Study reveals that 80% of professional workers are now partially remote, and 49% of CISOs say those employees pose the biggest security risk
“Traditional security tools haven’t kept pace with the modern workplace, leaving many CISOs vulnerable to data breaches and unauthorized access”
Despite a few high-profile examples of workers returning to the office en-masse, the report reveals that 15% more professional workers now work remotely at least part of the time compared to 2020, increasing from 70% to 80%. The shift to a distributed work environment left many businesses struggling to balance productivity and security. Employees often use unmonitored and untrusted devices to log into business applications and access sensitive data. At the same time, employees frequently subscribe to unsanctioned applications, which further compromise security posture. As a result, IT and security teams are often unable to block compromised devices or keep track of data once it disappears onto unmanaged devices and apps, significantly increasing the risk of sensitive data loss.
“The profound tectonic shifts in how companies have worked over the last two years have grown the Access-Trust Gap from a small fissure into a vast chasm,” said Jason Meller, VP of Product at 1Password. “That’s what makes it so insidious—companies see this gap as familiar and not worth re-examining. But our data shows the opposite, and unlike two years ago, we now have the tools to assess, measure its impact, and close it.”
The Access–Trust Gap: A Growing Risk for Businesses
The study underscores a critical issue many organizations face: the “Access-Trust Gap” — the security risks posed by unmanaged devices and applications accessing company data without proper governance controls. Among security leaders, there’s a growing awareness of the risks posed by these untrusted forms of access. Almost half (49%) of CISOs cite hybrid and remote employees as the top source of security risk, followed by partners, suppliers, affiliates (47%), and machine identities (38%).
“Traditional security tools haven’t kept pace with the modern workplace, leaving many CISOs vulnerable to data breaches and unauthorized access,” said Jay Bretzmann, Research Vice President at IDC. “As organizations embrace hybrid work, addressing the Access-Trust Gap is more urgent than ever. A future-looking access management solution should extend the strengths of identity access management (IAM) and mobile device management (MDM) to unmanaged apps and devices, ensuring all access attempts are trusted and secure. With the growing complexities of remote work and the rise of AI-driven threats, organizations need solutions that can meet modern security demands while still enabling productivity.”
AI Fuels Emerging Cybersecurity Threats
The study highlights the escalating danger of AI-powered cyberattacks. Generative AI (GenAI) is making phishing and identity-based attacks more sophisticated, putting increased pressure on businesses to safeguard sensitive data and intellectual property. IDC predicts that by 2026, 45% of midsize and large organizations will adopt identity detection and response solutions to defend against AI-driven threats.
IDC Prescribes Six Critical Capabilities to Close the Access-Trust Gap
To close the Access-Trust Gap and safeguard against the growing security risks of hybrid work, organizations must adopt a comprehensive access management solution that ensures every access attempt is both verified and secure. The study identifies six essential capabilities that ensure all access points—whether from managed or unmanaged devices—are trusted and secure. These capabilities are designed to empower security teams to protect sensitive data without compromising productivity.
- Extend access policies: Apply security policies across all devices, managed or unmanaged.
- Secure every app: Protect both IT-managed and shadow IT applications.
- Protect credentials: Safeguard credentials across all apps and websites.
- Authenticate identities: Verify the entire workforce’s identities throughout their lifecycle.
- Enable secure sign-ins: Ensure secure sign-ins from any device or location using various methods like SSO, passwords, or passkeys.
- Monitor device health: Block compromised or unhealthy devices from accessing corporate resource