Article

Hybrid work, children, and security: the benefits and risks

Hybrid work is a great boon for family life. But organizations must ensure that parents, children, and sensitive data are safe from cybercrime.
Hybrid work, children, and security: the benefits and risks

By enabling greater flexibility and opportunities around the world, hybrid work has been nothing short of a revolution.  

Just ask a working parent.  

But for all its benefits in work/life balance for families, hybrid work is not without challenges.

Just ask an IT or security team.  

To gain a better understanding of those challenges, Cisco’s Working Parents Study surveyed 6,116 working parents aged 18 in over in 12 countries: the UK, France, Spain, Switzerland, Italy, Poland, Netherlands, Sweden, South Africa, UAE, Saudia Arabia, and Germany.  

Among its findings? While a full 85 percent of parents share their devices used for work with children, organizations must do more to keep everyone protected.  

For further insights on the study — and how organizations can support a hybrid work revolution that’s safe and secure — we spoke with Martin Lee, EMEA lead for Cisco Talos, the company’s threat intelligence and response group.

 

Thank you, Martin! First off, what inspired the Working Parents Study? And what challenges were you and your team trying to better understand?

Thank you, Kevin. We wanted to understand the security habits of a prevalent and time-strapped demographic — working parents — and to highlight for IT and security teams the threats involved. So, we polled more than 6,000 employees across the EMEA region.

Today, those teams are dealing with highly varied and widely distributed workforces. What kinds of challenges arise for them? 

A multiage, multi-geographic and multidimensional hybrid workforce is incredibly complex to secure. Set against an evolving and aggressive threat landscape, security teams face a huge challenge. Because enabling access for teams to work remotely is a very different problem to ensuring that team members use systems securely when they are out of the office. But IT leaders cannot just cancel out the working habits of employees. Instead, they must lean into a busy, stress-filled reality and mitigate threats.   

We’ll get to some of the steps that IT and security teams need to be taking in a moment. But first, let’s talk about children. To what extent are they using devices designated for work?

Our EMEA survey revealed some interesting findings. Eighty-five percent of working parents admitting to sharing a device used for work with a child in the past six months. Of the parents who share their work devices with children, 43 percent allow unsupervised access — with children gaining full knowledge of passcodes. And even among those without access to passcodes, 56 percent remain unsupervised 

Given those high percentages, what are the dangers, for children, workers, or organizations?

The starting point for breaches is often human error. Even trained people sometimes get things wrong. When you hand your device to a child, the child may not know why some actions, such as clicking a link or downloading the latest cool game might not be a good idea. Additionally, any access by an unauthorized individual to confidential data is a potential data breach. In the case of unauthorized child access there is an additional risk of inadvertent submission or deletion of data via an open browser tab or accidental email breaches.

This sounds like a pretty chaotic environment. How can IT and security teams better manage the situation? 

To start, they need to work with rather than against users. For example, they can allow users to create guest user accounts on devices. That will allow family members restricted use without access to business systems, but they will still benefit from corporate cyber protection. Permitting guest accounts is less than ideal, but it’s better than having unauthorised users with full access to a device.  

And what are some key technology protections? 

Implementing zero trust and either multifactor authentication (MFA) or two-actor authentication (2FA) or biometrics is critical. When a user accesses a new application or system, you need to verify that the user intended to perform that action. An MFA/2FA ping or biometric recognition enables you to do that. As for children, a simple additional verification step will almost certainly prevent curious children from accessing sensitive systems. And in the case of device sharing, implementing time outs for inactive sessions, MFA and working with users’ needs is another crucial part of the strategy.  

Of course, sensitive data also needs to be protected by a VPN. Not all data has equal security requirements. Organizations need to protect sensitive data so that it can only be accessed via VPN, while requiring the user to enter their username, password, and verify via MFA/2FA.  

What if somehow data is lost? 

Back-up, back-up, and back-up again! The family or home environment is hazardous for fragile electronic devices. Spilled coffee, lemonade or paint can easily disable a device, as can falls onto hard, tiled kitchen floors. Ensuring that important data isn’t lost and that replacement devices can be easily restored from backed-up data is vital to keeping hybrid workers operational. 

The role of IT has expanded in recent years to include education. What kinds of tips and information should they be sharing?

 It’s so important to educate users about cybersecurity. Devious users have a nasty habit of finding ways to subvert security protections if they find that these protections get in the way of their goals. Make sure users are aware of the importance of cybersecurity, the consequences of getting it wrong, as well as common threats and attacks. Simple policies reinforced with sanctions for transgressions help users understand what is acceptable and what is not.  

These are concrete, common-sense measures. What percentage of organizations are adopting them? 

The Cisco Cyber Readiness Index revealed that very few European organizations are prepared to defend against today's rapidly evolving threat landscape. For example, only 3 percent of European organizations were assessed as having a Mature stage of readiness in 2024 compared with 15 percent in 2023. Much of that is due to the increased likelihood of being attacked. The report also outlined that 69 percent of European respondents anticipate a cybersecurity incident in the next one to two years.

Hybrid work is here to stay. What can we look forward to in the future, in terms of convenience, security, and innovation?

Hybrid work has brought great improvements for employees and employers, and it’s not going away. The good news is that we can expect further improvements, making it easier for legitimate users to log in and access systems through capabilities like biometrics. For defenders, improved visibility of the context of connections will help identify and block attacks early. But we have to stay vigilant, because the bad actors show no signs of letting up.