Abstract

The COVID-19 pandemic drastically altered traditional work environments, accelerating remote work adoption and exposing new cybersecurity vulnerabilities. This article analyzes the evolving threat landscape in both Work From Office (WFO) and Work from Home (WFH) contexts, focusing on the surge in phishing, ransomware, insider threats and attacks exploiting unsecured home networks and remote access protocols. To address these risks, organizations must move toward adaptive security frameworks such as Zero Trust Architecture, which assumes no implicit trust within or outside the network and enforces strict access controls. Additionally, the article explores the relevance of the updated NIS2 Directive, which expands regulatory scope and introduces stricter cybersecurity obligations across critical sectors in the European Union (EU). Together, Zero Trust and NIS2 serve as foundational pillars for securing hybrid work models and enhancing organizational resilience in the face of modern cyber threats.

Keywords

Cybersecurity, Zero Trust Architecture, NIS2, Identity and Access Management, Cloud Security, Risk Mitigation, “Never Trust, Always Verify”

Share and Cite:

1. Introduction

The COVID-19 pandemic marked a turning point in the way organizations operate, accelerating a global shift from traditional on-site work environments to remote and hybrid models. Prior to 2020, the majority of employees carried out their activities within the physical perimeter of company offices, where security policies and infrastructures were centralized and strictly controlled [1]. However, the pandemic forced a sudden and large-scale adoption of work-from-home (WFH) practices, exposing numerous vulnerabilities in both technological infrastructure and user behavior [2].

As hybrid work becomes the new standard, cybersecurity threats have evolved in complexity and frequency. The traditional notion of a secure network perimeter is no longer sufficient in an environment where devices, users and data are distributed across diverse and often uncontrolled locations [3]. In this new paradigm, the user’s identity has emerged as the primary security boundary, demanding new approaches to authentication, access control and threat mitigation [4].

According to Ahmad [5], cybercriminals are exploiting popular terms (example: COVID-19) in file names to deceive users into opening malicious files. For instance, a file named Eeskiri-COVID-19.chm (“eeskiri” meaning “rule” in Estonian) appears to be a helpful resource but is a keylogger. Once opened, it collects login credentials and sends the data to maildrive [.] icu. Using trending events in cyberattacks is a common tactic among threat actors, who often capitalize on timely news, holidays or celebrities in social engineering schemes. In the hurry to find helpful information, people may unwittingly expose sensitive data. In times of uncertainty, it’s especially important to take a step back and think about who you can trust online.

Kotak et al. [6] provided key taxonomies and shared findings from a detailed risk analysis, highlighting threats, their impacts and mitigation strategies. The analysis uncovered various risks to corporate networks, especially from new attack vectors in remote work setups. Companies must assess remote work policies, limit access privileges, implement proper security tools and set clear risk-mitigation guidelines. Taxonomies should be regularly updated as threats evolve and risk scores will vary by organization based on preparedness, industry risk and employee roles.

WFH presents security issues such as: network security (WFH increases data risk without a secure network) [7], phishing and social engineering (the attackers trick users into sharing private data, causing data breaches) [8], password management (passwords should be complex and unique to each account to prevent unauthorized access) [9], endpoint security (update antivirus and firewall software on endpoints to protect against malware attacks.) [10], data protection (encrypt sensitive data, back it up regularly and use cloud storage and backup) [11] and video conferencing security (ensure secure, password-protected video meetings due to increased usage) [12].

Hui et al. [13] found that implementing international regulations, such as the Code of Conduct (COC), reduced the number of distributed denial of service (DDoS) attacks in enforcing countries by at least 11.8%. Many countries do not participate in international treaties for various reasons, including differing laws and the potential for discordance among international and domestic regulations. Campbell et al. [14] studied how security breach announcements affect market value. They found that a breach of confidential information reduced a company’s market value by 5%, whereas a breach of non-confidential information had a different impact. Gordon et al. [15] found that economic incentives encourage healthcare and financial organizations to implement information security controls like e Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley (GLB) Act.

Regulatory frameworks such as NIS2 Directive (EU 2022/2555) and architectural models like the Zero Trust Architecture (ZTA) are becoming essential for organizations aiming to maintain resilience, compliance and business continuity in a distributed work context [16]. Before implementing ZTA, organizations must assess risks to understand security, identify vulnerabilities and assess risks to critical systems. This helps ensure ZTA is applied effectively and focused on the areas of most concern [17].

Adopting ZTA is a cultural shift that requires continuous education and awareness. All employees must understand the principles of Zero Trust (ZT) and their role in protecting the organization from cyber threats and related attacks. Organizations should invest in regular, up-to-date cybersecurity training programs for employees [18]. These programs should cover ZTA principles such as the importance of identity verification, multi-factor authentication (MFA) and the concept of least privilege access. Training should also include recognizing and responding to cyber threats [19].

