Resources

In 2020, most organisations prioritised rapid remote enablement. Security was often deferred in favour of continuity and productivity.

Six years on, hybrid work is no longer a contingency, it is the operating model for many organisations.

The question has shifted. Not ‘can we support remote work?’, but ‘how exposed are we, and how well are we controlling that risk?’.

Why hybrid work changed the security equation

Since 2020, cyber risk has increased in both frequency and complexity. The ASD Annual Cyber Threat Report highlights sustained growth in cybersecurity incidents and malicious activity across Australian organisations.

The primary driver is structural

The attack surface has expanded. Traditional network boundaries have largely disappeared. In their place are distributed workforces, lightly managed devices, and increased reliance on cloud services.

Research indicates hybrid workers experience significantly higher attack rates compared to office-based staff, reinforcing that workforce distribution is now a primary risk driver.

The implication is clear: security models must evolve to match the operating model.

What good security looks like in 2026

The challenge is no longer awareness of best practice; it is consistent execution across a distributed workforce.

1. Establish a baseline (but don’t stop there)

Frameworks such as the ASD Essential Eight provide a strong starting point. However, effectiveness depends on coverage, enforcement, and ongoing validation across all endpoints.

Framework adoption without operational discipline creates a false sense of security.

2. Address human risk as a primary control layer

Phishing remains one of the most effective entry points for attackers. Hybrid work increases exposure due to reduced peer verification and less visible IT support.

Leading organisations move beyond compliance training to behaviour-focused programs, simulation exercises, and clear escalation pathways.

User behaviour is now a critical security control.

3. Improve visibility across a fragmented environment

Many organisations operate with devices and applications they do not fully control. This creates material blind spots.

Priority focus areas include endpoint visibility, identity monitoring, and centralised detection capabilities.

You cannot secure what you cannot see.

4. Shift from tools to governance

Security maturity is determined less by the tools you own and more by how consistently they are operated.

Mature organisations prioritise ownership, validation, and accountability for security controls.

Tools without governance increase cost but not necessarily protection.

The reality for mid-sized organisations

The focus should be on prioritising high-impact controls, strengthening user behaviour, and improving governance before expanding technology investment.

Where to focus next

If your organisation has not revisited its security model since enabling hybrid work, that is now a meaningful risk.

A practical starting point includes reviewing control coverage, validating enforcement of core controls, strengthening user awareness, and improving visibility across endpoints and identities.

From there, the priority is not adding more controls, but ensuring existing controls are consistently applied and measurable.

Hybrid work is not temporary. Security models must reflect that reality.

Organisations that reduce risk most effectively align security to their operating model, enforce controls consistently, and treat user behaviour as a core control layer.