An executive framework for scaling hybrid work security

Hybrid work demands that companies rethink their security strategies, policies, and procedures. By taking a systematic approach, security leaders have a rare opportunity to innovate their programs across the enterprise. This guide offers them a framework to assess their readiness for a new era of work.

Innovation is the ability to see change as an opportunity. In the wake of the pandemic, changes to the workplace are inevitable. 45% of employees are calling for hybrid work, which lets them choose when to go into the office. But are security teams ready for the shift?

In a hybrid work environment, the security perimeter is no longer bound to an office. It has to extend to wherever employees work, whether that’s at home, a cafe, or even on the go.

To complicate things, security has also expanded into workplace health. To keep employees safe, security teams need to be sure the people coming into the workplace are healthy.

Hybrid work demands that companies rethink their security strategies, policies, and procedures. By taking a systematic approach, security leaders have a unique opportunity to innovate their programs across the enterprise. This guide offers them a framework to assess their readiness for a new era of work.

1. The five pillars of workplace security

The hybrid work model throws the regular 9-to-5 workweek out the window. Employees are more likely to go into the office when it suits their schedules, and many will decide not to go in at all.

To adjust, your security team needs to keep a pulse on who’s coming and going from your offices at all times. And they have to monitor how remote employees access company systems and data. To mitigate threats to the hybrid work environment, you need a solid security foundation. This foundation builds on five essential pillars:

Physical security

Physical security is often the first line of defense against a breach or health threat. It prevents unauthorized access to a company’s facilities, equipment, and resources. Common components of physical security include access control, wayfinding, surveillance, and alarm systems. This pillar protects:

  • Employees and guests
  • Buildings
  • Physical assets
  • IT hardware
  • Vehicle fleets

People security

People security protects against malicious, negligent, and unintentional insider threats. Anyone with access to company systems or data can pose a threat. This includes full-time and contract staff, partners, visitors, and vendors. People security programs often include:

  • Security awareness training
  • Pre-employment screenings
  • Employee off-boarding
  • Incident investigation and remediation plan

Data security

Data security helps protect critical company data stored across devices, networks, and the cloud. This includes trade secrets, employee data, and product data. Security measures include:

  • Authentication
  • Access control
  • Encryption
  • Tokenization
  • Backups & recovery

Infrastructure security

Infrastructure security protects against service disruptions that may threaten business continuity. 70% of executives plan to make new investments in IT infrastructure to secure critical company data under hybrid work. Security measures include:

  • Firewalls
  • Wireless security
  • Application security
  • Virtual private networks (VPNs)

Crisis management

Crisis management helps minimize an emergency on a company’s employees and business. Examples of crises include terror attacks, natural disasters, and pandemics. To prepare, teams need to have plans and procedures in place, including:

  • Documentation and work procedures
  • Emergency response plans
  • Business continuity plans
  • Disaster recovery plans

To improve your security for hybrid work, you’ll need to prioritize the people, data, and infrastructure security pillars. However, it’s necessary to keep all of the pillars in mind as you conduct a security assessment, which we’ll dive into next.

The average cost of a data breach is $3.86 million

Enterprise security requires enterprise-grade tools

To prepare for any kind of threat, you need the right resources. Here are a few ways Envoy can help keep your company safe:

  • Keep unwanted visitors out of your offices
  • Issue access to guests and employees
  • Collect visitors’ signatures on NDAs and waivers
  • Securely share your Wi-Fi
  • Meet and maintain visitor-related compliance needs
  • Share emergency information with visitors and employees on-site

2. How to assess your hybrid work security

If you oversee many locations, it’s not always easy to know where your security needs work. That’s where a security assessment can help. It’ll reveal gaps in your security you don’t know exist. Plus, it’ll give you a big picture view of your preparedness for hybrid work across the five pillars of security. You can conduct an assessment in three steps.

1. Identify stakeholders and invovle them early

Working closely with cross-functional partners will help you get important points of view before, during, and after the assessment. You may need to include people in:

These folks will ensure you have access to the people and technical resources you need for the assessment. For example, say you create a new workplace policy and need help putting it into effect. Your HR team will form a company-wide communication plan to make sure employees are aware. Your People team will ensure your access control system enforces the new policy. And your executive team will regularly remind employees to work from home if they’re ill.

Consider hosting a kickoff meeting with stakeholders before you start the security assessment. Get people in the same room (or on the same video call) to chat about roles, responsibilities, and timelines. Aim to paint a clear picture of the goals you want to accomplish and how stakeholders can help.