On July 6, 2016, the European Union (EU) adopted the Network and Information Systems (NIS) Directive to establish a unified cybersecurity policy. Recognizing the global and societal impact of cyberattacks, the directive aimed to provide a foundation for achieving a common cybersecurity level across the EU, considering the cross-border nature of cybersecurity [20]. However, its adoption exposed gaps in achieving consistent cybersecurity across member states. The updated NIS2 Directive broadens its scope, adds stricter requirements and emphasizes risk management, aligning with global cybersecurity standards and best practices [21].

This paper aims to provide:

1) A comparative analysis of the threats and vulnerabilities associated with Work from Office (WFO) and Work from Home (WFH), focusing on three distinct phases: before, during and after the COVID-19 pandemic.

2) It examines the evolution of cybersecurity strategies related to infrastructure security, identity protection and the implementation of modern security standards such as Zero Trust and NIS2.

This research is structured as follow: Section 2 represents the Methodology, Section 3 describes How Work Has Evolved: Before, During & After the COVID-19, Section 4 presents the Threats and Vulnerabilities for WFO and WFH, Section 5 presents Company Perimeter Security & User Identity Security, Section 6 describes ZTA, Section 7 describes NIS2 Directive, Section 8 represents the Discussions and Section 9 represents the Conclusions.

2. Methodology

To ensure the inclusion of the most reliable evidence and the identification of all relevant studies, we adopted a systematic approach throughout our research. This process involved implementing a comprehensive search strategy, carefully conducted in alignment with the literature search guidelines specified in reference [22] and the Preferred Reporting Items for Systematic Reviews (PRISMA) recommendations outlined in reference [23].

A ScienceDirect database search was used to identify relevant scientific literature. The search was limited to English-language publications and there were no restrictions on their geographical distribution between 2015 and 2024 to ensure data relevance and accuracy. The search query was performed using specific keywords in the title, abstract and keywords fields of the documents.

Figure 1. The number of published articles based on keyword “cybersecurity”.

Figure 1 illustrates the trend in the number of published articles over the past ten years related to the keyword “cybersecurity” within the ScienceDirect database. The number of academic publications referencing the keyword “cybersecurity” has shown a steady and substantial increase over the past decade. In 2015, there were only 241 publications, but this number has risen significantly each year, reaching 4680 publications in 2024, representing an approximate 19-fold increase over the ten-year period. Between 2015 and 2019, the growth was gradual, with the number of publications rising from 241 to 941, indicating growing academic interest in the topic. A more pronounced acceleration is observed starting in 2020, likely influenced by the global digital transformation triggered by the COVID-19 pandemic and the rise of remote work, which brought cybersecurity to the forefront of both research and practice. The number of publications increased sharply from 1520 in 2020 to 2057 in 2021 and continued to rise in the following years, reaching 2915 in 2023. The most significant spike occurs in 2024, with 4680 publications, suggesting an ongoing intensification of research activity in this field, possibly driven by the increasing complexity of cyber threats, the integration of AI in cybersecurity and regulatory pressures across industries.

Figure 2 illustrates the evolution of publications for the keywords “work from home” and “work from office” in the last 10 years. The comparative analysis of publication trends reveals a significant shift in academic interest toward the concept of "work from home", particularly beginning in 2020. From 2015 to 2019, the number of publications using the keyword “work from home” remained low and relatively stable, ranging from 4 to 9 publications annually, reflecting limited scholarly focus on remote work during that time. In contrast, the “work from office” keyword maintained a similarly low profile, fluctuating modestly between 4 and 12 publications per year. However, a sharp increase in publications related to “work from home” is observed starting in 2020, coinciding with the onset of the COVID-19 pandemic. Publications jumped from 9 in 2019 to 36 in 2020 and continued to surge in subsequent years, peaking at 175 in 2023, before slightly declining to 154 in 2024. This dramatic growth reflects the global transition to remote work and the corresponding surge in interest surrounding its implications for productivity, cybersecurity, mental health and workplace culture. Conversely, academic output related to “work from office” remained relatively stagnant during the same period, with slight fluctuations but no significant increase. Notably, post-2020, publications on “work from office” did not experience a resurgence despite the gradual return to physical workplaces, suggesting a sustained shift in research focus toward remote or hybrid work models.

Figure 2. Number of publications for keywords “work from home” and “work from office”.

