Realizing Upsides for Digital Security in the Hybrid Workplace

If and when the COVID pandemic fades into history, the shift toward remote and hybrid work is poised to persist. In an April 2021 Forrester Consulting survey of more than 1,300 security leaders, business executives, and remote workers, 70 percent said their organizations will have employees working from home one or more days a week during the next 12 to 24 months.

Amid its challenges, hybrid and remote work represents a significant opportunity in terms of human capital development. Many employees welcome the flexibility associated with hybrid work, and firms that allow remote roles can recruit without regard to location, increasing their potential applicant pools.

The problem is, we’ve only just begun to grapple with the digital security challenges ushered in by remote and hybrid work. Sixty-seven percent of respondents to the Forrester survey reported they had experienced “business-impacting” cyberattacks that specifically targeted remote workers.

Privacy and security challenges lie at the intersection of technology, human behavior, and policy. For example, as more and more workers are logged in to corporate networks from their homes, workers’ smart speakers, thermostats, or other “smart” devices — and their vulnerabilities — are now part of the virtual work environment.

There are also more opportunities for workers to inadvertently reveal proprietary or sensitive corporate data to others in their household, whether family members or roommates. And in an era of video conferencing, they may also risk revealing protected characteristics of themselves and their household. As a result, hybrid work could lead to a range of novel equity and liability concerns. For businesses operating across jurisdictions, the multitude of policy regimes that govern data makes these privacy considerations even more complex.

For all these challenges, though, the shift to hybrid has plenty of potential upsides. The University of California, Berkeley’s Center for Long-Term Cybersecurity recently published a paper, Security and Privacy Risks in an Era of Hybrid Work, that spells out recommendations for managing many of the emerging privacy and security issues attached to hybrid work environments, based on interviews with security, policy, human resources, and other leaders from private firms and government agencies.

The good news is that the shift to hybrid offers a rare opportunity to break through many of the long-standing habits and assumptions that have negatively impacted privacy and security.

First, firms now have more incentive than ever to move toward so-called “zero trust” architectures, which promise a seamless experience for employees and state-of-the-art digital security for employers. The zero trust model uses both multi-factor authentication and continuous authentication of the users and devices on a network, regardless of where they are located. Until now, many firms have been slow to adopt zero trust given its complexity and the investment required.

But we must do better to bring down the cost and simplify implementation for businesses of all sizes – hybrid work makes even more clear that the old password-based model is no longer a sustainable solution. Industry and government must work together to invest in zero trust and build awareness of its benefits.

Another habit that needs to be broken: conversations about security and privacy between firms and employees need to occur at a deeper level than boilerplate consent agreements or annual compliance-based cybersecurity training. Employees are uncertain about expectations concerning their own privacy in the hybrid workplace, as well as how they might protect firm data.

Solutions include investing in fresh approaches to employee training, creating mechanisms to make a firm’s security and privacy commitments visible in the context of an employee’s hybrid workday, and building coalitions of firms to establish a consensus on expectations for security and privacy. Firms that do engage in a robust discussion around privacy and data protection expectations with employees will reshape norms and improve security while strengthening their relationships with workers.

At a higher level, government investment should be allocated to improve home network security. Through the recently passed bipartisan infrastructure deal (Infrastructure Investment and Jobs Act), the U.S. Federal Government is set to invest approximately $65 billion in broadband to improve internet access, speeds, and pricing, with two-thirds of this funding to be allocated to the Department of Commerce Broadband Equity, Access, and Deployment Program. Broadband is a necessary ingredient for workers in less privileged circumstances to participate effectively in the hybrid labor market, but connectivity alone is not sufficient.

A more refined policy should repurpose some of these funds (or expand the overall pool of investment) to subsidize other parts of the hybrid work environment, including, for example, secure routers and other home network equipment. “The last mile” for internet connection (such as the coaxial cable from the street to the home router) should now extend fully into the home network and reflect the security and privacy requirements associated with hybrid work, regardless of whether the home is rented or owned.

Realizing all these potential upsides — and breaking through past habits and assumptions — will require a combination of legislative and regulatory action, roles for industry associations, and new tools and technologies. Security and privacy in the hybrid work environment will be tied tightly to productivity, equity, and innovation in the next decade. How firms and policymakers converge around new privacy and security considerations will determine whether hybrid work lives up to its promise.

About Ann Cleaveland
Ann Cleaveland is the executive director of the University of California, Berkeley’s Center for Long-Term Cybersecurity (CLTC).