Goldman Sachs leadership didn’t get the response they expected from their return to the office (RTO) order. In fact, Fortune reported that only about half of the company’s employees showed up. With today’s tight labor market and many employers allowing remote work, employees have firm ground to stand on. How do you secure a workforce that won’t always comply with your demands?

Employee compliance with cybersecurity measures has always been a key component of digital defense. However, employees often either purposely don’t comply or make mistakes. The 2022 X-Force Threat Intelligence Index found that phishing was the most common way criminals gained access to a network. Of all the attacks remediated by X-Force in 2021, 40% involved phishing. Organizations need to focus on maintaining always-on security measures that work without depending on cyber awareness and security edicts.

Zero trust protects regardless of compliance

Organizations are moving more and more toward the Zero Trust framework. This protects them with an always-on approach instead of focusing on employee compliance. According to the 2021 Cyber Resilient Organization study, 35% of respondents have adopted this approach. Of those, 65% agreed that zero trust security strengthens cyber resilience. In addition, 63% of those organizations reported that a zero trust approach is significant or moderate. Their top reason? The approach improved operational efficiency.

Zero trust isn’t a single technology or even a single process. Instead, the zero trust approach is a framework that organizations use to implement different techniques and tools.

Other approaches focus on securing the perimeter and preventing an attack from occurring. Employers expect their people to comply with the processes and cyber hygiene. With a noncompliant workforce, you can’t rely on those methods of securing a network.

With zero trust, there is a mindset shift in how to approach cybersecurity. Instead of defending a perimeter, zero trust focuses on controlling access for both users and devices. It assumes that a breach has already happened. The tools are always on and do not rely on employees, so they remain effective even when employees don’t comply with security measures. Passively not complying may not be as dramatic as a walkout, but it can cause serious damage when an employee accesses sensitive data on a personal device or connects a work device over a public network.

Why zero trust works for remote workers

Here are three common elements of a zero trust approach that apply to remote workers:

  • Principle of least privilege: By giving employees the least amount of access that they need to do their jobs, you can reduce vulnerabilities both from outsiders and insiders. The principle of least privilege is most effective when applied to domain controllers and domain admin accounts, which reduces the risk of ransomware. Remote workers have more freedom and add endpoints. So, restricting connections and user exposure reduces the damage and risk of an attack.
  • Microsegmentation: This technique divides the network into very small segments, called microsegments. It only grants users access to the specific segments they need for business purposes. If a breach occurs or an attacker steals an employee’s credentials, the damage is limited to the small segments that are involved. If you want to move to zero trust, analyze your data flows and infrastructure to identify workload segments.
  • Multi-factor authentication (MFA): MFA makes it harder for cyber criminals to disguise themselves as authorized users, regardless of whether employees access networks remotely or in-house. With MFA, users must use more than one piece of evidence to verify their identity. For example, a user may be required to enter a password and then enter a code sent to them by SMS text.
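As an added illustration (not code from the original article), the following Python policy check applies the three elements above to a single access request from a remote worker; the roles, resources and segment names are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample policy (hypothetical roles, resources and segments).
# Least privilege: each role gets only the (resource, action) pairs it needs.
ROLE_PERMISSIONS = {
    "analyst": {("reports", "read")},
    "support": {("reports", "read"), ("dc", "read")},
    "domain_admin": {("reports", "read"), ("dc", "admin")},
}
# Microsegmentation: each role may reach only these network segments.
ROLE_SEGMENTS = {
    "analyst": {"reporting"},
    "support": {"reporting"},
    "domain_admin": {"reporting", "identity"},
}
# Which microsegment each resource lives in.
RESOURCE_SEGMENT = {"reports": "reporting", "dc": "identity"}

@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str
    mfa_verified: bool    # second factor presented for this session
    device_managed: bool  # corporate-managed device, not a personal one

def evaluate(req: AccessRequest) -> tuple:
    """Decide one request. Network location is deliberately not an input:
    a breach is assumed, so being 'inside' or on a VPN earns no trust."""
    if not req.mfa_verified:
        return (False, "mfa_required")           # a password alone is not enough
    if not req.device_managed:
        return (False, "unmanaged_device")       # blocks personal-device access
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        return (False, "insufficient_privilege")
    if RESOURCE_SEGMENT.get(req.resource) not in ROLE_SEGMENTS.get(req.role, set()):
        return (False, "segment_not_reachable")  # blast radius stays in-segment
    return (True, "allowed")

if __name__ == "__main__":
    # Stolen credentials replayed without the second factor: denied.
    print(evaluate(AccessRequest("alice", "analyst", "reports", "read", False, True)))
    # Support role has app permission on 'dc', but its segment is unreachable.
    print(evaluate(AccessRequest("bob", "support", "dc", "read", True, True)))
    # Compliant request within role and segment: allowed.
    print(evaluate(AccessRequest("alice", "analyst", "reports", "read", True, True)))
```

Each check is independent, so a request that passes MFA and device posture can still be refused by least privilege or by segmentation; that layering is what limits damage when one control is bypassed.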

Zero trust protects remote workers

Goldman Sachs employees refusing to return to the office are just one example of workers pushing back on RTO orders. Many employees who worked remotely for the past two years want to keep working from home. A recent Pew Research Report found that 60% of workers with jobs that can be performed remotely would like to work from home all or most of the time, which is an increase from 54% in 2020.

In addition, many employees say the ability to work remotely can affect their decision to stay with their company. The ADP People at Work: A Global Workforce View reported that 64% of the global workforce said they have or would consider looking for a new job if their current job required working in the office full-time. Large companies face this problem, too. Employees at Apple recently made headlines for threatening to quit if the current hybrid plan of requiring employees to be in the office Tuesday through Thursday continues.

Having a large number of remote workers means there is no longer a single perimeter to defend. Organizations are finding that zero trust provides more protection with a remote or hybrid workforce. Remote workers mean more endpoints and more opportunities to reach a company’s data, which expands the attack surface. To address this, zero trust focuses on the access of devices and users instead of the perimeter. The framework can reduce vulnerabilities and more accurately ensure that only authorized users and devices access the network, apps and data.

Creating an always-on cybersecurity process

As remote and hybrid work becomes a long-term change, organizations must permanently adjust their cybersecurity processes to match how people actually work. Companies that currently require full-time hours in the office, or even hybrid work schedules, should begin planning for the long-term security implications of flexible work, so they don’t lose valued employees to companies that allow more flexible work arrangements.

By beginning the process of adopting zero trust now, organizations can be prepared for continued remote work and any additional workforce changes in the future. Zero trust allows organizations to lessen their dependency on compliance while also setting themselves up for security.