Figure 3 presents the evolution of the publications for keywords “Zero Trust Architecture”. The academic interest in ZTA has demonstrated a steady and persistent presence over the past decade, with fluctuations that reflect both evolving cybersecurity paradigms and contextual drivers such as organizational digital transformation and increased cyber threat exposure. From 2015 to 2019, the number of publications remained relatively stable, fluctuating between 165 and 210 articles per year. This indicates early recognition of ZTA concepts, although the research community had not yet broadly expanded its investigation during this phase. A notable shift begins in the post-2020 period. While 2020 saw a slight dip to 176 publications, subsequent years display a clear upward trajectory: 233 in 2021, 192 in 2022, 265 in 2023 and reaching a peak of 316 in 2024. This growing interest corresponds with heightened cybersecurity concerns triggered by increased remote work, the decentralization of IT environments and the expansion of cloud-based infrastructures, conditions that underscore the limitations of traditional perimeter-based security models and emphasize the relevance of ZTA. The sharp increase in 2023 and 2024 suggests that ZTA has transitioned from a niche or emerging topic to a mainstream framework within cybersecurity research. It reflects not only the maturing of the concept but also its growing adoption across sectors seeking robust security architectures resilient to insider threats, supply chain risks and sophisticated external attacks.

Figure 3. Number of publications for keywords “Zero Trust Architecture”.

In addition to the bibliometric analysis, a thematic synthesis was employed to enhance the analytical rigor and support the systematic nature of this review. Following the identification of relevant literature, a qualitative assessment was conducted to extract and categorize recurring themes and focal areas within the body of work. Core topics such as ZTA and the NIS2 Directive were selected based on their frequency of appearance, relevance to contemporary cybersecurity discourse, and their citation in high-impact publications. A manual coding process facilitated the identification of thematic patterns related to regulatory evolution, architectural transformations in cybersecurity, and organizational responses to the rise of remote and hybrid work environments. This integrative approach enabled the derivation of meaningful insights that extend beyond publication trends, thereby reinforcing the methodological robustness of the review.

3. How Work Has Evolved: Before, during & after COVID-19

Prior to 2020, the dominant model of professional activity was grounded in the physical presence of employees within organizational offices. This traditional work-from-office (WFO) approach allowed for centralized IT infrastructure, direct oversight of employees and strict control over access to resources. Security models were primarily based on perimeter defense, relying heavily on firewalls, internal network segmentation and physical access control [24]. Remote work was rare and often reserved for exceptional roles or senior staff and VPN access was highly restricted and tightly monitored.

Organizations before COVID-19 placed a significant emphasis on physical network security and endpoint protection within corporate environments. However, this perimeter-centric security model often failed to account for insider threats and lacked agility in adapting to mobile or cloud-based ecosystems [25].

The onset of the COVID-19 pandemic in early 2020 forced a massive and sudden transition to remote work on a global scale. Organizations had to rapidly reconfigure IT infrastructures to accommodate work-from-home (WFH) arrangements, often without proper planning or the implementation of robust security protocols [2]. In many cases, remote access was granted through hastily deployed VPNs and personal devices were allowed for work use without adequate endpoint security or monitoring.

This abrupt shift exposed organizations to a wide range of cybersecurity vulnerabilities. According to reference [26], cybercrime reports increased by over 300% during the early months of the pandemic, largely due to phishing attacks, ransomware and exploitation of unpatched systems. Employees working from home became primary targets due to weaker network protections and lower security awareness. The decentralization of the workforce also strained traditional IT support models, making it difficult for organizations to enforce compliance, manage devices or monitor user activity effectively [27].

In the post-pandemic period, many organizations have adopted hybrid work models, allowing employees to alternate between working from home and from the office. While this approach offers increased flexibility and productivity, it also introduces long-term cybersecurity challenges that must be addressed with strategic planning and modern frameworks [1].

The hybrid era has accelerated the adoption of cloud-first strategies, identity-centric security and Zero Trust Architecture (ZTA) as organizations acknowledge the dissolution of traditional network perimeters [28]. Additionally, regulatory compliance requirements such as those outlined in the NIS2 Directive, mandate higher levels of resilience, incident reporting and risk management across both public and private sectors [16].

As work becomes more decentralized, the need for continuous authentication, dynamic access policies and secure user behavior monitoring has become paramount. The security paradigm has shifted toward protecting data, users and devices, regardless of location, through real-time threat detection, micro-segmentation and least privilege access [3].

4. Threats and Vulnerabilities

As organizations adapt to flexible and hybrid work environments, the threat landscape has significantly evolved. Both WFO and WFH models present unique cybersecurity risks. This section compares the key threats and vulnerabilities inherent in each approach and highlights the underlying differences in security exposure and control.

