TAG Cyber Survey: Hybrid Work

By Katie Teitler

A mere two years ago, the idea of “hybrid work,” that is, working partly in a dedicated corporate office environment and partly from various and fluctuating remote locations, was the privilege of a select few. While remote work had more than taken hold in the corporate world by that same time period, hybrid work wasn’t yet part of the corporate lexicon.

When COVID-19 hit in full force in the United States, starting in March 2020, offices were shuttered and workers were forced into their living rooms, dining rooms, basements, and even bedrooms as their new work environments. Coffee shops weren’t open for a change of scenery. Business travel had ground to a halt. Businesses were operating at near 100 percent remote capacity wherever and whenever possible.

As signs of improvement arose, especially following the release of COVID-19 vaccines, some office workers tentatively started returning to office environments for at least part-time in-office work. Today, in Q4 2021, as we weather the roller coaster of COVID cases in the U.S., 61 percent of organizations report that their workforces continue to function remotely, according to a recent survey of 258 IT and security professionals conducted by TAG Cyber. (Figure 1)

When broken down by company size, organizations with 1,000-4,999 employees have more employees working remotely than any other category (29.5 percent of those companies have more than 51 percent of employees working remotely).

However, when looking at companies with 91-100 percent of employees working remotely, smaller companies, those with 100-999 employees, report the highest percentage of employees working remotely (41 percent of those companies have more than 90 percent of employees working remotely).

Looking ahead to 2022, hybrid work seems to be the future. To level set, according to TAG Cyber’s definition, hybrid work differs from remote work in that hybrid workers function part time in the corporate office environment and part time in other, remote locations. Remote work, in contrast, means that the preponderance of time is spent working in out-of-office locations. This does not mean that remote workers will never visit the corporate office, nor does it mean that their working location will be static. However, remote workers are likely to have a dedicated office and spend the majority of their time working from there.

When it comes to post-pandemic working conditions, 60 percent of our survey respondents said they expect fewer than half their companies’ employees to work remotely when offices are able to reopen. (Figure 2)

Smaller companies, those with 100-999 employees, are the least likely to anticipate remote and hybrid work. By contrast, companies with 5,000-9,999 employees and those with more than 25,000 employees are anticipating a higher percentage of remote workers in the coming months.

And again, fully remote work is different from hybrid work—where workers are coming in and out of the office and potentially working from various remote locations on their days outside the office, as well as potentially using unmanaged devices to conduct work when they are out of the office. These factors introduce additional risks when combined with a return to the office.

When it comes to the remote work structure alone, a clear majority of our respondents say they are fully prepared for the cyber security implications. Fully 80 percent said they already have a remote cyber security strategy in place, and an additional 12 percent said they are working on it. (Figure 3)

A strategy is one thing, but the ability to execute on that strategy is everything. Far too often in security—whether it concerns remote or hybrid work—operationalizing plans is a major challenge. Companies lack such essentials as the necessary in-house security expertise and the budget to hire more internal staff, to hire outside experts, or to acquire the appropriate tooling. IT and security professionals may lack the power to affect business decisions that would improve security posture.

One area that they are operationalizing, when it comes to remote and hybrid work, is the management of unmanaged devices like personal laptops, phones, IoT devices, and tablets over which the security team has little to no visibility or control. This is especially true of access to SaaS applications that are now used in business settings. (Figure 4)

According to our respondents, nearly 40 percent of companies draw a line in the sand when it comes to personal and/or unmanaged devices accessing corporate resources. Thirty-four percent said employees are allowed to use non-work issued devices, and another 27 percent said employees can use personal/unmanaged devices for work purposes, depending on the security hygiene of the device. The latter, of course, relies on the company deploying and using appropriate endpoint/device management tools and access controls—not to mention the onsite (or contracted) staff to do so.

We were remiss in our survey design, though, and this potentially calls the results of this answer into question. We should have asked, “How are IT and security departments measuring when and how employees are accessing SaaS applications via unmanaged devices?” Based on our extensive work with enterprises and vendors, we know that a significant number of enterprises do not have full visibility into who or what is being accessed—and how, especially as it relates to SaaS applications.

Getting deeper into the matter of access, the next question was: How are you currently securing remote and hybrid worker connections? Respondents were allowed to choose as many answers as apply. (Figure 5)

Sixty-nine percent are currently using VPNs—an outdated and nominally secure connection method—for remote connectivity.

Tied for second place, at 55.8 percent, are antivirus and firewalls/next-gen firewalls used to help secure employees’ connections into corporate resources. Next is multi-factor authentication (MFA), and five points behind is encryption.

Interestingly, despite the buzz, zero trust network access is currently being used at less than 20 percent of companies. This finding may indicate end users’ understanding that zero trust is not a product but an approach. Or it may signal that, despite all the industry hype of moving toward more secure methods of access, namely continuous verification based on context and identity, end users are not yet ready to move their systems away from a “trusted” architecture.

Regardless, the use of numerous security technologies certainly seems valuable to our survey takers. Fifty-four percent reported that their organizations saw an increase in potential attack activity as a result of remote and hybrid work. This is in light of mandated security awareness training for employees at more than 80 percent of organizations.

Looking to the future and the seeming inevitability of increased hybrid work, only 22 percent of respondents said that they do not expect the number of cyber security incidents targeted at their organization to increase as hybrid work increases.

Of the 78 percent who said attack activity will or may increase, the reasons varied. (Figure 6)

In the clear lead is concern over insecure home/public Wi-Fi, with 24 percent of the vote. With this in mind, it would be TAG Cyber’s suggestion that these organizations implement zero trust access-based controls, increase use of endpoint detection and response (including built-in device hygiene assessment capabilities), and even consider behavioral monitoring (which, incidentally, was the least selected answer to the question about securing hybrid access).

Not surprisingly, respondents again expressed great concern in their answers over the use of unmanaged/personal devices. Yet, more than a third of respondents said that their organizations plan to allow the use of personal devices in the future—perhaps pressured into doing so by non-security/non-IT use cases—and nearly 50 percent said that their organizations will permit employees to manage applications from personal devices while working remotely.

Given the concern about and risks of infected personal and unmanaged devices (Figure 7), organizations must look for enhanced authentication and access options, predicated on identity (both human and machine) which conform to a zero trust approach.

When it comes to the market’s opinion of methods to decrease risk in order to increase cyber security control, 59 percent of respondents said that the solution lies in security education and awareness training (respondents were allowed to choose their top 3 controls). (Figure 8)

TAG Cyber is a proponent of ongoing education in all areas; however, cyber security must be a combination of people, process, and technology (PPT), led by security experts and not left to unsuspecting users as the first line of defense. We were thus pleased to see that email and endpoint security were ranked highly by respondents (45 percent and 41 percent, respectively), followed by strong authentication (MFA and long, unguessable passwords). Network monitoring, a tried-and-true method of identifying suspicious behavior, fell in the middle of the pack, while secure access service edge (SASE), a category gaining tremendous attention in the vendor community, fell to the bottom of organizations’ choices for enhanced security control.

Though this question could have included multiple additional areas of control (TAG Cyber tracks 130+ categories of vendor products), no respondent chose them as a write-in option. With all of the choices on the market, it’s a good thing that our survey takers anticipate increased cyber security budgets (72 percent) to tackle the new paradigm of hybrid work.