The Security Implications—and Unexpected Advantages—of Hybrid Working

It’s been over two years since offices around the world closed their doors, sending employees to work from home to ride out a series of pandemic lockdowns. Those two years saw a succession of commands to close, reopen, close again, and reopen again, during which office workers in many industries embraced remote work and the benefits of eliminating the commute and providing a better work-life balance. And now many organisations have settled into a happy middle ground, embracing a range of “hybrid” work models.  

But it is quickly becoming apparent that desk location is not the only variable in “hybrid” working models. Devices, applications, even personas, identities, and organisational structures are now hybrid, leading to the inevitable emergence of new security challenges.   Today hybrid approaches are being driven by demands for flexibility and agility, but—if we get it right—hybrid work environments have the potential to unlock topline business benefits and create a significant competitive advantage.

In order to understand the opportunities of “hybrid” models let’s first consider the implications for security:

Hybrid locations

This is the one we are most familiar with from trends articles. We are seeing reluctance from many employees and organisations to return to a traditional office environment five days a week. For security professionals, a fixed environment is one that you can put physical perimeter security around, and somewhere that the networks are known and trusted. When employees access systems outside of that highly provisioned and secure environment there are potentially additional requirements to secure access networks. Life gets more confusing because “home workers” have become “remote workers,” with the new label emphasising that the location of each individual can change day-to-day. 

Hybrid devices

Before the pandemic, the security concerns around mixed-use devices were focused on personal devices being used for corporate purposes; bring your own device (BYOD). The last two years have seen corporate devices increasingly used for personal purposes – whether it was taking some of the load for homeschooling or just providing a crutch for video-based social lives during lockdowns. Indeed some organisations had to quickly provision employees with laptops and mobile devices to enable work to continue away from the office. New habits are easily formed and we should expect that the laptops and mobile devices will remain with staff members, available for personal and out-of-hours use as well as for work.  

Hybrid applications and services

Remember when the applications you used for your job were markedly different from the ones (if any) that you used at home? Nowadays, productivity apps are in daily use for both work and personal purposes. Non-approved software and unmanaged cloud services are in daily business use by a significant proportion of any workforce—in fact Netskope Threat Labs data suggests that 97% of cloud apps and services in use by the average organisation are classed as shadow IT, unmanaged. More complexity comes from the fact that the managed apps in use in an organisation (Microsoft and Google cloud apps, and SaaS and IaaS services like Box or AWS) are also available as consumer products. If the same device is being used to access work and personal instances of the same cloud service this is something that the vast majority of legacy security systems are unable to spot or control. 

Hybrid workforces

To stay competitive, organisations often need to rapidly reduce or quickly expand personnel, engage in a new outsourcing or contractual relationship, expand into new markets by growing organically or inorganically through mergers and acquisitions, or even leave some non-core activities behind through divesting. The workforce is no longer a single entity that can easily be governed through uniform policies. It is a hybrid mix of contract types, governed by a range of national laws and customs, supported by heavy partnership and outsourcing approaches.  Each of these segments of the workforce requires different levels of access to systems and potentially access privileges that change regularly too.

So hybrid is not just desks; it is people, devices, applications, services, and locations, and each of these points to a requirement to rethink security in order to mitigate risk and support productivity. In order to secure these new working models, we need to turn to a Security Service Edge (SSE). SSE is a cloud-native, data-centric security stack driven by a consistent coherent policy with unified reporting. It includes secure web gateway, cloud access security broker, remote browser isolation, firewall-as-a-service, zero-trust network access as well as security posture management: all the services you need to enable and secure data wherever it ventures, into cloud apps, over the internet, and into private data centres. The location of your employees, sub-contractors and partners, the devices they use, the unmanaged apps they try in their constant quest for productivity… everything is seen and those insights are used to govern policies to secure data appropriately.  

But this is where we get to the really interesting proposition… because while organisations tend to come to SSE reactively, driven by a desire to modernise established security use cases, it sets up an organisation for much greater agility and flexibility in the future. Once you have a security architecture that can protect data wherever it travels, one that enables continually adaptive trust decisions, your business can bend and flex, expand and retract in direct response to the challenges and opportunities it faces. Hybrid models of working are today’s new challenges, and they are driving a complete rearchitecting of security to be cloud-native and data-centric. But once security is cloud-native and data-centric, you’re ready for anything that comes next!