Goldman Sachs leadership didn’t get the response they expected from their return to the office (RTO) order. In fact, Fortune reported that only about half of the company’s employees showed up. With today’s tight labor market and many employers allowing remote work, employees have firm ground to stand on. How do you secure a workforce that won’t always comply with your demands?

Employee compliance with cybersecurity measures has always been a key component of digital defense. However, employees often either purposely don’t comply or make mistakes. The 2022 X-Force Threat Intelligence Index found that phishing was the most common way criminals gained access to a network. Of all the attacks remediated by X-Force in 2021, 40% involved phishing. Organizations need to focus on maintaining always-on security measures that work without depending on cyber awareness and security edicts. 

Zero Trust Protects Regardless of Compliance

Organizations are moving more and more toward the Zero Trust framework. This protects them with an always-on approach instead of focusing on employee compliance. According to the 2021 Cyber Resilient Organization study, 35% of respondents have adopted this approach. Of those, 65% agreed that zero trust security strengthens cyber resilience. In addition, 63% of those organizations reported that a zero trust approach is significant or moderate. Their top reason? The approach improved operational efficiency.

Zero trust isn’t a single technology or even a single process. Instead, the zero trust approach is a framework that organizations use to implement different techniques and tools.

Other approaches focus on securing the perimeter and preventing an attack from occurring. Employers expect their people to comply with the processes and cyber hygiene. With a noncompliant workforce, you can’t rely on those methods of securing a network.

With zero trust, there is a mindset shift in how to approach cybersecurity. Instead of defending a perimeter, zero trust focuses on controlling access of both users and devices. It takes the approach that a breach has already happened. The tools are always on and do not rely on employees. So, they’re effective for employees who often don’t comply with security measures. Passively not complying may not be as dramatic as a walkout, but it can cause serious damage when an employee accesses sensitive data on a personal device or connects a work device over a public network.

Why Zero Trust Works for Remote Workers

Here are three common elements of a zero trust approach that apply to remote workers:

  • Principle of least privilege: By giving employees the least amount of access that they need to do their jobs, you can reduce vulnerabilities both from outsiders and insiders. The principle of least privilege is most effective when applied to domain controllers and domain admin accounts, which reduces the risk of ransomware. Remote workers have more freedom and add endpoints. So, restricting connections and user exposure reduces the damage and risk of an attack.
  • Microsegmentation: This technique divides the network into very small segments, called microsegments. It only grants users access to the specific sections they need for business purposes. If a breach occurs or an attacker steals an employee’s credentials, the amount of damage is limited only to the small segments that are involved. If you want to move to zero trust, analyze your data flows and infrastructure to see workload segments.
  • Multi-factor authentication (MFA): MFA makes it harder for cyber criminals to disguise themselves as authorized users, regardless of whether employees access networks remotely or in-house. With MFA, users must use more than one piece of evidence to verify their identity. For example, a user may be required to enter a password and then enter a code sent to them by SMS text.

Zero Trust Protects Remote Workers

Goldman Sachs employees refusing to return to the office are just one example of workers pushing back on RTO orders. Many employees who worked remotely for the past two years want to keep working from home. A recent Pew Research Report found that 60% of workers with jobs that can be performed remotely would like to work from home all or most of the time, which is an increase from 54% in 2020.

In addition, many employees say the ability to work remotely can affect their decision to stay with their company. The ADP People at Work: A Global Workforce View reported that 64% of the global workforce said they have or would consider looking for a new job if their current job required working in the office full-time. Large companies face this problem, too. Employees at Apple recently made headlines for threatening to quit if the current hybrid plan of requiring employees to be in the office Tuesday through Thursday continues.

Having a large number of remote workers means there is no longer a perimeter to defend. Organizations are finding that zero trust provides more protection with a remote or hybrid workforce. Remote workers mean more endpoints and opportunities to infiltrate a company’s data, which expands the attack area. To address this, zero trust focuses on the access of devices and users instead of the perimeter. The framework can reduce vulnerabilities and more accurately ensure that only authorized users and devices access the network, apps and data.

Creating an Always-On Cybersecurity Process

As remote and hybrid work becomes a long-term change, organizations must permanently adjust their cybersecurity processes to match how people actually work. Companies that currently require full-time hours in the office, or even hybrid work schedules, should begin thinking of employing long-term security effects to keep from losing valued employees to companies that allow more flexible work arrangements.

By beginning the process of adopting zero trust now, organizations can be prepared for continued remote work and any additional workforce changes in the future. Zero trust allows organizations to lessen their dependency on compliance while also setting themselves up for security.

More from Zero Trust

SOAR, SIEM, SASE and Zero Trust: How They All Fit Together

Cybersecurity in today’s climate is not a linear process. Organizations can’t simply implement a single tool or strategy to be protected from all threats and challenges. Instead, they must implement the right strategies and technologies for the organization’s specific needs and level of accepted risks. However, once the dive into today’s best practices and strategies begins, it’s easy to quickly become overwhelmed with SOAR, SIEM, SASE and Zero Trust —  especially since they almost all start with the letter S.…

Contain Breaches and Gain Visibility With Microsegmentation

Organizations must grapple with challenges from various market forces. Digital transformation, cloud adoption, hybrid work environments and geopolitical and economic challenges all have a part to play. These forces have especially manifested in more significant security threats to expanding IT attack surfaces. Breach containment is essential, and zero trust security principles can be applied to curtail attacks across IT environments, minimizing business disruption proactively. Microsegmentation has emerged as a viable solution through its continuous visualization of workload and device communications…

Why Zero Trust Works When Everything Else Doesn’t

The zero trust security model is proving to be one of the most effective cybersecurity approaches ever conceived. Zero trust — also called zero trust architecture (ZTA), zero trust network architecture (ZTNA) and perimeter-less security — takes a "default deny" security posture. All people and devices must prove explicit permission to use each network resource each time they use that resource. Using microsegmentation and least privileged access principles, zero trust not only prevents breaches but also stymies lateral movement should a breach…

What to Know About the Pentagon’s New Push for Zero Trust

The Pentagon is taking cybersecurity to the next level — and they’re helping organizations of all kinds do the same. Here’s how the U.S. Department of Defense is implementing zero trust and why this matters to all businesses and organizations. But first, let’s review this zero trust business. What is Zero Trust? Zero trust is the most important cybersecurity idea in a generation. But “zero trust” is itself a bit of a misnomer. It’s not about whether a person or…