TL;DR: A Black Hat survey of more than 270 cybersecurity professionals found that 95% believe the COVID-19 crisis increases cyber threat to enterprise systems and data, while 80% expect cybersecurity operations to change significantly and only 15% expect a return to normal after the pandemic, according to SentinelOne. The operational lesson is that distributed access, weak endpoint visibility, and rushed remote control expansion turn identity and device trust into the core security boundary.
At a glance
What this is: The article argues that pandemic-driven remote work is expanding attack surface across endpoints, RDP, and cloud migration, with weak visibility and rushed access changes amplifying risk.
Why it matters: For IAM and NHI practitioners, the shift matters because remote access patterns, standing privilege, and unmanaged endpoints quickly turn identity governance into an operational containment problem.
By the numbers:
- 95% of security professionals believe the COVID-19 crisis increases the cyber threat to enterprise systems and data.
- 80% believe the pandemic will lead to significant changes in cybersecurity operations.
- 68% of employees reported that they had begun to use their own computers for work.
- 51% of respondents are either in the process of deploying or expect to move off of VPNs to embrace software-defined wide area networks.
👉 Read SentinelOne's analysis of remote-work cyber risk and endpoint control gaps
Context
Pandemic-driven remote work changes the security boundary because employees, devices, and applications all move outside the traditional office perimeter. That creates more exposed endpoints, more remote access pathways, and more opportunity for attackers to exploit weakly governed credentials and infrastructure.
The identity angle is practical rather than theoretical. When users connect from unmanaged devices, or when remote administration tools such as RDP are exposed too broadly, access control becomes part of frontline security, not just an IAM policy discussion. That pattern was typical of organisations under pressure to move quickly, and it remains a familiar control problem in distributed environments.
Key questions
Q: What breaks when remote access is expanded faster than endpoint controls?
A: Remote access expansion without endpoint control creates blind spots, longer attacker dwell time, and broader lateral movement risk. The problem is not only more devices, but more trust placed in devices that security teams cannot fully verify. Without local telemetry and strict access scoping, malicious activity can look like normal remote work until damage is already underway.
Q: Why do unmanaged home devices increase enterprise risk so quickly?
A: Unmanaged home devices often lack corporate hardening, consistent monitoring, and centrally enforced access controls. That makes them weaker entry points for malware, credential theft, and session hijacking. Once they are used to access company data or infrastructure, the organisation inherits the risk of the device without inheriting the controls that should have protected it.
Q: Where do RDP and VPN controls usually fail in practice?
A: They fail when organisations treat connectivity as proof of trust. If remote access is allowed with broad privileges, weak device checks, or exposed services, attackers can use valid credentials or brute-force entry to blend in. The control failure is not the protocol alone, but the absence of exposure management and privileged session governance.
Q: Who should be accountable when remote work access creates a breach?
A: Accountability should be shared across identity, endpoint, and infrastructure owners, because remote-work failures rarely sit in one team. IAM should own privilege scope, endpoint teams should own device posture, and infrastructure teams should own exposure reduction. If remote access is still a business dependency, the governance model has to assign named owners before the incident, not after it.
Technical breakdown
Why endpoint visibility becomes the first control gap
Endpoint visibility is the ability to see process activity, malicious behaviour, and access attempts on the device itself. In remote work scenarios, security teams often lose direct network context, so cloud-delivered detection can arrive too late to stop an attack. Local telemetry matters because the device is where credential use, lateral movement attempts, and malware execution first appear. Without that visibility, analysts face a flood of benign noise and cannot distinguish normal work-from-home behaviour from hostile activity fast enough.
Practical implication: prioritise endpoint telemetry and response on user devices before relying on perimeter-style controls.
How RDP exposure turns remote access into an entry path
Remote Desktop Protocol is a common target because it provides direct interactive access to Windows systems and often sits behind weak configuration or reused credentials. Once exposed to the internet, it becomes a brute-force and credential-stuffing target, and stolen valid credentials can make the attack look legitimate. That is why RDP is less a protocol issue than an authentication and exposure management issue. When broad access meets poor hardening, ransomware crews and other intruders gain a ready-made foothold.
Practical implication: treat internet-facing RDP as a privileged access surface and restrict it aggressively.
Why cloud migration changes the security model, not just the location
Moving workloads into the cloud does not simply relocate existing controls. Cloud systems are dynamic, short-lived, and built from code, which means scanning a fixed server estate is no longer enough. Security needs to track workload identity, configuration drift, and the permissions granted to automation and administrators. The article’s cloud discussion shows the danger of porting old assumptions into a new operating model. If teams redesign security after migration, they are already behind the change curve.
Practical implication: align cloud access controls, workload identity, and configuration review with the runtime reality of ephemeral infrastructure.
Threat narrative
Attacker objective: The attacker wants a low-friction entry point into corporate systems that can be converted into ransomware, data theft, or broader operational disruption.
- Entry begins when attackers target exposed remote access surfaces such as internet-facing RDP or unmanaged home devices.
- Escalation occurs when stolen or brute-forced credentials provide valid access that blends into normal administrator or user activity.
- Impact follows through ransomware deployment, data theft, or wider compromise of enterprise systems once the remote foothold is established.
NHI Mgmt Group analysis
Remote access sprawl is the new governance boundary: The article shows that once users work from home, the practical security boundary moves from the office network to the endpoint and its credentials. That creates a governance problem for IAM and PAM teams because access policy is only as strong as the device and session it is applied to. The field now has to treat remote connectivity as a lifecycle control, not a temporary exception.
