In early March 2020, a Gallup poll showed that 31% of workers had worked remotely during their careers. One month later, more than 60% of those surveyed reported working remotely. Though remote work has been a slow but steady trend that many experts have long pointed to as the future of the workforce, the trend was inarguably fast-tracked when COVID-19 was labeled a global health pandemic and worldwide shutdowns prevented millions of workers from going into an office or company facility.
U.S.-based Enterprise Technology Research (ETR), which surveyed about 1,200 chief information officers from around the world across different industries, found that the percentage of workers around the world who permanently work from home doubled in 2021 as productivity increased during the COVID-19 pandemic.
While remote work has certainly gotten plenty of attention, as the COVID-19 pandemic continues and companies, cities, states and countries emerge from varying lockdowns and restrictions, another working model is getting attention and is thought to have a firm place in the future of the workforce: the hybrid model.
The hybrid workforce is being explored by companies around the world as they grapple with different restrictions while trying to give workers flexibility and stay competitive in today’s environment. Microsoft, Google, Ford and Citigroup are some of the high-profile companies offering many of their employees a hybrid work model for the foreseeable future. Hybrid models vary significantly, but employees may go into the office one to three days per week, while working from home or remotely on other days.
Omdia’s 2021 Future of Work survey found that 36% of employees report being primarily home- or remote-based with minimal time in the office going forward. Twenty-four percent of employees are going to be permanently based in an office working at a dedicated desk, with 22% of employees embracing a more hybrid work style going forward.
As enterprises around the world determine what the future of their workforce will look like, security leaders must focus on securing assets, data and employees wherever they work. The key for security leaders focused on enabling business and operational continuity is to provide safety and security without impeding employee productivity and organizational communications.
Should organizations view hybrid employees as employees who work from home sometimes or employees who work in the office sometimes? Well, that paradigm, just like many other approaches to securing the future workplace, needs to shift, according to Beau Oliver, Vice President, Strategic Innovation Group at Booz Allen. “The hybrid workforce is definitely something that’s going to be sticking around. The dynamic of how to approach security certainly has to change too. There really is not a full-time, on-prem employee that leaves all of their devices at the office at the end of the day, and so we need to shift our paradigms now and adapt to this new reality,” Oliver says. “You want to be forward-thinking and push the boundaries for the value that [a hybrid or remote work environment] provides, but you’ve got to be proactive in mitigating and defining those threats that are ever-evolving.”
One of the problems from a security standpoint with a remote or hybrid work model, of course, is securing people and assets outside of the physical protection of the office environment. “Users have potentially expanded access to data, while at the same time the organization has limited insight into how it’s being used, where it’s being used and what security configurations remain,” says Jason Myers, Principal/Director, Strategic Innovation Group, Booz Allen.
It’s also easy to lose focus on what exactly you are trying to protect. In a distributed work environment, the goals of the company and the goals of the employees must be carefully aligned.
Two key concepts that security leaders need to embrace in today’s work environment are flexibility and contextual awareness, Myers says. Traditionally, he says, security has focused on static responses and procedures, but a changing work environment requires a change in approach. “Security must adjust to users’ changing risks. A hybrid workforce has different risks in different spaces under different conditions, so having informed, dynamic security protection and protocols that can change to all those situations is fundamental,” he adds.
A need for flexibility was not born from the COVID-19 pandemic or the accelerated shift to remote and hybrid work, however. Rather, the circumstances of the past two years have created a sense of urgency for flexibility within security and the enterprise as a whole. Myers says the days of security getting to say “no” to a solution because it was an unknown or difficult to secure are gone. Though not a new concept, many security teams still need to focus on enabling the business. “Plan for the new vulnerabilities, because they are going to emerge,” he says.
Contextual awareness is just as important as flexibility in a hybrid work model, Myers says, and it comes down to providing an organization with the intelligence needed to make informed decisions. For security leaders, one of the inherent difficulties with remote work is maintaining visibility on devices, people and their vulnerabilities from a distance. Being context aware is critical for security programs to manage insider risk and keep tabs on potential holes within an organization’s security posture.
In the hybrid work environment, Oliver says, security leaders can rely on automation tools for their security operations centers to provide rich analysis of the security landscape, as well as automatically enforce security policies and responses based on an individual’s behavior, the device connected to the network or more. “A large percentage of any of your data loss or security risks are based on human error. Add a remote work environment, and now it really relies on that user enforcing security across all their devices. Without automation, it creates an exponential amount of risk,” Oliver says.
Myers adds that automation as a security operations center tool — particularly at the endpoints — allows organizations to push some decision-making abilities to the edge. For example, if an employee violates a network policy, uses a device they shouldn’t use, or performs a certain anomalous activity such as downloading a significant amount of sensitive data offline, automation can take action on that device or network and block removal of the data, disable USB ports or temporarily halt the network connection.
“Ensuring your organization’s devices are in a trusted state before accessing the network and automating compliance solves many problems exposed or exacerbated by remote access,” Oliver summarizes.
Though much has been said both for and against a bring-your-own-device (BYOD) model in the hybrid environment, with its seamless flexibility within an employee’s life and work style, both Myers and Oliver say that organizations should instead focus on supplying all the devices their employees need to get the job done, so they don’t have to use their own personal devices for work.
“Personal devices are certainly a battle, and one of the biggest challenges is that, at the end of the day, there is limited visibility and so many limitations when it comes to personal devices,” Myers says.
“Ultimately, it should be the responsibility of the organization to arm employees with the right tools to do their jobs. It’s very difficult to offer security in a BYOD environment,” Oliver says. “I am a bigger fan of asking, ‘how can we provide security when you take this device home?’”
In the end, organizations should build a security posture based on a fundamental understanding of what they are trying to solve and accomplish, while understanding their vulnerabilities and risks. Rarely is the problem solved with a single approach, one technology or one solution, according to Myers.
“If any security leader thinks they can fix their security posture with one tool, they are in for a rude awakening. A single tool will not solve that. It must be a holistic approach.”