Hybrid work security in 2026: the real attack surface

By Greg Markowski / Jul 8, 2023 / Cybersecurity & Compliance

Most Australian SMBs are running hybrid work security models built for 2020. Office firewall, VPN for remote staff, MFA on Microsoft 365, anti-virus on the laptops. That stack worked when remote work was the exception and the perimeter was a physical office. In 2026, the perimeter is gone, and the businesses still defending the old one are losing.

The honest reality is that the threat surface for hybrid and remote work has shifted three times in the last six years, and most defensive postures have shifted once. The gap between current threat reality and current defence reality is the largest it has been since the pandemic forced everyone home. Let us walk through what actually changed and what hybrid work security needs to look like now.

What changed since the pandemic-era playbook

The 2020 hybrid work conversation centred on getting people working from home reliably. The security work was incremental, adding MFA to the existing stack, deploying remote access VPN, ensuring laptops were patched. The threat model was assumed to be roughly the same as office work, just delivered over the internet.

Three things have invalidated that assumption.

The first is that attackers shifted from network-based attacks to identity-based attacks. The 2020 threat model assumed an attacker would try to break into the network. The 2026 reality is that attackers steal credentials, bypass MFA through techniques such as adversary-in-the-middle phishing, push fatigue and authentication-method downgrade, and walk in through the front door. Network defences are increasingly irrelevant because the attack does not cross the network in the way old detection rules assume.

The second is that work moved from corporate-managed devices to a mix of corporate, personal, and contractor devices. BYOD is no longer the exception. Contractors with their own laptops are no longer the exception. Mobile devices accessing corporate data are no longer the exception. The 2020 model assumed the endpoint was managed. The 2026 reality is that 30 to 50 per cent of the devices touching your data are not.

The third is that the application surface migrated from on-premises to SaaS. Business data lives in Microsoft 365, Salesforce, Xero, ConnectWise, HubSpot, and 80 other SaaS tools. Defending the corporate network does not defend any of those. The attack does not need to be inside your network because the data is not in your network.

The cumulative effect is that the 2020 hybrid work security playbook is now defending the wrong perimeter against the wrong threats with the wrong tools. The right defences exist, but the migration from old to new is incomplete in most Australian SMBs.

The actual attack surface in 2026

For an Australian SMB running hybrid work in 2026, the realistic attack surface breaks down into five zones.

Identity is the primary battleground. Microsoft Entra ID accounts, Google Workspace accounts, third-party SaaS logins. Every credential is a potential entry point. The Proofpoint FIDO downgrade attack we covered in our MFA fallback piece is one example. Adversary-in-the-middle phishing kits like Evilginx and Tycoon 2FA are another. MFA fatigue attacks remain prevalent. The identity layer is where most breaches start.

Endpoints are still important but secondary. Compromised endpoints lead to credential theft, lateral movement, and data exfiltration, but they are typically post-exploitation rather than initial access. EDR and XDR cover this layer reasonably well, as we covered in our EDR vs XDR vs MDR piece. The challenge is coverage across the broader device population including BYOD.

SaaS applications hold the data. Once an attacker has identity access, they have data access. The defensive layer here is application-level controls, Conditional Access policies, sensitivity labels, data loss prevention. Most Australian SMBs have weak controls at this layer because the SaaS portfolio is unmanaged, as we covered in our SaaS sprawl piece.

Home networks add a real but bounded risk. Compromised home routers, IoT devices on the same network as work laptops, unsecured Wi-Fi. The exposure exists but is rarely the primary attack path. Tightening this is good practice but it is not the highest-impact investment in most SMB environments.

Personal mobile devices accessing corporate data are increasingly material. Email, Teams, SharePoint accessed from personal phones with no MDM, no app-level controls, and household members occasionally borrowing the device. The exposure compounds because mobile sees everything (calendar, contacts, recent communications) without the visibility controls applied to corporate devices.

What modern hybrid work security looks like

The defensive posture that actually addresses the 2026 threat model is built on six elements.

  1. Phishing-resistant MFA with fallbacks removed. FIDO2 security keys or Windows Hello for Business for privileged accounts, no SMS or app push fallback. For standard accounts, phishing-resistant MFA where compatible, with a tightly governed temporary access pass policy for edge cases. This is the single highest-impact security investment for hybrid work in 2026.
  2. Conditional Access policies that enforce device compliance. Access to corporate data requires a device that is enrolled in Intune (or equivalent) and meets defined compliance criteria. Patch level, encryption, secure boot, no high-severity vulnerabilities. Devices that fail compliance lose access until they are remediated. This closes the BYOD and personal device gap structurally.
  3. Identity protection and risky sign-in detection. Entra ID Identity Protection or equivalent, configured to detect impossible travel, anomalous sign-in locations, suspicious user agents, and credential leaks. Risky sign-ins require additional verification or are blocked entirely. This catches the credential theft attacks before they translate into data access.
  4. SaaS application controls with SSO and DLP. All sanctioned SaaS tools integrated through SSO into Entra ID or equivalent. Data loss prevention policies that prevent sensitive data leaving sanctioned channels. Cloud Access Security Broker (CASB) capability for visibility into SaaS usage patterns and shadow IT.
  5. Endpoint detection across all corporate devices. EDR or XDR on every device that touches corporate data. The coverage gap is usually mobile devices and BYOD laptops, and that gap is closeable through mobile threat defence solutions and managed BYOD programs respectively.
  6. User awareness focused on the right risks. Phishing training is still important but its return is diminishing as attacks bypass training entirely. The higher-impact awareness work in 2026 is around AI prompt injection, OAuth consent attacks, voice cloning, and the social engineering paths that target IT and finance teams directly. Train for what attackers are actually doing.
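Element 3 above describes risky sign-in detection in terms of outcomes. The following is an added illustration, not code from Epic IT or from Microsoft, of the simplest of those detections, impossible travel: for each user, consecutive sign-ins are compared by great-circle distance and elapsed time, and a pair whose implied speed could not be achieved by a commercial flight is flagged. The sign-in events, coordinates and the 1,000 km/h threshold are constructed for the example; a real deployment would take the location from the identity provider's sign-in log and tune the threshold to its own false-positive tolerance.

```python
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect_impossible_travel(events, max_kmh=1000.0, min_km=100.0):
    """Flag consecutive sign-ins per user whose implied travel speed exceeds max_kmh.

    events: dicts with user, ts (ISO 8601 with offset), city, lat, lon.
    Pairs closer than min_km are ignored so GeoIP jitter inside one city
    does not trigger a finding. Two distant sign-ins at the same instant
    are treated as infinite speed and flagged.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_km:
                continue
            elapsed = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = elapsed.total_seconds() / 3600.0
            kmh = km / hours if hours > 0 else math.inf
            if kmh > max_kmh:
                findings.append({
                    "user": user, "from": prev["city"], "to": cur["city"],
                    "km": round(km), "hours": round(hours, 2), "kmh": round(kmh),
                })
    return findings


# Constructed sample sign-in events (not real log data). Coordinates are
# approximate city centres; timestamps are UTC.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2026-03-02T09:00:00+00:00", "city": "Perth", "lat": -31.95, "lon": 115.86},
    {"user": "alice", "ts": "2026-03-02T09:40:00+00:00", "city": "Frankfurt", "lat": 50.11, "lon": 8.68},
    {"user": "bob", "ts": "2026-03-02T09:00:00+00:00", "city": "Perth", "lat": -31.95, "lon": 115.86},
    {"user": "bob", "ts": "2026-03-02T14:00:00+00:00", "city": "Sydney", "lat": -33.87, "lon": 151.21},
    {"user": "carol", "ts": "2026-03-02T09:00:00+00:00", "city": "Perth", "lat": -31.95, "lon": 115.86},
    {"user": "carol", "ts": "2026-03-02T09:00:00+00:00", "city": "Perth", "lat": -31.96, "lon": 115.87},
]


if __name__ == "__main__":
    for f in detect_impossible_travel(SAMPLE_EVENTS):
        print(f"{f['user']}: {f['from']} -> {f['to']} {f['km']} km in {f['hours']} h (~{f['kmh']} km/h)")
```

Bob's Perth to Sydney sign-in five hours apart implies roughly 660 km/h, a normal flight, and is not flagged; Alice's Perth to Frankfurt sign-in forty minutes apart is. In a Conditional Access deployment this kind of finding raises the sign-in risk level, which the policy engine then turns into a step-up or a block.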

The home network conversation

The 2020 advice around home networks was overstated, and the correction is overdue. The reality for most Australian SMBs is that home network compromise is a possible attack path but not the primary one. Most attackers do not need to compromise the home router because they can compromise the user’s identity directly.

The right home network advice for hybrid workers is the baseline that any household should follow regardless of work context. WPA3 or WPA2 with a strong password. Router firmware updated. Default admin credentials changed. Guest network for IoT devices and visitors. These are sensible hygiene measures, but they should not be the centrepiece of corporate hybrid work security.

The corporate investment in home network security should focus on assumed-hostile network handling. The corporate device should work safely on any network, including a hostile one. Always-on VPN if traffic needs to cross corporate boundaries. Otherwise, direct SSO with phishing-resistant MFA, no reliance on network controls to provide security. This is the posture that makes home network security less critical because it does not depend on the network being trustworthy.

The BYOD reality most businesses are avoiding

Most Australian SMBs have BYOD policies that look effective on paper but that nobody enforces in practice. The reality is that staff use personal phones for corporate email, personal tablets for documents during travel, and family laptops when their corporate device is unavailable. The official policy says this is not allowed. The unofficial reality is that it happens constantly.

The right answer depends on the business. Three patterns work.

The first is strict corporate-only device access. Personal devices cannot access corporate data under any circumstances. The policy is enforceable through Conditional Access blocking non-compliant devices. This works for businesses with the budget to provide corporate devices to everyone who needs access, including contractors and casual staff. The cost is real but the security posture is clean.

The second is managed BYOD with explicit boundaries. Personal devices can access defined corporate resources through managed applications (Outlook mobile, Teams mobile, OneDrive mobile) with app-level data protection. The device itself is not enrolled but the applications are managed. This works for most Australian SMBs and is the realistic compromise between cost and control.

The third is fully open access with strong identity and data controls. Personal devices can access anything the user can access, but Conditional Access enforces phishing-resistant MFA, session controls, and data loss prevention. This works only for businesses with mature identity controls and an appetite for the residual risk.

The pattern that does not work is the “no BYOD” policy with no enforcement. Staff use personal devices anyway, IT looks the other way, and the security posture is exactly the same as fully open access without any of the actual controls. This is the most common pattern in Australian SMBs and it is the most expensive when something goes wrong.

What we recommend

For Australian SMBs still running the 2020 hybrid work playbook, the modernisation is overdue. Six to nine months of focused work brings the security posture in line with the actual threat environment, starting with phishing-resistant MFA and Conditional Access.

For businesses with material BYOD usage, the policy reality check should come first. Decide which of the three patterns above fits the business and implement it consistently. The “no BYOD policy with no enforcement” is the worst of all worlds.

For businesses preparing for ISO 27001, SMB1001, or Essential Eight ML2 audits, the hybrid work controls will be scrutinised. The auditor will ask about Conditional Access, device compliance, and identity protection. Better to have these in place than to be building them under audit pressure.

For businesses with cyber insurance renewals coming up, the underwriting questionnaire will include hybrid work security. Phishing-resistant MFA, device compliance, and SaaS visibility are increasingly material to premium and excess. The gap between current state and underwriter expectation has widened materially in the last 18 months.

Frequently asked questions

What is the biggest hybrid work security risk in 2026?
Identity-based attacks targeting Microsoft 365 and SaaS credentials. Adversary-in-the-middle phishing kits, MFA fatigue attacks, OAuth consent attacks, and the recent FIDO downgrade attack against Microsoft Entra ID. The attack does not cross the network in any meaningful way because the data is in the cloud. Network defences are increasingly irrelevant. Identity defences are paramount.

Is VPN still necessary for hybrid work?
Conditionally. VPN remains useful for accessing on-premises resources, legacy applications, and as a network-layer defence on hostile public Wi-Fi. It is not the primary security mechanism for hybrid work in 2026 because most corporate data is in SaaS applications that VPN does not protect. The trend is towards zero-trust network access that replaces VPN with identity-aware access policies on a per-application basis. For most Australian SMBs, VPN remains in place for legacy access while modern access patterns are built alongside it.

How do we secure personal devices accessing corporate data?
Three viable patterns. Strict corporate-only device access where personal devices cannot reach corporate data at all. Managed BYOD with app-level controls where managed Outlook, Teams, and OneDrive apps are allowed on personal devices but the device itself is not enrolled. Or fully open access with strong identity controls including phishing-resistant MFA, Conditional Access, and data loss prevention. The right choice depends on cost tolerance, security maturity, and the realistic usage patterns of your staff.

What is Conditional Access and why does it matter?
Conditional Access is a policy engine in Microsoft Entra ID (and equivalents in Google Workspace, Okta, and others) that evaluates the context of each sign-in attempt and applies controls accordingly. Sign-in from a managed compliant device on a known location with a trusted user gets through with low friction. Sign-in from an unmanaged device, unusual location, or risky pattern requires additional verification or is blocked. This is the foundational technology for modern hybrid work security and it is included in Microsoft 365 Business Premium and higher SKUs.

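To make the evaluation described in that answer concrete, here is an added example, written for this article and not code from Epic IT or Microsoft, of a small policy engine in the Conditional Access style. Each policy has conditions (which roles and which risk levels it applies to) and one grant control; every policy matching a sign-in contributes its control, a block always wins, an unmet device-compliance requirement is a block because it cannot be satisfied inside the session, and an unmet MFA requirement is a step-up. The policy set mirrors elements 1 to 3 of the posture above; the role names, strength ordering and sample sign-ins are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Assumed ordering of authentication strengths; a stronger method satisfies
# a weaker requirement.
AUTH_STRENGTH = {"password": 0, "push_mfa": 1, "phishing_resistant": 2}


@dataclass(frozen=True)
class SignIn:
    user: str
    role: str               # "privileged" or "standard" (assumed labels)
    device_compliant: bool  # enrolled and meeting the compliance criteria
    auth_strength: str      # key of AUTH_STRENGTH
    risk_level: str         # "none", "low", "medium" or "high"


@dataclass(frozen=True)
class Policy:
    name: str
    grant: str  # block | require_mfa | require_phishing_resistant_mfa | require_compliant_device
    roles: Optional[FrozenSet[str]] = None        # None = all users
    risk_levels: Optional[FrozenSet[str]] = None  # None = any risk level

    def applies_to(self, s: SignIn) -> bool:
        if self.roles is not None and s.role not in self.roles:
            return False
        if self.risk_levels is not None and s.risk_level not in self.risk_levels:
            return False
        return True


@dataclass(frozen=True)
class Decision:
    outcome: str          # "allow", "step_up" or "block"
    unmet: Tuple[str, ...]  # policies whose grant control the sign-in does not satisfy


def evaluate(s: SignIn, policies: List[Policy]) -> Decision:
    """Apply every matching policy; block dominates, then step-up, then allow."""
    unmet, blocked = [], False
    for p in policies:
        if not p.applies_to(s):
            continue
        if p.grant == "block":
            blocked = True
            unmet.append(p.name)
        elif p.grant == "require_mfa":
            if AUTH_STRENGTH[s.auth_strength] < AUTH_STRENGTH["push_mfa"]:
                unmet.append(p.name)
        elif p.grant == "require_phishing_resistant_mfa":
            if AUTH_STRENGTH[s.auth_strength] < AUTH_STRENGTH["phishing_resistant"]:
                unmet.append(p.name)
        elif p.grant == "require_compliant_device":
            if not s.device_compliant:
                blocked = True  # the device must be remediated; no in-session fix
                unmet.append(p.name)
        else:
            raise ValueError(f"unknown grant control: {p.grant}")
    if blocked:
        return Decision("block", tuple(unmet))
    if unmet:
        return Decision("step_up", tuple(unmet))
    return Decision("allow", ())


# Baseline policy set modelled on elements 1 to 3 of the article (assumed names).
BASELINE: List[Policy] = [
    Policy("Privileged: phishing-resistant MFA", "require_phishing_resistant_mfa",
           roles=frozenset({"privileged"})),
    Policy("All users: MFA", "require_mfa"),
    Policy("All users: compliant device", "require_compliant_device"),
    Policy("High risk: block", "block", risk_levels=frozenset({"high"})),
    Policy("Medium risk: phishing-resistant MFA", "require_phishing_resistant_mfa",
           risk_levels=frozenset({"medium"})),
]

# Constructed sample sign-ins, not real tenant data.
SAMPLES = [
    SignIn("admin", "privileged", True, "push_mfa", "none"),
    SignIn("alice", "standard", False, "phishing_resistant", "none"),
    SignIn("bob", "standard", True, "push_mfa", "none"),
    SignIn("bob", "standard", True, "phishing_resistant", "high"),
    SignIn("dave", "standard", True, "password", "medium"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        d = evaluate(s, BASELINE)
        print(f"{s.user:6} {d.outcome:8} {', '.join(d.unmet) or '-'}")
    # With no enforced policies every sign-in is allowed, which is the
    # "policy on paper" posture the article warns about.
    print("no policies:", evaluate(SAMPLES[1], []).outcome)
```

Running `evaluate(sign_in, [])` shows the "no BYOD policy with no enforcement" pattern from the BYOD section in one line: without policies every sign-in, including the unmanaged personal device with no MFA, is allowed.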
Does my home Wi-Fi need to be enterprise-grade for hybrid work?
No. The honest answer is that home network security is overrated relative to identity and endpoint security. Standard WPA3 or WPA2 with a strong password, updated router firmware, and changed default admin credentials are sufficient for the home side. The corporate investment should focus on making the corporate device safe to use on any network, including hostile ones, rather than trying to control every home network in the fleet.

What about contractors and casual staff?
Contractors and casual staff are typically the weakest link in hybrid work security because they often use personal devices, work outside corporate processes, and turn over frequently. The realistic options are to provide them with corporate devices (best security, real cost), to restrict their access to defined application surfaces with managed BYOD controls (workable balance), or to accept that this category will retain elevated risk and focus mitigations elsewhere. Pretending the policy applies to contractors when it does not is the worst of the options.

Want us to review your hybrid work security posture?

We run focused hybrid work security assessments for Australian SMBs. Identity controls, Conditional Access, BYOD posture, SaaS coverage. Three-week engagement, written report against modern threat reality, prioritised remediation plan.

Book a free hybrid work security review

About the Author
Written by Greg Markowski, Founding Director of Epic IT, a CRN Fast50-recognised Microsoft Solutions Partner managing IT and cybersecurity for Perth businesses since 2003. Greg holds a Degree in Computer Science and a Diploma in Computer Systems Engineering from Edith Cowan University, and is ITIL certified.