4.1. Work from Office (WFO)

The traditional office environment allows centralized control of physical and digital assets. IT departments typically manage network infrastructure, deploy endpoint protection uniformly and restrict access to sensitive systems through internal firewalls and physical barriers [25]. Despite these advantages, WFO environments are not immune to cyber threats.

Key Threats and Vulnerabilities in WFO:

1) Insider Threats: Malicious or negligent insiders can exploit unrestricted internal access [29].

2) Phishing and Social Engineering: Email-based attacks targeting office employees remain prevalent and are often successful due to human error.

3) Lateral Movement: Once an attacker gains access to the internal network, poor segmentation allows easy movement between systems [30].

4) Removable Media Risks: USB devices and external storage used within the office can introduce malware into controlled environments [28].

5) Legacy Systems: Many on-premises environments rely on outdated systems that may lack security patches or modern authentication mechanisms [16].

While organizations benefit from physical security measures (example: key cards, surveillance), their dependency on perimeter-based security models makes them vulnerable when employees connect remotely or when boundaries are breached.

4.2. Work from Home (WFH)

The WFH model decentralizes control, shifting security responsibility partly to the end user. Employees connect through home networks and often use personal devices, increasing exposure to unmanaged risks [2].

Key Threats and Vulnerabilities in WFH:

1) Unsecured Networks: Home Wi-Fi networks often lack enterprise-grade encryption and firewall configurations.

2) Inadequate Endpoint Security: Personal devices may lack antivirus software, disk encryption or regular updates.

3) Credential Theft: Remote workers are more susceptible to phishing, credential stuffing and man-in-the-middle attacks [26].

4) Weak Authentication Mechanisms: Password reuse and lack of multi-factor authentication (MFA) significantly increase breach risk [4].

5) Shadow IT: Employees may use unauthorized applications (example: messaging, file sharing tools) to bypass slow VPNs or access limitations [31].

6) Data Leakage: Working in uncontrolled environments increases the risk of accidental data exposure, such as through family members or unsecured file transfers.

According to a report by European Network and Information Security Agency’s (ENISA) [16], organizations observed a sharp increase in attack vectors directly related to remote work conditions, particularly phishing campaigns exploiting pandemic-related themes and remote desktop protocol (RDP) attacks.

Hybrid work models demand a unified security strategy that addresses both environments while reducing reliance on traditional perimeter-based defenses [3]. This has led to a rise in identity-focused security models and Zero Trust adoption, explored in later sections. Table 1 presents a comparative summary of WFO and WFH.

Table 1. Comparative Summary—WFO vs WFH.

4.3. Cyber-Attacks for WFO and WFH

The COVID-19 pandemic caused a dramatic shift in work environments, accelerating remote work adoption and reshaping cybersecurity risks [32]. Both traditional office-based (WFO) and remote (WFH) setups experienced an increase in cyber-attacks as threat actors exploited uncertainty, reduced IT oversight and global fear. Table 2 highlights the cyber-attacks which could appear in WFH and WFO setups.

Table 2. Comparative table highlighting the cyber-attacks that could occur in WFH vs WFO setups.

The shift to remote work has significantly expanded the cyberattack surface, ex-posing organizations to heightened risks such as phishing, ransomware and unsecured home networks. Research indicates that the rapid and often unplanned transition to WFH environments introduced inconsistent security practices and increased employee susceptibility to social engineering and endpoint exploitation. To effectively mitigate these evolving threats, a multi-layered cybersecurity approach is essential: one that incorporates VPNs, MFA, endpoint protection and comprehensive user awareness training (Table 3).

Table 3. Threats for WFO and WFH.

5. Company Perimeter Security & User Identity Security

The shift from centralized office work to hybrid and remote models has fundamentally changed the cybersecurity landscape. Traditional approaches focused on securing the organization’s physical and network perimeter are no longer sufficient in a world where users, devices and applications operate from virtually anywhere. Consequently, organizations are transitioning from perimeter-based security to user identity–centric security, placing individual identity at the core of their security strategy.

5.1. Company Perimeter Security: Traditional Foundations and Emerging Challenges

Perimeter security is rooted in the assumption that threats originate from outside the organization’s internal network, while users and systems inside are inherently trusted. Security teams typically employ tools like firewalls, Virtual Private Networks (VPNs) and Intrusion Detection Systems (IDS) to enforce this model [24].

The main characteristics of perimeter-based security include:

1) Centralized access control based on IP address and location [43].

2) Physical safeguards (example: badge access, secured data centers) [44].

3) Static rules for firewall and traffic filtering [45].

4) Device-centric policies, often limited to corporate-owned endpoints [46].

While effective in physically contained environments, this model exhibits serious limitations in the context of cloud adoption, mobile work and third-party integrations. Once an attacker breaches the perimeter via phishing, malware or a compromised VPN, they often encounter minimal resistance moving laterally across internal systems [28].

