Remote workforce giving new meaning to "fishing trip"
Sometimes I wish we, infosec specialists, were better at "reading the room". A report from Tessian reveals that 56% of IT leaders believe employees are "cutting corners" when not in the office. The main concern seems to revolve around "blurring" personal and professional lives, leading to the use of personal devices for work purposes, increased phishing, and failure to report incidents. The study further reports that 70% of these leaders believe "return to office" will improve security behaviours. The conclusion is thus exactly what you would expect: having people "watching" each other is perceived by IT leaders as an improvement in security.
I disagree. I believe "watching" people only works when we constantly do it, which costs extreme amounts. The costs are not only technological: the loss of employee experience can hurt your employer's brand.
Let's first agree the study dealt with qualitative data. Even quantitative data over increased attacks should be carefully interpreted: how could we isolate the variable "working away from office's surveillance" to identify causality? In my opinion, the results from the survey express more the concerns of IT leaders over a perceived loss of control over employees' behaviours rather than a true spike in breaches due to changing work habits. My hypothesis is that remote work did not change behaviours significantly. Charlie will click on that phishing, wherever the lure lands.
And yet, we’re still clinging to an outdated mindset... the "perimeter" era. That idea where we could secure all our assets behind a firewall on the network. This is a legacy belief system where the office was a "trusted zone" and everything outside was the Wild West. But today, that mental model is more risk than remedy. Most modern threat models don't start with a cat on a keyboard or someone printing a doc at home. Threats are overseas, with phishing, pretexting, social engineering, and session hijacking.
Let’s be honest: your office doesn't make you magically secure. Sitting in a cubicle doesn’t repel malicious links. If anything, the illusion of physical control makes some companies complacent. The real frontier has become the endpoint. It’s the browser. It’s the device, the identity, the session.
And the good news? We already have the tools to deal with that.
VPNs, SASE, enterprise browsers, cloud-based DLP, modern EDR/XDRs. We don’t need to overcompensate by herding people back to fluorescent lighting and forced birthday cakes. We need to get back to first principles: What are we actually trying to protect? What are the real threats? And what architecture supports both resilience and a positive employee experience?
From the employee's side, it is clear that the benefits of remoteness should stay. A recent survey from Virgin Media reveals that 76% of workers intend to add remote work days to prolong their time abroad. And the fear-mongering essay I have linked will not change that.
The CEO of Tessian does reinforce my position by concluding that the hybrid workforce is not going away and our best bet is doubling down on building a security culture to inspire rather than scare employees into compliance. The position is echoed in this recent article from CPO Magazine, which suggests a shift to "zero trust" (I hate the buzzword too, bear with me!). Access to systems should be bound to identities rather than networks, and the identity should be analyzed within its context (location, device, apps, etc.).
If we detect Suzan is accessing European PII from her trip to Hawaii, our systems should know that access to this data must be blocked. And the same systems should inform Suzan of said restriction... Unless you want her to ask "Ha-WHY can't I see this?"
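To make the "identity in context" idea concrete, here is an added example (not from the post or from any vendor named in it) of a toy policy decision point. It takes a request carrying the user's entitlements, device posture, resolved region and the classification of the data being reached for, and returns both a decision and a message to show the user, so a block is never silent. The group names, regions, classifications and residency rules are constructed assumptions for illustration; a real deployment would pull them from the IdP, MDM and SASE edge.

```python
"""Context-aware access decision bound to identity, not network location.

Added example with constructed rules: entitlement comes from the identity,
posture from the device, residency from the resolved region. Unknown data
classifications are denied by default rather than falling through.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, List

# Constructed residency rules: classification -> regions it may be read from.
# None means no geographic restriction.
RESIDENCY_RULES = {
    "eu_pii": {"EU"},
    "internal": {"EU", "US", "APAC"},
    "public": None,
}


@dataclass
class Device:
    managed: bool         # enrolled in MDM / EDR
    disk_encrypted: bool
    os_patched: bool


@dataclass
class AccessRequest:
    user: str
    groups: Set[str]      # entitlements issued by the identity provider
    device: Device
    region: str           # resolved by the access edge, e.g. "US"
    data_class: str
    app: str


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)

    @property
    def user_message(self) -> str:
        """Text suitable for showing to the user instead of a silent failure."""
        if self.allow:
            return "Access granted."
        return "Access blocked: " + "; ".join(self.reasons)


def evaluate(req: AccessRequest) -> Decision:
    reasons: List[str] = []

    # Deny by default for classifications the policy does not know about.
    if req.data_class not in RESIDENCY_RULES:
        reasons.append(f"unknown data classification '{req.data_class}'")
        return Decision(allow=False, reasons=reasons)

    sensitive = req.data_class != "public"

    # 1. Identity: entitlement is a property of the user, not the network.
    required_group = f"{req.data_class}_readers"
    if sensitive and required_group not in req.groups:
        reasons.append(f"{req.user} is not entitled to {req.data_class} data")

    # 2. Device posture: sensitive data only on healthy, managed devices.
    if sensitive:
        if not req.device.managed:
            reasons.append("device is not enrolled in management")
        if not req.device.disk_encrypted:
            reasons.append("device disk is not encrypted")
        if not req.device.os_patched:
            reasons.append("device OS is missing required patches")

    # 3. Location / residency: some data may only be accessed from some regions.
    allowed: Optional[Set[str]] = RESIDENCY_RULES[req.data_class]
    if allowed is not None and req.region not in allowed:
        reasons.append(
            f"{req.data_class} data may not be accessed from region {req.region}; "
            f"allowed from {sorted(allowed)}"
        )

    return Decision(allow=not reasons, reasons=reasons)


def suzan_request(region: str, device: Device) -> AccessRequest:
    """Constructed scenario from the post: Suzan reaching for EU PII."""
    return AccessRequest(user="suzan", groups={"eu_pii_readers"}, device=device,
                         region=region, data_class="eu_pii", app="hr-portal")


if __name__ == "__main__":
    healthy = Device(managed=True, disk_encrypted=True, os_patched=True)
    # Same identity, same entitlement, same device; only the context differs.
    for region in ("EU", "US"):
        print(region, "->", evaluate(suzan_request(region, healthy)).user_message)
```

The point of the three separate checks is that a failure in one of them produces a specific, explainable reason. Suzan in Hawaii sees why she is blocked, while the same request from the EU on the same laptop goes through, and the network she happens to be on never enters the decision.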