Notifications
Clear all
Topic starter
08/06/2026 4:09 pm
TL;DR: Remote workforce security remains inconsistent, with 79% of security professionals enforcing the same controls for all roles remotely, while 52% said remote employees found workarounds and 71% cited phishing as a top threat, according to Axiad and Cybersecurity Insiders. Identity assurance now has to account for user behaviour, not just policy design.
NHIMG editorial — based on content published by Axiad: Remote Workforce Security Survey shows access control policies providing hackers with more routes into organizations
By the numbers:
- More than half (52%) of tech leaders said their remote employees had found workarounds to their company’s security policies.
- Phishing threats (71%) and malware (61%) have emerged as the most significant new threat vectors concerning remote work environments.
Questions worth separating out
Q: How should security teams reduce identity risk in remote workforce environments?
A: Security teams should reduce the number of resources each remote identity can reach, then align MFA, device posture, and access reviews with how people actually work.
Q: Why do remote employees create more identity risk than office-based users?
A: Remote employees often authenticate from less controlled devices and networks, then depend on cloud and SaaS access that may be broader than their day-to-day task set.
Q: What should organisations do when users work around MFA or other access controls?
A: Treat workarounds as evidence that the control design is not aligned with user behaviour.
Practitioner guidance
- Reduce remote access blast radius Review which remote access pathways expose confidential data and privileged functions, then narrow access scopes so a single compromised user identity cannot reach broad resource sets.
- Treat workaround rates as a governance metric Track how often employees bypass MFA, device management, or password manager requirements, and use those signals in access review and control redesign conversations.
- Pair phishing resilience with entitlement limits Strengthen user training, but also shorten the access path available to any stolen identity by removing unnecessary application reach and privileged roles.
What's in the full article
Axiad's full research covers the operational detail this post intentionally leaves for the source:
- Breakdowns of the survey methodology and respondent mix across IT and cybersecurity roles.
- Additional data on remote access licensing, hardware purchases, and cloud application expansion.
- Detailed findings on user resistance to MFA, mobile device management, and password managers.
- The full set of remote-work threat perceptions, including identity theft, malicious websites, and privileged access concerns.
👉 Read Axiad's research on remote workforce security and access control risk →
Remote workforce security controls are lagging. What should teams fix first?
Explore further
08/06/2026 5:37 pm
Remote work turns identity governance into a behaviour problem, not just a policy problem. The report shows that organisations can standardise controls on paper while users still find ways around them in practice. That means the real boundary is no longer the policy document but the point at which users experience the control as too difficult to follow. Practitioners should treat policy bypass as a governance signal, not user misconduct alone.
A few things that frame the scale:
- 79% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
A question worth separating out:
Q: How do teams know whether remote access controls are actually working?
A: Look for adoption, bypass, and exception patterns rather than only policy coverage. If a large share of employees resists MFA, device management, or password tooling, the control may exist but still fail operationally. Real effectiveness shows up when the secure path is the easiest path for most users.
👉 Read our full editorial: Remote workforce security survey shows identity controls breaking down