The COVID-19 pandemic accelerated the obsolescence of perimeter-based models. With millions of users connecting from untrusted locations and devices, organizations quickly realized that traditional perimeter defenses could not be scaled to secure a highly distributed workforce [16].

5.2. User Identity Security: A Modern Paradigm

User identity security centers on who the user is, rather than where they are connecting from. It leverages authentication, authorization and continuous monitoring to ensure that only verified and permitted users gain access to sensitive resources.

Core components of identity-centric security include:

1) MFA for robust identity verification. MFA adds a second or third layer of verification such as: biometrics or app-based tokens, making it significantly harder for attackers to use stolen credentials [47].

2) Single Sign-On (SSO) to unify credentials across systems [48].

3) Identity and Access Management (IAM) for lifecycle control of user privileges [49]. IAM platforms enforce role-based access control (RBAC), least privilege principles and timely deprovisioning of unused accounts, especially crucial in managing employee onboarding or offboarding cycles [50].

4) Behavioral analytics to detect anomalies in user activity [51].

5) Context-aware access based on device health, location and risk score [52].

6) User Behavior Analytics (UBA) systems detect anomalies in access patterns, such as impossible travel scenarios or sudden access to sensitive systems. These alerts can trigger automatic access restrictions or escalation [53].

Unlike perimeter security, which assumes a binary trusted or untrusted model, identity-based security implements granular and dynamic access controls. Access decisions are made based on real-time evaluation of user context, trust level and resource sensitivity [3].

This model is particularly effective for hybrid and remote work scenarios, where users authenticate from diverse networks, devices and geographic regions. It aligns with modern security principles such as Zero Trust, which mandates continuous verification and least privilege access.

Threat actors have increasingly shifted focus from exploiting infrastructure vulnerabilities to targeting users directly. Phishing, credential stuffing, social engineering and session hijacking are among the most common tactics used to compromise identity. According to Proofpoint [54], more than 80% of reported breaches in the past year involved compromised credentials, highlighting the pivotal role of identity security.

Unlike earlier times when security focused on securing devices or networks, today’s attacks target authentication flows, token reuse and improperly configured Single Sign-On (SSO) systems [4]. Attackers leverage legitimate credentials to bypass traditional perimeter defenses, operate under assumed privileges and move laterally within networks undetected. Despite technological advances, human behavior remains one of the weakest links in cybersecurity. Social engineering attacks thrive on user naivety, urgency or emotional manipulation. As such, continuous user education and security awareness training are fundamental components of any identity protection strategy [30]. Effective training programs should focus on:

1) Recognizing phishing and spear-phishing attempts.

2) Safe use of personal devices and public Wi-Fi.

3) Credential management and password hygiene [55].

4) Reporting suspicious emails or access attempts.

Identity in the Context of Zero Trust and NIS2 Identity security is also a foundational element of the ZTA, as defined by NIS2 [28]. ZTA principles dictate that:

1) No user or system is inherently trusted.

2) Access is continually reassessed based on risk and context.

3) Strong identity verification is required at every access point.

The NIS2 Directive from the European Union further reinforces the importance of identity-centric controls. Article 21 of the directive emphasizes access control, identity management and the use of MFA as critical cybersecurity risk management measures for essential and important entities (Table 4) [16].

Table 4. Comparative overview—perimeter security vs identity security.

As organizations adopt cloud-based services and hybrid work models, identity becomes the most reliable control point for managing access and mitigating threats. Identity security also supports compliance with regulations like the NIS2 Directive, which emphasizes robust identity verification and access controls [16].

To effectively transition to identity security, organizations must implement a coordinated set of technical and cultural changes:

1) Implement enterprise-wide identity governance, including role-based access control and periodic access reviews, to reduce unauthorized access.

2) Enforce MFA and conditional access policies that evaluate device posture, geolocation and risk scoring [4].

3) Audit and minimize privileged accounts through Privileged Access Management (PAM) and just-in-time access provisioning [56].

4) Educating users on phishing and credential hygiene [54].

A hybrid security model that integrates both perimeter and identity controls can offer layered protection. However, in the modern threat landscape, user identity is the new perimeter [57]. Relying solely on network boundaries is no longer viable; robust identity verification is now essential to defend against distributed and persistent cyber threats.

In the context of modern cybersecurity frameworks, user identity security is critical for safeguarding enterprise networks and digital infrastructures. One of the most effective approaches for securing digital identities and preventing unauthorized access is the application of Artificial Intelligence (AI) to detect anomalous user behavior, which may signal compromised credentials, insider threats or identity spoofing.

