By Ben TAGOE
Remote and hybrid work are no longer an experiment; they have become the operating model for much of today’s workforce. While flexibility and access to global talent bring undeniable business advantages, they also expand the attack surface and shift the way attackers approach their targets. Traditional security strategies built around office networks and firewalls are insufficient in this new reality, where people, devices, and cloud services form the new perimeter. Security teams must now address risks that arise not only from technology but also from the way people actually work outside the office.
The new perimeter: people, devices, and cloud services
Even as some companies nudge workers back into offices, hybrid and remote arrangements remain central to how work gets done. Most remote capable employees expect hybrid options going forward, and a significant share prefer a mix of home and office days.
From a security perspective the perimeter has dissolved: corporate firewalls and office switches are only a part of the story. Endpoints (laptops, phones, home routers), unmanaged or poorly configured cloud services, third-party SaaS, and human behaviour now define the landscape making it easier for attackers to exploit weak links, whether through phishing, ransomware, misconfigurations or insider mistakes.
Threats we see, and why they matter
Phishing and credential theft remain the most common threats in distributed workplaces, with adversaries now exploiting trusted, compromised accounts and increasingly sophisticated lures. A single successful phishing email can open the door to SaaS platforms, customer records, and financial systems. Ransomware also continues to disrupt organizations by targeting high value vendors and service providers, causing widespread outages that ripple through supply chains. Cloud adoption adds another layer of complexity; misconfigured permissions and poorly secured storage often expose sensitive data to the internet, sometimes without an organization realizing it until it’s too late. Insider risks and third-party weaknesses only compound the challenge, reminding us that in a hybrid world, the weakest link may be a partner or employee working from a living room rather than a headquarters.
A human-centred security approach
These realities highlight the importance of a human-centered approach to security. Controls that frustrate employees often backfire, leading to risky workarounds like using personal email or unapproved apps. Instead, security must be designed with people in mind. Multi-factor authentication (MFA) is critical, but it should be seamless; modern identity solutions and passwordless authentication are preferable to clunky legacy systems. Similarly, secure access solutions that integrate with single sign-on can replace outdated VPNs, reducing both friction and risk. A Zero Trust security model where every request is verified regardless of location fits naturally with remote and hybrid work because it assumes breach and limits damage through continuous validation and least privilege.
Practical steps can be divided into short-term, mid-term, and strategic measures. In the short term, organizations should enforce MFA for all accounts, deploy endpoint detection and response (EDR) tools with automated patching, and harden email by enforcing protocols like DMARC, DKIM, and SPF. Simple but clear policies for bring-your-own-device (BYOD) use can prevent unmanaged devices from quietly bypassing defenses. Within a few months, companies should consider rolling out conditional access policies, implementing data loss prevention (DLP) for sensitive files, and improving identity governance to ensure privileges are tightly controlled. Over the longer term, investing in secure access service edge (SASE) solutions, conducting remote-focused incident response exercises, and maturing vendor risk management programs are all essential to reducing systemic exposure.
Human-centred tips that reduce real risk
Security awareness training is equally important, but it must be relevant and empathetic. A finance employee and a DevOps engineer face different threats, so training should be tailored to their realities. Employees also need reassurance that reporting a mistake will not lead to punishment but to coaching and support. A culture of trust and shared responsibility makes it far more likely that incidents will be reported quickly, reducing both dwell time and damage. The principle is simple: make secure actions the easiest actions. Providing secure, well configured laptops with one click access to corporate resources reduces the temptation for employees to rely on personal devices or unauthorized apps.
Consider a simple attack flow: an attacker sends a convincing phishing email disguised as a tax message, and an employee unknowingly surrenders credentials. Without strong MFA, the attacker gains access to a SaaS CRM and quietly exfiltrates customer data. Later, by exploiting a poorly secured contractor portal, the attacker deploys ransomware to critical backups. Each step of this chain is preventable with layered defenses—phishing detection and simulation, hardware-backed MFA, SaaS conditional access policies, DLP, vendor requirements, and network segmentation. The point is that remote security is not about one perfect control but about overlapping, human-aware safeguards that close off common paths of exploitation.
Measuring success: the metrics that matter
Measuring progress requires meaningful metrics. Organizations should track their mean time to detect and contain incidents, the percentage of endpoints covered by EDR and patching, MFA enrollment rates, phishing resilience scores, and the speed with which critical vulnerabilities are remediated. These measures provide a clearer picture of resilience than compliance checklists alone.
Remote and hybrid work are here to stay, and they are not problems to be solved once but realities to be designed around. Security programs must embrace the distributed nature of modern work by putting identity, device posture, and user behaviour at the center. Organizations that adopt Zero Trust principles, strengthen endpoint and identity security, and invest in continuous awareness will not only reduce their exposure but also empower employees to work flexibly and securely. Ultimately, human-centered security is the key to thriving in this new era: usable, empathetic, and resilient.
The post Security in remote & hybrid work environments appeared first on The Business & Financial Times.
Read Full Story
Facebook
Twitter
Pinterest
Instagram
Google+
YouTube
LinkedIn
RSS