2. Creating a scoring card system

A security assessment requires you to evaluate your security across pillars and workplaces. To do that, you need to develop a scoring system. Let’s take a look at the two steps you’ll have to take to create one.

Part 1 – Identify threats

Create a list of security threats that fall under each pillar, starting with physical security. Then move on to people security, data security, and so on. Make sure each list includes threats specific to hybrid work. For example, your list for the data security pillar may look like this:

Answering the question, “what’s the worst that can happen under this pillar?” will help you identify the most significant threats. Don’t forget to get stakeholder feedback, so other opinions are represented.

Part 2 – Develop a scoring system

A scoring system is a tool you’ll use to grade your hybrid work security. It’ll categorize security risks by likelihood and severity. If you don’t want to create a custom system, you can use the one below. Customization allows you to tailor how you score the security assessment to best suit your needs. For example, you may want to use a 3×3, 4×4, or 5×5 grid. Or maybe you’d prefer a numeric system that scores on a three or five-point scale. There are lots of different ways to approach scoring. As long as the one you choose works for your team, there’s no right or wrong way forward.

Illustration of a custom scoring system using a 3x4 grid
  1. The security assessment

Now that you’ve identified threats for each pillar and created a scoring system, you can complete the security assessment matrix. Before you do that, let’s go over the matrix, so you know how to make the most of it.

Understanding the matrix

The left column buckets each hub by security pillar. A “hub” in this context refers to a hybrid landscape that includes an office as well as remote locations near it where employees do work. When you’re customizing the matrix, rename the hubs to whatever will be clearest to your team (e.g., HQ, Dublin, Bangalore). Columns to the right of the security pillars represent the threats you identified earlier. They will be different for each pillar.

Example of an empty assessment matrix

How to score the matrix

Use your scoring system to assign a score to each of the boxes in the matrix. Start in the top left corner and work your way across hubs or threats. This example looks at the data security pillar. You can see that the first threat—phishing scam—received a “low risk” score for Hub 1. This shows that while a phishing scam is possible, if it occurred its impact on the business would be low. Be sure your stakeholders agree on the score you give each hub and pillar.

Illustrations showing how to fill out an assessment matrix using the scoresheet

Understanding the results

Once you’ve filled out the matrix, the results of the assessment should show:

  1. The strengths and weaknesses of your security for each hub
  2. The strengths and weaknesses of each security pillar across all hubs

For example, say Hub 1 scores well for infrastructure security. You can use this hub as a model to scale this pillar’s security programs to other hubs. Poor scores across a single pillar could reveal a systemic issue. For example, you may be missing critical training programs that teach employees how to identify and mitigate cybersecurity threats.

How to prioritize improvements

You won’t be able to address every threat at once, so you should have a plan of action to guide your team’s focus. You might consider listing out the work you need to do in order of priority. For example:

1st priority: Intolerable risks

These are the risks you can’t put off. Failing to address them could put business continuity at stake.

2nd priority: High risks, critical risks

These risks are important to address. They may have a serious and lasting impact on your company.

3rd priority: Moderate risks

These risks may impact business operations but they won’t cause lasting damage.

Or you might decide to focus on a particular hub or pillar. If scale is a priority, consider addressing the threats associated with a single hub first. Once the hub scores well across pillars you can scale its security programs to other hubs.

3. Using the results to scale your hybrid work security

After you’ve completed the assessment, you’re ready to take action. To illustrate how you might proceed, let’s take a look at a fictional example.

Preparing 20+ offices for hybrid work

ESRE, an architecture firm, has more than 20 offices across the globe. When the pandemic hit, it kept its headquarters open for employees to do critical on-site work. To keep people safe, the company has implemented several operational changes. These changes include reduced capacity, regular health screenings, and mandatory pre-registration for employees. Since most employees are remote for the time being, the company has invested in cybersecurity to keep its IT assets safe.

ESRE recently reopened its San Francisco and Hong Kong offices under a flexible work arrangement. The executive team plans to open other offices in the next six months. Before they do, they want to be sure their hybrid work security is strong across each of the three open hubs. To find out, ESRE’s head of global physical security led a security assessment. By addressing the vulnerabilities of each hub, they can scale security programs to others.

Analyzing ESRE’s assessment results

ESRE’s team used the scoring system above to assess the security of its three global hubs. Here are the results:

The results show that:

  1. HQ has the strongest hybrid work security across each pillar, with mostly low and moderate risk scores. Hong Kong has the weakest hybrid work security across each pillar, with more incidence of high-risk vulnerabilities.
  2. Across ESRE’s hubs, data security and people security are the strongest pillars. Crisis management is the weakest security pillar.