5.3. The Use of Artificial Intelligence in Detecting Anomalous User Behavior

AI models, particularly those rooted in machine learning (ML) and deep learning (DL), offer the capability to monitor and analyze vast amounts of user activity data in real time. These models learn baseline behavioral profiles based on patterns such as login locations, device usage, access times, application interaction and data movement. When a deviation from the baseline is detected such as unusual access times, atypical device usage or irregular access to sensitive files, the system can trigger alerts or initiate automatic security responses [58].

In identity-centric security architectures, such as Zero Trust, AI plays a central role in continuously validating the legitimacy of users beyond initial authentication. User and Entity Behavior Analytics (UEBA) systems, powered by unsupervised ML algorithms, can identify subtle behavioral anomalies without requiring labeled attack data, making them highly effective in detecting novel or insider threats [59]. For instance, an account used exclusively during work hours on a corporate device may raise suspicion if it is suddenly accessed at night from an unrecognized IP address.

Additionally, supervised learning models such as decision trees, support vector machines (SVM) and neural networks are employed in systems where annotated data is available to train models for identifying risky behavior patterns. Advanced deep learning techniques, including Long Short-Term Memory (LSTM) networks, are particularly effective for modeling temporal sequences of user actions, thus enabling the detection of gradual behavior shifts indicative of evolving threats [60].

The incorporation of AI in identity security has also been enhanced through context-aware authentication systems, where AI evaluates contextual parameters (example: geolocation, biometric inputs, device health) in real time to assess identity legitimacy. These adaptive systems significantly reduce reliance on static credentials, mitigating risks associated with password theft and reuse [61]. Overall, AI-driven detection of anomalous user behavior enhances not only real-time threat visibility but also supports proactive identity threat mitigation, aligning with the principles of continuous authentication and risk-based access control strategies.

However, despite their potential, AI-based cybersecurity systems face notable challenges, including the management of false positives, which can overwhelm security teams and vulnerability to adversarial attacks that deliberately manipulate inputs to deceive machine learning models.

6. Zero Trust Architecture (ZTA)

The evolving cyber threat landscape, driven by cloud migration, remote work and increasingly sophisticated attacks, has rendered traditional perimeter-based security models insufficient. In response, the Zero Trust Architecture (ZTA) has emerged as a foundational security paradigm that aligns with modern enterprise needs. ZTA fundamentally challenges the notion of inherent trust within any network and instead advocates for “never trust, always verify” principles at every access point [62].

According to Abbas et al. [62], the implementation of ZTA across various contexts has yielded the following key outcomes:

1) Improved Threat Detection and Prevention—ZTA uses continuous verification mechanisms that significantly minimize the risk of successful attacks. Real-time monitoring and dynamic policy enforcement quickly identify and contain sophisticated threats.

2) Enhanced Access Control—ZTA integrates multi-factor authentication and strict identity verification protocols. This minimizes unauthorized access. Role-based access control and permissions ensure users and devices can only access necessary resources, reducing the risk of data leaks.

3) Resilience in Distributed Environments—ZTA effectively secures hybrid infrastructures, including cloud environments and remote work setups. Its scalability and adaptability maintain robust security, regardless of system complexity or distribution.

Zero Trust is a comprehensive strategy integrating identity, device, application and network security. According to NIST SP 800-207 [28], the key principles of Zero Trust are:

1) Continuous verification: every access request is dynamically evaluated based on user identity, device health, location, behavior and risk level.

2) Least privilege access: users and devices are granted the minimum level of access necessary to perform their tasks, reducing the potential blast radius of a breach [63].

3) Micro segmentation: networks are broken into small zones with strict controls to prevent lateral movement if one segment is compromised.

4) Assume breach: security systems are designed with the expectation that attackers may already be present within the network, emphasizing detection and rapid response.

6.1. The Implementation of ZTA in Hybrid Environments

Zero Trust is particularly relevant in hybrid work environments, where employees, contractors and partners may access resources from a variety of locations and devices. Effective Zero Trust implementation requires organizations to focus on five foundational pillars [4]:

1) Identity—enforce strong authentication, such as phishing-resistant MFA and continuous identity assurance through anomaly detection.

2) Devices: ensure that endpoints meet security posture requirements (example: OS updates, antivirus, encryption) before granting access.

3) Applications: apply access controls and monitoring for all applications, especially SaaS and legacy systems.

4) Data: classify, label and enforce policies for data access, sharing and encryption.

5) Infrastructure and Networks: use micro segmentation and dynamic access control to contain threats and monitor traffic behavior.

The primary advantages of adopting Zero Trust Architecture in hybrid environments include:

1) Reduces risks from both internal and external threats by eliminating assumptions of implicit trust within the network.

