be business as usual.\n\u201cThe workplace we return to is going to be dramatically different. The new reality will drive a different approach to the way companies think about their security architecture,\u201d said Tony Buffomante, co-leader and principal of KPMGs global cybersecurity practice.\n\u201cTo deal with immediate needs, some organizations are considering temperature checks and contact-tracing apps to keep the workplace safe,\u201d Buffomante said. \u201cBut implementing these measures while maintaining legal requirements for privacy and security is a tough nut to crack. Unless they can overcome these hurdles swiftly, businesses may need to put screening programs on hold,\u201d he said.\nOrganizations must also manage the security implications of a huge increase in remote work. In the wake of COVID-19-related business losses, many plan to switch more workers to permanently off-site positions. Those who do come in will be offered more remote options to accommodate for social distancing in once-crowded offices.\nThe shift to remote work has vastly broadened the attack surface, and cybercriminals have been quick to seize the advantage, luring worried and distracted home workers with COVID-19-related phishing messages and directing them to fake websites where they steal credentials, hoping to worm their way onto corporate networks.\nThese tactics and others will continue after the crisis. Like enterprises, hackers are employing automation to broaden their reach and increase their efficiency. To counter them, many organizations will need to rethink their security models.\nProtecting Yourself in the Cloud\nEven before the virus, the security paradigm was changing. \u201cThe network perimeter was already dissolving, and now it\u2019s completely dissolved,\u201d Buffomante said.\n\u201cSome organizations wrongly assume that by moving to the cloud, they\u2019re outsourcing security. In reality, cloud security is a shared responsibility,\u201d Buffomante said.\nTo protect themselves, companies must correctly configure firewall connections and align data access with their internal security policies, instead of going with the default of unlimited access to corporate data. They should also monitor for suspicious activity, so that if someone logs in from Chicago and tries again from Singapore an hour later, their identity can be verified or their access shut off before a breach occurs.\nMoving to Zero Trust\nManaging cloud settings gets complicated very quickly for enterprises using hundreds of outside apps, in addition to internal clouds. Managing employee devices does nothing to address the information access problem.\n\u201cWe used to talk about devices as endpoints. Now, the human has become the endpoint,\u201d Buffomante said.\u00a0\nBasing security on people instead of apps or devices is the idea behind zero trust, he said, a comprehensive security methodology that uses multifactor authentication to make sure users are who they say they are and follows the least-privilege principal to provide users access to all the tools and information they need to do their jobs, but no more.\n\u201cWith zero trust, organizations categorize their information by risk and business value,\u201d said Buffomante. \u00a0They set up a governance system to enforce granular access rules automatically and in real time for every user, device, and application.\nCentralized management means that when a user\u2019s role changes, access permissions are adjusted once and propagate throughout the organization. The speed and agility of this approach closes security gaps and prevents hackers from breaching dangerous orphan accounts.\nMonitoring is also used, not only prevent unauthorized access, but to collect information about user activity. During certification reviews, this information is passed to business managers. Instead of trying to decipher security hieroglyphics, they see a clear quantification of risk. \u201cThey also learn whether workers are really using the apps they\u2019ve been assigned, giving them insight into how work is performed and improving business decisions,\u201d said Buffomante.\nThere are many different ways to implement zero trust, which includes a mix of technologies companies can adopt at their own pace.\nNo matter how you slice it, an identity-based approach to security offers the best way to meet the future demands of an increasingly remote, multi-device, cloud-based workforce.