Rethinking Security in the Era of Hybrid Work

 

Having witnessed hybrid work become a long-term reality instead of a temporary response to disruption, organisations are facing a tough question: how to safeguard a workforce that can now operate fluidly across offices, homes, devices, and networks without compromising efficiency and productivity in any way. 

The shift has exposed some of the shortcomings of traditional security models, which were built on rigid perimeters, centrally controlled and not suited to the distributed digital environment people live in today. The adoption of modern cybersecurity frameworks customised specifically for hybrid environments is a necessity for companies seeking to remain resilient in such environments. Indian businesses, on the other hand, are at a critical point in this transformation. 

In the Global Cybersecurity Index (GCI) 2024, the country achieved a Tier 1 ranking with a score of 98.49 as a mark of recognition for its advancements in cooperation, organisational strategy, legal safeguards, technical readiness, and capacity building. 

The score reflects these achievements. Despite these achievements, there remains a sobering reality hidden beneath them: vulnerabilities still persist. In 2023 alone, India reported 112,474 cybersecurity incidents, with more than 429,000 attacks targeting financial institutions. According to a separate study, 83 per cent of Indian companies experienced at least one security breach. Among these breaches, India is ranked fourth in the Asia-Pacific region for these incidents. 

In an era defined by work-anywhere culture, connectivity has reached unparalleled levels, but with this has come a new dimension of risk as well. Aside from protecting emails and stored files, cybersecurity in hybrid environments has also grown to include conversations—whether they are exchanged via video conferencing, voice notes, or shared screens—as well. 

The threat of audio surveillance, once considered a niche one, is slowly emerging as one of the most pressing threats in recent years. Despite cybersecurity being a complicated issue, much of it is driven by human behaviour. Forbes reports that 95 per cent of cybersecurity breaches come from human error, such as the sharing of sensitive information without adequate safeguards, or connecting to calls over an unsecured network. 

A major concern with this risk is that it doesn't always require a sophisticated attack to occur. It is just as easy to exploit vulnerabilities as it is to exploit the very tools and environments that employees rely on, or to make misplaced assumptions about the privacy of virtual discussions. Furthermore, hybrid work has changed the way the modern office is used, shifting its focus from cubicles and meeting rooms to coffee shops, hotel lobbies, and even home offices. 

There is, however, a danger associated with the heightened level of flexibility. For example, it may seem effortless to take a client call over a public Wi-Fi network. However, in reality, such networks are capable of intercepting audio streams, capturing shared content, or even infiltrating a device without being discovered. 

Virtual meetings, screen shares, and calendar invitations carry sensitive information that varies from financial data to customer records to internal strategies - so even routine exchanges can be a source of vulnerability. A study published in ScienceDirect has already revealed that video conferencing platforms have persistent weaknesses, ranging from inadequate access controls to fragile encryption standards, illustrating how easily conversations can be compromised outside of a secure office setting. 

Likewise, the tools that enable collaboration, such as headsets, webcams, and conferencing software, have evolved into critical trust endpoints. These devices not only serve as an instrument of communication, but have also become a source of business intelligence, client meetings, and proprietary insights, as well. 

In an era when artificial intelligence is increasingly embedded in workplace applications, the threat that internal communications can be stored, analysed, or inadvertently shared outside of intended audiences is becoming more and more prevalent. Hence, organisations must take their cybersecurity efforts way beyond traditional firewalls, protecting every stream of data flowing through hybrid networks as well as voice and video.

In spite of the fact that these risks are hazardous, they are subtle in nature. Unlike phishing emails or malicious links, which can be a red flag, unsecured connections and vulnerabilities often go unnoticed by the general public. Experts say that this is akin to holding a confidential board meeting in a crowded café, where the information is not shouted out, but it is still exposed, regardless. 

In the context of such an exposure to cybercrime, the stakes are enormous. Comparitech estimates that by 2025, the global economy will be burdened by cybercrime at $10.5 trillion. This puts businesses at risk of having to take a proactive stance against cyber threats, realising that the question is not whether they will be targeted, but when. 

It is therefore imperative that companies take a comprehensive approach to protecting data and systems in the hybrid era, which is different from traditional security models. A triadic relationship lies at the heart of modern cybersecurity - identity, device, and application - all of which are essential to verify and trust together, ensuring that all three of these entities are properly verified and trusted. 

Today, identity cannot be reduced to usernames and passwords; instead, users must be authenticated using multiple factors, and their behaviour must be monitored in order to monitor for irregularities. As part of the process of maintaining security standards, devices must be assessed for integrity, malware-free, and configured in a way that is safe and secure. 

As well as sanctioning, monitoring, and integrating applications into organisational governance, there are also risks associated with a legitimate user on a compromised device, or a healthy device accessing an unverified application, as much as a stolen credential. Any weaknesses in this chain can leave attackers free to attack. 

As a result of the challenges faced by the organisation, security teams have long layered solutions like endpoint protection, authentication protocols, and application gateways in order to combat the challenges involved. In spite of this patchwork, it is often a common misconception that all of these threats will be covered, but it leaves gaps where they are able to flourish. 

Unmanaged devices remain invisible, unapproved applications can still slip through, and inadequately verified identities remain vulnerable to spoofed identities. A recent survey indicates that there are still insufficient safeguards in place to protect data, with 79 per cent of IT leaders admitting that their safeguards are insufficient at present. 

When breaches occur, they are often not the result of a single point of failure but the result of overlooked interactions between disparate tools or their inability to adjust to nuanced risks. For instance, when a developer accesses sensitive repositories using a laptop running unverified plugins, such a developer is taking advantage of these blind spots. An innovative new model is being developed to address these blind spots—Extended Access Management.

As opposed to legacy frameworks, this solution unifies the validation of identity, device, and application under a single, context-aware lens, which enables the validity of all login attempts to be evaluated as not just credentials, but also the health of the device and the legitimacy of the application, ensuring both conditional and continuous access is achieved. 

As a result of this model, employees increasingly rely on personal devices to access corporate systems and to work on them at the same time, which embraces the realities of modern workplaces. Rather than resisting this trend, Extended Access Management secures it through real-time analytics aimed at determining whether a personal device is safe to connect to sensitive assets based on real-time analytics. 

A simpler, unified login experience for employees is the result of this, which eliminates the burden of multiple logins and passwords. As a result, organisations are able to protect hybrid operations with greater visibility, greater control and the agility they require, without compromising productivity, in order to safeguard hybrid operations. 

In spite of its vulnerabilities, hybrid work remains a powerful force that offers employees flexibility and balance. However, there is a responsibility associated with this freedom to secure the digital spaces in which collaboration occurs, the conversations that drive strategy, and the voices of those individuals who hold the greatest importance. 

A headset is a relatively harmless device, but that doesn't mean that any other people might be listening in as well, especially in a time when even the most dangerous intrusions might sneak up on people quietly.