2) Strengthens breach resilience through mechanisms that isolate compromised components and facilitate swift threat detection and response.

3) Facilitates regulatory compliance with frameworks such as GDPR, HIPAA, and the NIS2 Directive by enforcing structured identity and access controls.

4) Enhances visibility and auditability of user access and behavior across the organization’s digital infrastructure.

Key obstacles to the successful adoption of ZTA within an enterprise context include:

1) Organizational change: transitioning to ZTA requires cross-departmental alignment, leadership buy-in and cultural adaptation [64].

2) Technical complexity: legacy systems may lack support for ZTA principles or require significant reconfiguration.

3) Cost and resource allocation: ZTA initiatives involve investment in identity platforms, endpoint management, security analytics and staff training.

In a WFH scenario, an employee connects to the corporate network using a personal device that has unknowingly been compromised with malware. In traditional network architecture, this malware could move laterally across the network, potentially accessing file shares, internal applications or even privileged credentials. By contrast, under a Zero Trust Architecture that employs micro-segmentation, the employee’s device is restricted to a narrowly defined network segment with access only to essential services. Communication between segments is subject to strict access controls and identity verification. As a result, even if malware is present, it cannot move beyond the isolated segment, effectively containing the threat and preventing it from compromising critical infrastructure or sensitive data. This approach exemplifies the ZTA principle of “never trust, always verify”, applied in a dynamic and granular way to modern remote work environments.

6.2. Zero Trust Architecture and Regulatory Compliance (NIS2 Directive)

The integration of ZTA with regulatory compliance frameworks has become increasingly vital, particularly in the context of the EU NIS2 Directive, which came into force in January 2023 (Table 5). As a legal instrument aimed at strengthening the cybersecurity posture of critical and important entities across the European Union, NIS2 significantly raises the bar for both technical and organizational security measures. Its alignment with Zero Trust principles reinforces the necessity for proactive, identity-centric and context-aware security strategies in both public and private sectors [16].

Table 5. Alignment between ZTA and NIS2 directive requirements.

7. NIS2 Directive

The NIS2 Directive (Directive (EU) 2022/2555), adopted by the European Parliament and Council in December 2022 and effective from January 2023, represents a significant evolution in the European Union’s cybersecurity legislation. It replaces the original NIS Directive (Directive (EU) 2016/1148), aiming to address its shortcomings and adapt to a vastly transformed cyber threat landscape marked by digitalization, interconnectivity and hybrid work environments [65].

NIS2 strengthens the overall level of cybersecurity across the EU by expanding the scope of covered sectors, enhancing risk management obligations, enforcing stricter supervisory measures and introducing harmonized sanctions for non-compliance. It also brings the Directive into closer alignment with contemporary cybersecurity principles such as ZTA.

A key change in NIS2 is the broadened scope of application. The directive applies to both essential (energy, transport, banking, healthcare, digital infrastructure, water, public administration) and important entities (postal services, waste management, food, manufacturing of critical products, digital providers including cloud computing and data centers) in sectors critical to societal and economic functions. Entities are automatically included based on size thresholds (typically > 50 employees or > €10 million turnover) unless otherwise excluded. This approach addresses ambiguity in the original directive, ensuring broader and more consistent application across member states [66]. The research [67] shows that larger small and medium-sized enterprises (SMEs) in telecommunication and energy show moderate preparedness (average score 72.3), while smaller service-based enterprises exhibit lower compliance (average score 48.5). Tikanmäki et al. [68] examines hospital cybersecurity and compliance with NIS2 requirements through a specific scenario: “USB infection of a point-of-care testing machine”. The study revealed that NIS2 does not specify that the hospitals are forced to have implemented an Intrusion Prevention System (IPS) or Intrusion Prevention Detection System (IDS) in their network.

Under Article 21, all covered entities are required to implement a comprehensive set of technical, operational and organizational security measures, including:

1) Risk analysis and information system security policies.

2) Incident handling and continuity planning.

3) Supply chain security and procurement standards.

4) Access control and identity management.

5) Use of multi-factor authentication and encryption.

6) Employee cybersecurity training.

These measures are outcome-focused and risk-based, allowing flexibility in implementation while establishing clear minimum standards. Importantly, several of these controls directly support and are supported by modern security models like ZTA, which emphasizes identity, least privilege, segmentation and continuous monitoring (Table 6) [18].

Table 6. Alignment with ZTA and enterprise security.

8. Discussions

The transition from traditional office-based work to hybrid and fully remote models has fundamentally altered the cybersecurity threat landscape. The COVID-19 pandemic accelerated this shift, forcing organizations to rapidly adopt digital solutions and remote connectivity, often without sufficient time to adapt their security architecture. As a result, legacy perimeter-based defenses have shown critical limitations, especially in the face of increasingly sophisticated attacks targeting user credentials, remote access points and cloud services.

