The Way Forward: 5 Security Fixes to Support a Hybrid Workforce

In many industries, working from home is here to stay – even as workers are vaccinated and lockdown orders are lifted. A survey from Pew Research Center finds more than half of employees, if given the option, want to continue working from home post-pandemic. Many organizations are also looking at hybrid models that support a mix of at-home and in-office arrangements.

As temporary solutions transition to permanent setups, it’s time to reexamine the security protocols and policies that were put in place to support the sudden shift to remote work in the early days of the pandemic.

“Much of what we did in April and May was a kludge,” says Chester Wisniewski, principal research scientist at Sophos. “Those quick fixes all need to be rearchitected into permanent solutions.”

What does security look like in a hybrid work environment? Chief among the concerns to address is employee use of personal accounts and devices for work.

“A lot of organizations have been allowing employees to use personal devices,” says Wisniewski. “Some people were using Facebook Messenger and WhatsApp, for example, to communicate. That probably puts you in violation of privacy regulations, like GDPR.”

What other considerations should security leaders address to get their policies in line with today’s reality? Wisniewski has five suggestions.

Survey the Situation

Your first step is a thorough audit, if you haven’t done one already, of how your employees are getting their work done. What devices are they using? What accounts are they accessing for communication and collaboration?

“Do a survey of the landscape to figure out where your high priority problems are,” says Wisniewski.

Once you have the information about where your security gaps exist, you can start to identify the appropriate tools to plug them.

Consider Zero Trust

Many large organizations had already adopted Zero Trust technologies before the pandemic. Many mid-sized businesses were taking a closer look at it, but small businesses might not be anywhere near researching or implementing Zero Trust solutions.

Wisniewski says now is the right time to take a look at how your organization can start to deploy some Zero Trust technologies and tools to enhance security for a hybrid workforce. Zero Trust is a security concept and set of tools based on the belief that all attempts to access networks, systems, or data must be verified, regardless of whether they’re coming from inside or outside of the traditional firewall.

“This is your opportunity to start doubling down on investment,” he says. “If you are truly going to be perimeter-less – the time is now.”

Ask for Budget

When it comes to Zero Trust or any other new security initiative, Wisniewski says it is an opportune time to make the case for investment.

“The pandemic is a good excuse to ask for that money. Now we have budget to spend on securing and formalizing things.”

Stop Allowing Shared Devices

Employees did the best with what they had for the last year. But Wisniewski says devices that employees use both professionally and personally cannot be allowed anymore.

If employees have been using company-owned devices for these kinds of personal activities, a return to office part time will also mean they come back onto the corporate network with unsanctioned applications. Make it clear that shared devices are forbidden.

“Shared devices are always a bad idea. If you were allowing that temporarily, it’s time to stop. A work device is for work. It’s not for kids to do homework or for family members to watch Netflix.”

Ensure Patching Happens

Many businesses got away from regular patching and updating of their employees’ work devices while they were remote. And as more return to an office part time, they will bring with them devices that have not been on company Wi-Fi in many months. This poses significant risks.

Wisniewski suggests making a plan now for that re-entry. When devices arrive in the office, restrict them to a dedicated local area network so they can be updated in isolation from the rest of the network. It’s essentially a quarantine for corporate devices.

“As they come through the door, quarantine devices until you know they are protected and patched,” he says.
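The re-entry gate Wisniewski describes can be written down as an explicit admission rule so that the decision is repeatable rather than ad hoc. The following is an added example, not code from Sophos or from the article; it assumes a device inventory that exports, per device, the OS family, the date of the last applied cumulative update, the date of the last check-in to corporate management, and whether endpoint protection is current. The patch baselines, the 30-day check-in limit, and the sample devices are all constructed for illustration.

```python
"""Hypothetical re-entry gate for devices returning to the office.

Assumptions (not from the article): a device inventory exporting, per device,
the OS family, the date of its last applied cumulative update, the date it last
checked in to corporate management, and whether endpoint protection is current.
A device with any failing check is routed to the quarantine LAN for updating.
"""
from dataclasses import dataclass, field
from datetime import date

# Hypothetical policy values: the most recent cumulative update a device must
# carry for each OS family, and the longest tolerated gap since its last
# check-in to management. Real values come from your patch calendar.
PATCH_BASELINE = {"windows": date(2021, 5, 11), "macos": date(2021, 4, 26)}
MAX_CHECKIN_GAP_DAYS = 30


@dataclass
class Device:
    hostname: str
    os_family: str
    last_patch_applied: date
    last_checkin: date
    endpoint_protection_current: bool


@dataclass
class Decision:
    hostname: str
    network: str  # "production" or "quarantine"
    reasons: list = field(default_factory=list)


def admit(device: Device, today: date) -> Decision:
    """Decide which network a returning device may join and record why."""
    reasons = []

    baseline = PATCH_BASELINE.get(device.os_family)
    if baseline is None:
        # Fail closed: an OS family without a baseline cannot be judged patched.
        reasons.append(f"no patch baseline for OS family {device.os_family!r}")
    elif device.last_patch_applied < baseline:
        reasons.append(
            f"patch level {device.last_patch_applied} older than baseline {baseline}"
        )

    gap = (today - device.last_checkin).days
    if gap > MAX_CHECKIN_GAP_DAYS:
        reasons.append(f"no management check-in for {gap} days")

    if not device.endpoint_protection_current:
        reasons.append("endpoint protection out of date")

    network = "quarantine" if reasons else "production"
    return Decision(device.hostname, network, reasons)


def triage(devices, today: date) -> dict:
    """Run the gate over an inventory export; returns hostname -> Decision."""
    return {d.hostname: admit(d, today) for d in devices}


# Constructed sample inventory and reference date for a stand-alone run.
SAMPLE_DAY = date(2021, 6, 1)
SAMPLE_DEVICES = [
    Device("lt-001", "windows", date(2021, 5, 11), date(2021, 5, 28), True),
    Device("lt-002", "windows", date(2021, 2, 9), date(2021, 1, 15), False),
    Device("lt-003", "macos", date(2021, 4, 26), date(2021, 5, 30), True),
    Device("lt-004", "linux", date(2021, 5, 20), date(2021, 5, 30), True),
]

if __name__ == "__main__":
    for decision in triage(SAMPLE_DEVICES, SAMPLE_DAY).values():
        print(decision.hostname, "->", decision.network)
        for reason in decision.reasons:
            print("   ", reason)
```

The gate fails closed: a device whose OS family has no baseline (lt-004 above) is quarantined rather than waved through, and every quarantine decision carries the list of reasons so the helpdesk knows what to fix before the device is re-evaluated.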

Sophos can assist you with infrastructure planning for your full or hybrid office return. Learn more at

Copyright © 2021 IDG Communications, Inc.