A mere four years ago, typical office environments consisted of side-by-side cubicles or desks, where dozens of people gathered daily and sat a few feet from one another.

Due to the global pandemic that made the term “social distancing” a household phrase, the evolution of the work environment has resulted in a myriad of hybrid and remote work options – dramatically altering the workforce environment and creating physical and digital risks for both business and commercial real estate owners alike.

A Complex Set of Challenges 

Terri Lewis, chief human resources officer, One Call

According to Abe Freeland, executive vice president at Alliant Insurance Services, in the years preceding the onset of COVID, when debt was historically inexpensive, many commercial real estate owners embarked upon capital intensive growth, development and redevelopment projects, particularly as the commercial real estate market gravitated to ultra-high quality and high amenity spaces customized to their tenants’ wants and needs.

“Post-COVID, the deep and prolonged occupancy challenges facing owners, coupled with much higher interest rates and debt maturities, are dealing many commercial real estate owners a double whammy,” Freeland said.

As a result, owners of distressed properties are often forced to consider deferring planned upgrades and maintenance, which can lead to greater risk, more exposure and unintended consequences. Further, post-COVID staffing shortages have made asset maintenance and operations that much more challenging.

Today, commercial real estate owners are relying upon building management systems (BMS) more than ever to automate, manage and monitor various building systems and protections. And as Freeland explained, while AI has accelerated the capabilities and sophistication of such systems, owners must identify and address vulnerabilities associated with these systems, such as cyber attacks, as well as identify limitations of automation.

“Coupled with staffing shortages, now more than ever, commercial real estate owners are relying upon the expertise of their broker and carrier partners in assessing their evolving exposure to risk across digital platforms and physical real estate,” Freeland said.

“As the landscape evolves from physical management to automation, commercial real estate owners must adapt how they assess and address risk and exposure.”

In addition, hybrid and remote work arrangements mean cyber security risk is top of mind for many companies. Gabriel Bassett, director cyber risk engineering, at Liberty Mutual Insurance, said that often times cyber insurers and brokers talk about the increased system vulnerability presented by employees using company laptops and accessing company networks without direct oversight.

“Often large organizations created their security programs with a ‘walled city’ mentality,” Bassett said. “Things within the organization perimeter can be trusted and those outside cannot. Hybrid work evolves the status quo to one in which the perimeter is at the employee laptop and at the data center — whether on premise or in the cloud.”

Bassett said this separation creates additional challenges. Services that work fine between computers in the same building may no longer have the bandwidth need, for example for security updates.

Additionally, monitoring for malicious activity can no longer simply happen at the perimeter, it must happen both on the network
and on every computer.

“The good news is that many companies already have the tools to address the new reality of hybrid work,” Bassett said.

Those companies that have undergone a digital transformation are well positioned to support their employees wherever they are, by migrating from supplying the service directly to managing the services supplied by their IT vendors.

For example, instead of sending patches that fix known software issues to employee laptops from a computer at the company, many companies are centrally configuring how employee laptops retrieve software updates directly from the vendor.

As Bassett explained, companies who have made the digital transformation also invest in monitoring at all layers of the
architecture. That way they are aware of the status of their IT estate, no matter where it extends.

“And no technology is effective without culture,” Bassett said.

“Organizations must invest in their security culture, leading by example and establishing accountability at all levels for doing
the secure thing, even when it may not be the easiest thing.”

Beth Waller, a principal and chair of the cybersecurity and data privacy practice at Woods Rogers Vandeventer Black in Virginia, said the risks associated with the use of company devices within a hybrid or remote working environment stem from potentially dangerous connections, which can leave company data and equipment vulnerable.

A common example is a hotel or a coffee shop where a bad actor sets up a public WiFi hotspot. Logging onto the fictitious WiFi connection, an unsuspecting employee exposes all information shared on the network to theft and the device to potential
compromise.

“More companies also are looking to leverage AI technologies to enhance efficiency, and cyber threat actors are following suit,”
Waller said. “The proliferation of AI is creating an opportunity for threat actors to leverage video and audio manipulation to create ‘deep fake’ tactics to fool employees into, for example, wiring funds to threat actors’ owned bank accounts. As technology continues to advance, so does the need to stay on top of new and evolving risks.”

Embracing New Strategies

Terri Lewis, chief human resources officer at One Call said that some additional inherent risks or problems that can arise from remote workers using company laptops and accessing company networks without direct oversight
include:

• Phishing: Remote workers may be more susceptible to phishing emails that impersonate legitimate sources and trick them into clicking malicious links, opening infected attachments, or divulging sensitive information.
• Unencrypted File Sharing: Remote workers may share files or documents with their colleagues or clients through unencrypted channels, such as email or cloud services, exposing them to interception or theft by cyber criminals.
• Home WiFi: Remote workers connect to their company networks through their home WiFi, which may not have adequate security measures, allowing hackers to intercept or disrupt their network traffic while reducing the company’s ability to monitor and protect their internet activity.

“Companies need to enhance remote employee security,” Lewis said. “Companies understand the risks associated with insecure home networks. They have implemented additional security controls to mitigate those risks. This includes robust authentication, secure VPNs, and regular security awareness training.”

She also suggested that companies invest in robust endpoint security solutions for end-user devices. These solutions protect against malware, phishing, and unauthorized access. And ensure all devices have up-to-date software and security patches.

“Ongoing training educates employees about cybersecurity best practices,” Lewis said.

“As hybrid work relies heavily on cloud services, companies should enhance cloud security by implementing strong identity and access management (IAM) practices to control access to cloud resources: encrypt data stored in the cloud to prevent unauthorized access; and required multi-factor authentication (MFA)for accessing cloud accounts.”

Continuous Evolution

Ransomware attacks are on the rise after decreasing in 2022 and early 2023.

As Bassett explains, attackers have demonstrated the ability to deploy supply chain attacks and to monetize the access they gain.

“Large vendors have begun to establish good Third Party Risk Management (TPRM),” Bassett said. “However, such programs are
expensive, both for the company and its vendors. TPRM must become more affordable so that it can include small vendors and fourth- and fifth-party vendors.”

In addition, threat actors are just starting to explore how AI can be attacked and how it can be used in attacks.

So with talent retention and work-life balance top of mind for so many, do the opportunities in hybrid work arrangements outweigh the risks? In Lewis’ opinion, yes they do.

“I believe organizations who can allow people to work remotely will lose out on high level talent if they do not allow the flexibility people seek. People understand they have to come to an office if their role cannot be done remotely,” Lewis said.

“Additionally, studies have shown that remote workers can be more productive due to fewer distractions and a more comfortable work environment. Overall, the risks and opportunities associated with the hybrid work environment will continue to evolve as technology advances and businesses continue to adapt to changing dynamics.

“Companies that effectively navigate these challenges and leverage the opportunities presented will be better positioned for success in the future,” Lewis said. &