The analysis in this article demonstrates that WFO environments, while benefiting from centralized IT control and network segmentation, often foster a false sense of security. On the other hand, remote work environments introduce unique vulnerabilities such as unmanaged personal devices, unsecured home networks and reduced visibility into user behavior. These changes emphasize the growing importance of identity as the new perimeter, shifting the focus from location-based access to context and identity-based controls.

The emergence of ZTA is a direct response to these evolving threats. ZTA’s emphasis on continuous verification, least-privilege access and micro segmentation aligns well with the dynamic nature of hybrid work environments. Its adoption helps mitigate both insider and outsider threat and enhances organizational resilience by minimizing lateral movement during a breach. However, implementing ZTA presents operational challenges, including integration with legacy systems, the need for comprehensive identity governance and significant cultural and technical shifts within organizations.

Describing ZTA adoption as a “cultural shift” reflects the broader transformation required in organizational mindset and behavior, as outlined in NIST SP 800-207. Zero Trust moves away from the traditional assumption of implicit trust within network boundaries toward a model of continuous, explicit verification based on identity, device posture and contextual risk. This shift affects not only technical architecture but also organizational policies and practices. Employees and leadership alike must adopt a posture of ‘never trust, always verify,’ which has direct implications for security awareness training, emphasizing concepts such as least privilege, segmentation and dynamic access control. From a policy standpoint, organizations must implement adaptive access management, continuous monitoring and risk-based authentication as core elements of their cybersecurity posture. Effective change management is critical to this transition and should include executive leadership endorsement, alignment with NIST Cybersecurity Framework (CSF) functions, particularly Identify, Protect and Respond, and structured communication and training plans. Without integrating these cultural and procedural dimensions, organizations risk falling short of the full security benefits envisioned in a Zero Trust model.

Moreover, regulatory frameworks such as the NIS2 Directive reinforce the relevance of ZTA by mandating robust cybersecurity measures that directly overlap with Zero Trust principles. Organizations subject to NIS2 must adopt practices such as MFA, risk-based access controls, supply chain risk management and real-time threat monitoring. This convergence between regulatory compliance and architectural best practices provides an opportunity for companies to unify their security strategy under a single, scalable and auditable framework.

Despite these advancements, several areas warrant further discussion:

1) User Behavior and Awareness: both office and remote environments remain vulnerable to social engineering and phishing attacks. The human factor remains a critical weakness, underscoring the need for continuous security awareness and training programs.

2) Technology Gaps and Vendor Lock-in: the successful implementation of ZTA requires the integration of multiple technologies (example: IAM, Security Information and Event Management (SIEM), Software-Defined Perimeter (SDP)). Without proper planning, organizations risk fragmentation or over-reliance on specific vendors.

3) Regulatory Ambiguity and Interoperability: while NIS2 offers a strong baseline, its practical interpretation and enforcement vary across EU member states. This may pose challenges for multinational organizations operating under multiple legal jurisdictions.

4) Scalability and Cost: especially for SMEs, the financial and technical burden of transitioning to ZTA or complying with NIS2 may be significant. Risk-based prioritization and phased implementation are essential to achieving progress without overwhelming resources.

The security paradigm must continue to evolve beyond physical boundaries and static defenses. A layered, identity-centric approach, grounded in ZT and aligned with regulatory mandates like NIS2, offers the most effective path forward for securing both office-based and remote work environments. However, its success depends not only on technology, but also on organizational leadership, cross-functional collaboration and ongoing investment in cybersecurity maturity.

9. Conclusion

The objective of this review is to provide a comprehensive and unified source of information for scientists, engineers, researchers and organizations engaged in the investigation of recent advancements and challenges associated with the concepts of work from home and work from office. The COVID-19 pandemic significantly reshaped how and where we work, triggering a rapid shift to remote operations and exposing both new and existing cybersecurity vulnerabilities. While WFO environments faced intensified threats like ransomware and insider risks, the rise of WFH brought a surge in phishing, weak network defenses and unregulated use of personal and third-party tools. This evolving threat landscape underscores the urgent need for organizations to adopt adaptive, risk-based cybersecurity strategies that extend beyond the traditional perimeter. Proactive measures such as regular security training, multi-factor authentication, secure remote access solutions and continuous risk assessments, are essential in building resilience for both office-based and remote work models. As work environments continue to evolve post-pandemic, maintaining cybersecurity must remain a shared responsibility between organizations and employees to safeguard data, infrastructure and trust in the digital workspace.

Conflicts of Interest

The authors declare no conflicts of interest regarding the publication of this paper.

References