Is Your Office Really Secure?

The Shifting Landscape of Work and Cybersecurity

Over the last eighteen months, a significant number of employees have benefited from greater flexibility and an improved work-life balance due to the widespread adoption of remote work, a change prompted by the pandemic. A substantial majority are keen to maintain this arrangement, as it eliminated lengthy commutes and unproductive meetings; Buffer’s 2021 State of Remote Work report indicates that over 97% of employees desire to continue remote work, at least on a partial basis.

Return to Office Demands from Companies

However, many companies, including prominent technology firms, are expressing differing viewpoints and are beginning to require employees to return to the physical workplace.

While the primary rationale often cited for this return centers on the need for enhanced collaboration and social interaction, another justification employers may present is heightened security. The pandemic has coincided with an unprecedented surge in cybersecurity threats, ranging from phishing schemes exploiting COVID-related anxieties to ransomware attacks that have paralyzed entire organizations.

Cybersecurity Concerns and Remote Work

Research conducted by Tessian and shared with TechCrunch reveals that, despite no attacks being directly linked to remote work, 56% of IT leaders believe their employees have developed less secure online behaviors while working from home. Furthermore, 70% of IT leaders anticipate that employees will be more likely to adhere to company security protocols concerning data protection and privacy when working in a traditional office setting.

Matthew Gribben, a cybersecurity specialist and former GCHQ consultant, stated to TechCrunch, “Although this was an existing concern before the pandemic, I believe many organizations will leverage security as a pretext for bringing people back to the office, potentially overlooking the cyber risks they already face.”

He further emphasized, “As demonstrated by the Colonial Pipeline attack, a single user account lacking multi-factor authentication can disrupt your entire business, regardless of the user’s location.”

Exploitation of Cybersecurity as a Rationale

Will Emmerson, CIO at Claromentis, has observed instances of companies utilizing cybersecurity as a means to expedite the transition back to in-person work. He notes, “Certain organizations are already employing cybersecurity as a justification for requiring team members to return to the office.”

“This is frequently observed in larger firms with outdated infrastructure that relies on a secure perimeter and has not fully embraced a cloud-based approach.”

Differing Approaches Based on Company Size

Larger companies may attempt to reinstate traditional 9-to-5 work schedules, but smaller startups have largely embraced remote work as a permanent solution. Craig Hattersley, CTO of SOC.OS, a BAE Systems spin-off, explains to TechCrunch that larger, more risk-averse companies, who “reluctantly allowed staff to work remotely during the pandemic, will readily seize any opportunity to revert to their previous policies.”

He adds, “While I concur that some companies will cite increased cybersecurity threats to mandate a return to the office, the size and nature of the organization will dictate their strategy. A perceived lack of direct oversight of employees by senior management could foster a fear that staff are not adequately managed.”

The Evolving Threat Landscape

While some organizations may use cybersecurity as a reason to bring employees back to the workplace, many contend that the traditional office is no longer the most secure environment. Businesses have significantly upgraded their cybersecurity measures to accommodate dispersed workforces over the past year, and hackers are now increasingly targeting those returning to post-COVID offices.

Dr. Margaret Cunningham, principal research scientist at Forcepoint, asserts, “There is no assurance that an individual’s physical location will alter the course of increasingly sophisticated cybersecurity attacks, nor will employees necessarily make fewer errors simply by being within an office building.”

The Inevitability of Hybrid Work Models

Some businesses may strive for a complete return to the workplace, but this is becoming increasingly impractical. After eighteen months of remote work, many employees have relocated, while others, having experienced increased productivity and reduced distractions, will resist a full return to daily commutes. Recent data indicates that nearly 40% of U.S. workers would contemplate resigning if required to return to the office full-time.

Consequently, most employers will likely need to adopt a hybrid approach, allowing employees to work from the office three days a week and remotely for the remaining two, or vice versa.

Adapting to the "Work From Anywhere" Paradigm

This shift inherently diminishes the validity of the cybersecurity argument. Sam Curry, chief security officer at Cybereason, tells TechCrunch: “The emerging hybrid phase presents a unique set of risks compared to those companies previously faced.”

“We’ve transitioned from working in the office to working from home, and now it’s work from anywhere. Assume all networks are compromised and adopt a least-trust perspective, continually reducing inherent trust and incrementally improving security. To paraphrase Voltaire, perfection is the enemy of good.”