Notifications
Clear all
Topic starter
08/06/2026 4:00 pm
TL;DR: Hybrid and remote work expand entry points, complicate access control, and increase dependence on VPNs, MFA, password managers, and zero-trust principles, according to Axiad’s guidance. The core issue is that distributed work changes the identity trust boundary, so security programmes must treat authentication, device posture, and privilege as linked controls, not separate projects.
NHIMG editorial — based on content published by Axiad: 10 Tips for Hybrid and Remote Work Security
By the numbers:
- 53% of professionals believe that they can improve their remote work security through the right software platforms.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
Q: How should security teams secure hybrid and remote work without adding too much user friction?
A: Use a layered approach: strengthen authentication with MFA or passwordless, centralise access with SSO, and reduce post-login reach through least privilege.
Q: Why does remote work increase identity risk even when the company has VPNs?
A: VPNs protect traffic in transit, but they do not solve weak credentials, excessive access, or compromised endpoints.
Q: What mistakes do organisations make when securing remote workers?
A: The most common mistake is treating remote access as a connectivity problem instead of an identity problem.
Practitioner guidance
- Harden remote authentication paths Require MFA or passwordless authentication for all remote access, and remove legacy login paths that still accept weak or reused passwords.
- Consolidate access through SSO Reduce the number of separate credentials users maintain by centralising application access behind SSO, then review recovery flows and third-party exceptions.
- Tie access to device trust Use endpoint management to verify patch status and isolate devices that are not protected before they can reach sensitive systems.
What's in the full article
Axiad's full blog post covers the tactical advice this analysis intentionally leaves at a higher level:
- Step-by-step guidance on choosing between VPN, MFA, passwordless, and SSO for remote access
- Operational tips for endpoint management and isolating devices that are not protected
- Practical employee-training ideas for phishing awareness and policy reinforcement
- Implementation considerations for consolidating third-party passwords and reducing credential sprawl
👉 Read Axiad's analysis of 10 tips for hybrid and remote work security →
Hybrid work security: what IAM teams still miss in 2022?
Explore further
08/06/2026 5:23 pm
Hybrid work security is an identity governance problem before it is a network problem. Once work moves onto personal devices and third-party networks, the organisation loses the stable perimeter assumptions that many access controls were built around. That means authentication, device trust, and privilege need to be governed together rather than as separate programmes. Practitioners should treat remote access as a permanent operating model, not an exception.
A few things that frame the scale:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
A question worth separating out:
Q: How do you know if remote work security controls are actually working?
A: Look for fewer standalone passwords, consistent SSO adoption, enforced MFA or passwordless authentication, and access scopes that stay narrow after login. If users can still reach too many systems after authentication, the programme is secure at the front door but loose inside the building.
👉 Read our full editorial: Hybrid and remote work security needs identity controls, not trust