To be efficient, ESRE’s security team focuses on improving one pillar at a time. This allows them to make improvements to multiple hubs at once. For example, HQ was the only hub that scored well for physical security. The team decides to apply HQ’s processes, procedures, and technology for this pillar to the other hubs. As for San Francisco and Hong Kong, both hubs had poor scores for infrastructure security. ESRE’s security leader plans to make a case for investing in wireless security and VPN.

Compliance often varies by location and can be tricky to navigate. ESRE’s team has spent a lot of time meeting guidelines and best practices for their San Francisco hub. Even though it’s not required, they decide to scale these security measures across ESRE’s other hubs. Their reasoning: if the regulations provide better security at one hub, they’ll improve security at the others, too.

Improvements to your hybrid work security fall into three buckets: standardization, resourcing, and optimization. Keep these three things in mind when deciding on the work you need to do to improve your security. Ask your team:

Can we extend existing processes and procedures from one hub to other hubs?

Have we made the right investments? Do we have the technical systems, people, and tools needed to mitigate threats?

Are we applying standardizations and resources effectively (e.g., automating as many tasks as possible)? Are there areas we can optimize further?

To address a specific risk, like a public health emergency, one state may have a requirement for employers to provide “employee awareness training” where the other states do not. It is worth training all your employees, not just the people required to take the training because it becomes a useful way to engage your employees and get critical information into their hands, whether they’re remote or in the office. It improves safety for everyone.

CISSP, CBCP, CPP, Director Global Security & Services, athenahealth

4. Improve your preparedness over time

Improving your security programs across each pillar won’t happen overnight. Once you begin to take action against your security assessment, you need to track the efficacy of the improvements. There are quantitative and qualitative ways of doing this, and both are equally important.  

Conduct regular assessments

The vulnerability landscape is always evolving. Keeping a constant pulse on your security is a critical part of mitigating threats. To do this, conduct assessments on a regular basis. For example, you may choose to assess your security bi-annually, or before launching new programs or processes. This ensures business continuity now and prepares you to withstand threats in the future. Use the results to compare the current period to previous ones. You’ll be able to see how your key security objectives are improving over time. Here’s what that might look like, using physical security as an example:

You can also keep track of the number of security incidents that occur over a period of time. By noting these incidents, you can see whether the security changes you’ve made have had an impact. Some businesses track the number of:

  • Cyberattacks
  • Break-ins
  • Disasters
  • Health-related office closures

Quantitative data is important, but it only gets you so far. Qualitative metrics will help you see the nuances in your security programs. This adds context to the work your team is doing and explains what numbers alone can’t reveal. The next section dives into several ways you can collect feedback from employees.

Collect employee feedback

Employees are a critical layer of your company’s security. Their cooperation and preparedness help keep your company safe. Speaking with employees can highlight security gaps that assessments may miss. To collect a wide range of feedback, talk to employees who come into the office regularly as well as those who are remote. Here are a few ways you can keep your ear to the ground.

Conduct interviews

Interviews are typically one-on-one conversations and can be formal or informal. They’re a great way to learn from employees responsible for enforcing your security programs, like an HR manager or front desk attendant. These conversations can give you new insights into your programs so you can improve them. Frame the conversations to employees as an opportunity for you to learn about the work they’re doing. This will ensure they focus on the information that’ll be most helpful to you.

Organize a focus group

Focus groups bring together a small group of people across your company to discuss a topic. To capture different opinions, include employees, supervisors, managers, and department heads. Keep the groups under 10 people so everyone can take part in the discussions. These conversations can help you understand how a new program is going and how you might improve it. Your role as moderator is to ask questions, listen, and learn.

Shadow employees

Shadowing an employee is a way to learn first-hand how your security policies and procedures are executed. It’s also a great way to see how employees in one office operate differently from those in another. Ask the person you’re shadowing to perform a role or task as they would normally. Keep an eye out for actions the employee does that are different from their peers at other hubs. Be sure to ask questions about what they think can be done better or differently.

Each feedback method works in person and remote, making them great for hybrid work. Remember to keep an open mind to new ideas and ask questions to understand the feedback. Finally, capture this feedback somewhere and be sure to share a summary with your team. Create a culture around receiving employee feedback on a regular basis. This will help fill knowledge gaps in your security programs your team would otherwise not know about.