31 December 2021

Security and Privacy Risks in an Era of Hybrid Work


Following the abrupt shift to remote work forced by the COVID-19 pandemic, many companies have transitioned their workforces into “hybrid” roles, with workers splitting their time between their offices and homes, as well as airports, co-working facilities, coffee shops, and other “third spaces.” Yet many issues regarding privacy and security in the hybrid environment have not been addressed.

A new white paper published by the Center for Long-Term Cybersecurity (CLTC), Security and Privacy Risks in an Era of Hybrid Work, examines emerging privacy and security issues attached to hybrid work environments. The report was authored by five representatives from CLTC: Ann Cleaveland, Executive Director; Grace-Alice Evans, Non-Resident Fellow; Andrew Reddie, Research Director; Isaac Vernon, a student in the UC Berkeley School of Information and a Research Assistant at CLTC; and Steve Weber, Faculty Director.

Drawing on proceedings from a workshop convened by the Center for Long-Term Cybersecurity, as well as interviews with security, policy, human resources, and other leaders from private firms and government agencies, the paper introduces a variety of key concerns with hybrid work, as well as high-level policy recommendations for industry and government.

Among the key takeaways:

Hybrid work represents a significant opportunity in terms of human capital development. Many employees welcome the freedom associated with hybrid work, and firms that allow remote roles can recruit without regard to location, increasing the potential applicant pool.

“Zero trust” architectures are well-suited for a hybrid work environment as they promise a seamless experience for employees and state-of-the-art digital security for employers, through multi-factor authentication and continuous authentication of the users and devices on a network, regardless of where they are located. Zero trust security has limitations, however; such systems can be expensive and complicated to implement, while the term “zero trust” has negative connotations.

Employees are uncertain as to expectations concerning their privacy in the hybrid workplace as well as how they might protect firm data, particularly personally identifiable information (PII) and proprietary data. Workers in home environments may reveal PII, as well as information about protected characteristics for both themselves and “bystanding” members of the household. For firms operating across jurisdictions, the multitude of policy regimes that govern data will make privacy considerations even more complex.

Firms that are transparent with employees about their privacy and data protection expectations, and that provide support through training and other means, will have an opportunity to reshape norms and improve security while strengthening their relationships with workers.

Firms face a range of novel liability concerns associated with the security and privacy risks posed by hybrid work, from leakage of data through insecure networks to potential vulnerabilities in at-home “smart” devices. These concerns will need to be addressed, for example through liability shields or by segregating home workers’ personal and business devices and networks.

Equity concerns loom large in the context of hybrid work, as whether workers are in the office or at home could lead to differences in promotion decisions or in the types of work employees are asked to perform. Firms that support hybrid work will be called upon to level the playing field across the home and office environments, and should lean into lessons from the new virtual environment, in some cases translating them “backwards” into the office environment.

Government infrastructure investment could be allocated not only to expand broadband access, but also to improve home network security by providing secure routers and other home network equipment, ensuring workers in less privileged circumstances can participate.

To improve labor market flexibility, policy may be needed to ensure that firms’ investments in home network security are transferable to a new employer if the employee chooses to take a new job. This is a complex trade-off, as it may lead employers to reduce their investments in home-based workers. However, a set of policy-based standards that implement interoperability and “portability” could help mitigate this risk.

The move to hybrid work has potential to disadvantage local and state governments as they compete to attract businesses to develop offices and other facilities in their geographic regions. Governments could benefit from putting shared boundaries around such competition going forward.

“The shift to the hybrid work environment — an economy-wide ‘reset’ of work location and practices — offers a rare opportunity to break through longstanding habits of personal and organizational behavior that negatively impact privacy and security,” the authors write. “Escaping the downsides and realizing the upsides will require a combination of legislative and regulatory action, roles for industry associations, and new tools and technologies. Security and privacy in the hybrid work environment are tied tightly to productivity, equity, and innovation in the next decade. How firms and policymakers converge around new privacy and security considerations will determine whether hybrid work lives up to its promise.”