Endpoint visibility is a control plane, not a logging luxury: The article’s core failure mode is not merely more threats, but less ability to distinguish benign remote-work activity from hostile behaviour. When detection depends on delayed cloud signals, dwell time grows and attackers gain room to operate. Practitioners should read this as a warning that response speed on the device itself has become part of access governance.
RDP hardening exposes the standing-access problem: Internet-facing RDP is dangerous because it combines direct administrative reach with weak exposure discipline and reusable credentials. That pattern mirrors broader NHI and privileged access risk, where standing access can be abused before review or containment occurs. The governance lesson is that access which is always on, especially for remote administration, is a structural weakness rather than a convenience.
Cloud migration is forcing identity assumptions to be rewritten: The article makes clear that moving to AWS or another cloud does not preserve legacy security models. Dynamic workloads, distributed users, and automation mean access must be tied to runtime context, not static network location. For identity programmes, that means workload identity, least privilege, and remote-session governance need to be designed together.
Distributed trust gap: The article captures a broader failure mode where organisations trust remote devices and paths more than they should because business continuity pressures outpace control maturity. That creates a repeatable gap across human identity, privileged access, and NHI-like automation surfaces. Practitioners should use this moment to re-evaluate where trust is being granted by default instead of verified continuously.
What this signals
Remote-work security is not just a connectivity problem. It is a governance problem in which endpoint trust, remote admin privilege, and identity proofing have to be tightened together before attacker dwell time grows. Practitioners should expect more pressure to prove that every remote session is justified, monitored, and removable at the session boundary, not merely authenticated at login.
Distributed trust gap: organisations that still treat VPN access, RDP reachability, and unmanaged endpoints as separate issues will continue to miss the real risk. The control failure is the assumption that the network edge still exists in a world where users, data, and administrative access have already moved beyond it.
As cloud migration and remote work converge, identity teams will be pulled into decisions that used to sit with infrastructure alone. That means access scoping, privileged session control, and workload identity need to be part of the same operating model, or the programme will keep reacting after exposure has already expanded.
For practitioners
- Harden remote administration paths Disable public exposure of RDP wherever possible, and where it must exist, place it behind controlled access, MFA, and strict source-IP restrictions. Review every remote admin path as if it were privileged production access, not a convenience channel.
- Move detection closer to the endpoint Prioritise endpoint telemetry and response on laptops and workstations that now touch enterprise resources. Correlate process execution, credential use, and remote session activity so analysts can distinguish real compromise from background noise.
- Re-scope remote access privileges Audit who can reach internal systems from unmanaged or personal devices, then reduce standing access to the smallest practical set. Tie elevated access to session-level approval and removal once the task is complete.
- Treat cloud migration as an access redesign Do not port on-premises assumptions into cloud workloads. Rework permissions, workload identities, and change control together so ephemeral infrastructure does not inherit broad access from static server-era models.
Key takeaways
- Remote work widened the attack surface by pushing corporate access onto endpoints and remote channels that many organisations could not fully see or control.
- The article’s evidence points to a sharp increase in threat pressure, especially where exposed RDP, weak visibility, and broad access overlap.
- The limiting control is not one tool but tighter exposure management, endpoint telemetry, and privilege scoping tied to remote session governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Remote access privilege and identity scoping are central to the article's risk pattern. |
| NIST SP 800-53 Rev 5 | AC-6 | Least privilege is the control most directly challenged by broad remote access. |
| MITRE ATT&CK | TA0006 , Credential Access; TA0008 , Lateral Movement | The article describes credential abuse and movement through remote access paths. |
| NIST Zero Trust (SP 800-207) | The article's trust assumptions are at odds with continuous verification for remote access. | |
| CIS Controls v8 | CIS-6 , Access Control Management | Remote work risk here is fundamentally an access-management problem. |
Map remote access pathways to PR.AC-4 and reduce standing privilege on exposed admin channels.
Key terms
- Endpoint Visibility: Endpoint visibility is the ability to observe activity directly on laptops, desktops, and servers so defenders can see malicious behaviour, credential use, and execution in context. In remote work environments, it becomes a primary control because network location alone no longer tells you whether a device is safe.
- RDP Exposure: RDP exposure is the state in which Remote Desktop Protocol is reachable from untrusted networks, especially the internet. It becomes risky when combined with weak authentication, reused credentials, or limited monitoring, because attackers can turn a convenience service into a direct path into internal systems.
- Standing Access: Standing access is persistent permission that remains available until someone manually removes it. In remote and cloud environments, standing access expands the impact of stolen credentials and makes compromise easier to scale because an attacker can use legitimate rights instead of noisy escalation steps.
- Remote Session Governance: Remote session governance is the discipline of controlling who can open remote sessions, from where, on what device, and with what level of privilege. It ties authentication, device trust, and session duration together so access is granted only for the task and is observable while active.
What's in the full article
SentinelOne's full article covers the operational detail this post intentionally leaves for the source:
- How the Black Hat survey framed SecOps changes during the pandemic and what practitioners said about post-crisis normality
- The FBI and IC3 complaint figures that show how quickly cybercrime volume scaled during the early pandemic period
- Examples of RDP brute-force activity and ransomware patterns that illustrate the exposure risk in more operational detail
- SentinelOne's device-centric detection and response framing for remote workforce defence
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It gives identity and security practitioners a structured way to apply governance principles across modern access patterns.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org