Remote workforce identity risk: where access controls are failing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: A governance gap between policy and actual access behaviour emerged in Axiad’s 2021 Remote Workforce Security Report, compiled with Cybersecurity Insiders, which found that 79% of security professionals apply the same controls for all remote roles, while 52% said employees had found workarounds and 71% cited phishing as a leading threat. The result is a governance gap between policy and actual access behaviour.

NHIMG editorial — based on content published by Axiad: Remote Workforce Security Survey shows access control policies providing hackers with more routes into organizations

By the numbers:

  • More than half, 52%, of tech leaders said their remote employees had found workarounds to their company’s security policies.
  • Phishing threats, at 71%, emerged as the most significant new threat vector concerning remote work environments.
  • Unpatched vulnerabilities proved to be an issue for over half, 56%, of respondents.

Questions worth separating out

Q: How should security teams reduce identity risk in remote work environments?

A: Security teams should combine stronger authentication with device posture, access segmentation, and fast response to suspicious sessions.

Q: Why do remote employees create more identity risk than office-based users?

A: Remote employees increase risk because they operate on less trusted devices and networks, where phishing, malware, and policy bypasses are more likely to succeed.

Q: What do organisations get wrong about MFA in remote access programmes?

A: Many organisations treat MFA as a finish line instead of one control in a wider trust model.

Practitioner guidance

  • Separate remote access policy by risk tier: Classify remote users by role sensitivity, device trust, and data exposure, then apply different authentication and session controls instead of a single remote-access standard.
  • Track workaround behaviour as a governance metric: Measure MFA refusal, helpdesk exceptions, unmanaged device use, and password manager bypasses as indicators that the control design is not operationally viable.
  • Harden the remote phishing path: Use phishing-resistant authentication, endpoint posture checks, and rapid credential response to reduce the chance that one compromised remote session becomes a wider breach.

What's in the full article

Axiad's full research covers the operational detail this post intentionally leaves for the source:

  • The full survey breakdown across user licensing, hardware purchases, and added vendors that support remote access expansion.
  • The underlying methodology and respondent mix from Cybersecurity Insiders, useful for comparing the report against your own environment.
  • More detailed breakdowns of phishing, malware, unauthorized access, and device-related concerns by practitioner group.
  • The article’s broader commentary on balancing usability with security in remote authentication programmes.

👉 Read Axiad's remote workforce security survey on access control policy gaps →
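
The first two practitioner guidance items above, sketched as an added example that is not part of the original post or of Axiad's report. The tier numbers, control values, event names and sample data are all constructed assumptions; the point is that workaround events are counted per risk tier, so a tier whose controls are routinely bypassed stands out.

```python
from collections import Counter
from dataclasses import dataclass

# Hypothetical tiers and controls, constructed for this example.
TIER_CONTROLS = {
    1: {"auth": "mfa", "max_session_hours": 12, "posture_check": False},
    2: {"auth": "mfa", "max_session_hours": 8, "posture_check": True},
    3: {"auth": "phishing_resistant_mfa", "max_session_hours": 1, "posture_check": True},
}
# Event names are assumptions that mirror the four behaviours listed in the guidance.
WORKAROUND_EVENTS = {"mfa_refusal", "helpdesk_exception",
                     "unmanaged_device", "password_manager_bypass"}

@dataclass(frozen=True)
class RemoteUser:
    name: str
    role_sensitivity: int  # 1 (low) .. 3 (high)
    data_exposure: int     # 1 (public data) .. 3 (regulated or secret data)
    managed_device: bool

def risk_tier(user: RemoteUser) -> int:
    """The riskiest attribute sets the tier; an unmanaged device raises it by one."""
    tier = max(user.role_sensitivity, user.data_exposure)
    if not user.managed_device:
        tier += 1
    return min(tier, 3)

def controls_for(user: RemoteUser) -> dict:
    return TIER_CONTROLS[risk_tier(user)]

def workaround_rate_by_tier(users, events):
    """Workaround events per user in each tier; unknown users and event types are ignored."""
    by_name = {u.name: u for u in users}
    population = Counter(risk_tier(u) for u in users)
    hits = Counter(risk_tier(by_name[name]) for name, kind in events
                   if kind in WORKAROUND_EVENTS and name in by_name)
    return {tier: hits[tier] / count for tier, count in population.items()}

# Constructed sample data.
USERS = [
    RemoteUser("alice", 3, 3, True),
    RemoteUser("bob", 1, 1, False),
    RemoteUser("carol", 1, 1, True),
    RemoteUser("dave", 2, 1, True),
]
EVENTS = [("alice", "mfa_refusal"), ("alice", "helpdesk_exception"),
          ("bob", "unmanaged_device"), ("carol", "login_ok"),
          ("unknown-user", "mfa_refusal")]

if __name__ == "__main__":
    for user in USERS:
        print(user.name, risk_tier(user), controls_for(user))
    print(workaround_rate_by_tier(USERS, EVENTS))
```
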




   
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Uniform remote access policy is a governance shortcut, not a security strategy. The report shows that 79% of organisations apply the same controls across remote roles, but remote work does not create uniform trust conditions. Identity governance fails when access policy ignores role sensitivity, device state, and user context. The practitioner conclusion is that remote access has to be governed as a differentiated identity problem, not a blanket user-experience problem.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: Who is accountable when remote access controls are bypassed?

A: Accountability sits with the identity and security owners who designed the control model, not just the end user who found the workaround. If a policy is routinely bypassed, that is evidence the programme does not match real operating conditions. Governance should treat recurring bypasses as a management defect.

👉 Read our full editorial: Remote workforce identity risk exposes gaps in access control



   