Before the coronavirus pandemic hit, working from home used to be a novelty for many employees. According to a June 2020 IBM Security and Morning Consult “Work From Home Survey,” 80% of respondents say they worked from home either rarely or not at all prior to the pandemic. In-office work allowed employers and information technology (IT) teams to manage and implement security measures and protocols at a central location.

Now, remote work has become the norm for many and could become a mainstay for some companies. A hybrid in-office work approach also may be an option. Yet, more than 50% of employees surveyed don’t have updated company security policies to navigate potential threats while working from home.

Security challenges can arise every time there’s a shift to your environment. New vulnerabilities may surface, and cyber attacks still remain relentless. But, there are basic steps you can take to reduce the risk of a compromise. Here are a few things to consider when securing your environment in a remote work or a hybrid in-office setting.

Remote Workforce Common Security Challenges

Remote work has its benefits; it can provide more flexibility and potential work-life balance. But, it can also present challenges if employees let their guard down, especially when it comes to securing data.


Employees may not consider company security policies when at home. For example, employees may allow their children to use corporate laptops to play games. Or, they may use their personal laptops for work purposes. The recent survey found that 52% of respondents are using their personal laptops for work with no tools to secure it.

These activities can lead to a compromise of the device and the connected network. Ideally, all employees should try to use corporate-provided devices. These devices should have security controls in place, such as firewalls, endpoint detection and response and antivirus software. However, employees may inadvertently disable these controls because they are “slowing them down.” Before turning off certain controls, team members should consult with their IT department.


A common misperception is that data is protected when connected to a company’s virtual private network (VPN). A VPN does encrypt traffic between the user and a corporate network, but it does not stop a threat actor from accessing and compromising the internal network.

Incident Response

Responding to a compromise can be challenging. Most incident response teams are in one location. They have technologies, people and evidentiary information at their fingertips. Today, those teams are also working from home, which can make investigating a breach more difficult.

For example, if an employee’s home network is compromised, an incident responder cannot go to the person’s house to access and investigate the network. The employee would have to ship the infected device to the investigator, which extends the window of opportunity for an attacker to move deeper into the environment.


Installing patches can also be tricky. Corporate devices automatically download patches to fix vulnerabilities. Those devices need to be connected to the corporate network to receive those patches.

Downloading a patch requires a steady VPN or network connection. This process can be stalled or not completed if employees need to connect through VPN, which can easily disconnect with a shaky internet connection.

Some companies may perform automated patching overnight. The patching will not work if those devices are powered down.


Fraudulent emails purporting to be from reputable companies are a common attempt to gain personal data. And, employees working remotely aren’t immune to these scams. Employees clicking on these malicious links can give threat actors access to personal and company information.

Multifactor authentication provides extra security by requiring two or more credentials for log in to an account. This makes it harder for bad actors to get access to usernames and password.

Additionally, make sure employees set their device’s software to update automatically so it can deal easily address any new security threats.


Hybrid In-Office Workforce Common Security Challenges

A hybrid workforce model can bring the same kinds of challenges to those who working at home some days and in an office on other days.

Compromised Network

A company’s entire network could be compromised if an employee uses an infected device in the office. In many cases, devices previously trusted to connect to a corporate network will automatically connect again without requiring re-authentication, eliminating a layer of security.

Infected Documents

Infected documents also can cause problems. For example, an employee’s laptop unknowingly becomes compromised because they open a malware-infected document on their corporate laptop at home. They email that document to a coworker working in the office. Once the co-worker opens the email, their laptop becomes compromised and so does any network connected to it.

Reducing Risks

The key for any business is to have a data protection and security plan built for whatever workforce model is chosen.

Separate Network

One of the most effective steps is to set up a separate network for employees who work from home. They could use a VPN to access that network and have limited access to servers and company information.

Security and IT teams can also do the following:

  • Perform a preliminary check on remote employees devices before they return to the office.
  • Ensure security controls are on.
  • Add an extra layer of protection to the VPN with automated security checks before allowing a device to connect to the network.
  • Deploy additional network segmentation to which employees’ machines connect to when they return to the office.
  • Perform authentication and authorization checks before granting access to the corporate network.
  • Limit employees’ access to only the data they need to do their jobs

Cyber Hygiene

More than 50% of survey respondents are not aware of new company policies related to customer data, password management and video conferencing following a transition to working from home.

Maintaining cyber hygiene best practices is critical to a company’s security measures. Businesses should host quarterly security awareness trainings to educate employees on risk management in a remote work environment. It’s also important to remind employees of best practices when they return to the office.

Penetration Testing

Finally, perform penetration testing, especially against the internal network. An internal network penetration test can simulate a compromised machine.

A simulated attack can connect to the network and show where a threat actor could move after compromising an employee’s machine.

You should also implement an ongoing vulnerability management program to continuously identify, prioritize and patch high-risk vulnerabilities that an attacker may leverage. Plus, perform an adversary simulation engagement to find gaps in your remote incident response programs.

Learn how IBM’s X-Force Red’s team of hackers can help your organization.


More from Incident Response

5 Golden Rules of Threat Hunting

When a breach is uncovered, the operational cadence includes threat detection, quarantine and termination. While all stages can occur within the first hour of discovery, in some cases, that's already too late.Security operations center (SOC) teams monitor and hunt new threats continuously. To ward off the most advanced threats, security teams proactively hunt for ones that evade the dashboards of their security solutions.However, advanced threat actors have learned to blend in with their target's environment, remaining unnoticed for prolonged periods. Based…

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…

People, Process and Technology: The Incident Response Trifecta

Let's say you are the CISO or IT security lead of your organization, and your incident response program needs an uplift. After making a compelling business case to management for investment, your budget has been approved and expanded. With your newfound wealth, you focus on acquiring technology that will improve your monitoring, detection and analysis of data traffic. Has the incident program really improved by the technology acquisition, or is the uplift merely cosmetic? If no other changes have been…

Self-Checkout This Discord C2

This post was made possible through the contributions of James Kainth, Joseph Lozowski, and Philip Pedersen. In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated with their interests. While Discord and its related software…