Secure hybrid work infrastructure: protecting your distributed workforce

The shift to hybrid work has fundamentally changed the security perimeter. In Belgium, the share of remote or hybrid workers was projected to reach 56.1% in 2023, governed by a legal framework that distinguishes between structural telework (under Collective Bargaining Agreement nr. 85) and occasional telework (under the law of 5 March 2017). This shift is not temporary — it represents a permanent transformation in how businesses operate.

The security implications are significant. Research shows that 75% of IT professionals report their organisations are more vulnerable to cyber threats since adopting remote work. Remote work increased the average cost of a data breach by USD 1.07 million where it was a factor, and organisations with high percentages of remote workers took 58 days longer to identify and contain breaches. For Belgian businesses navigating both cybersecurity risks and regulatory obligations, building secure hybrid infrastructure is a strategic necessity.

VPN vs Zero Trust Network Access

Traditional VPNs were designed for an era when remote access was the exception, not the norm. A VPN extends the network perimeter to the remote user, granting broad access to internal resources once connected. This castle-and-moat model creates significant risk: if an attacker compromises a VPN connection — through stolen credentials, a compromised device, or a VPN vulnerability — they gain the same broad network access as the legitimate user.

Zero Trust Network Access (ZTNA) takes a fundamentally different approach. Instead of extending the network, ZTNA grants access to specific applications based on continuously verified identity, device health, and contextual factors. According to Zscaler, 90% of global enterprises that have started migrating to the cloud are implementing or planning to implement Zero Trust. Gartner projected that by 2025, 60% of organisations would phase out VPNs in favour of ZTNA.

For Belgian businesses, the transition from VPN to ZTNA need not be sudden. Many organisations adopt a phased approach, implementing ZTNA for new applications and high-risk access scenarios while maintaining VPN for legacy systems. The key is to move toward a model where every access request is verified — never trusting implicitly based on network location alone.

Endpoint security for remote devices

When employees work from home, the coffee shop, or a co-working space, their devices become the new perimeter. Research indicates that 63% of organisations now require Endpoint Detection and Response (EDR) solutions on all remote devices, providing continuous monitoring for suspicious behaviour, automated threat response, and forensic capabilities that traditional antivirus cannot match.

Mobile Device Management (MDM) or Unified Endpoint Management (UEM) platforms such as Microsoft Intune, VMware Workspace ONE, or Jamf provide centralised control over device configuration, security policies, and application management. They enable IT teams to enforce encryption, mandate operating system updates, remotely wipe lost devices, and ensure that only compliant devices can access corporate resources.

BYOD policies present particular challenges. When employees use personal devices for work, organisations must balance security requirements with employee privacy. Containerisation — creating a secure, isolated workspace on the personal device — provides a middle ground. The corporate container is managed and secured by IT, while the rest of the device remains under the employee's control. Clear BYOD policies should define acceptable use, data handling requirements, and the organisation's rights regarding the managed container.

Cloud identity and access management

Identity has become the control plane of modern security. Platforms like Microsoft Entra ID (formerly Azure AD), Okta, and Google Workspace Identity provide centralised authentication and authorisation for cloud and on-premises applications. For hybrid work environments, cloud identity management enables single sign-on (SSO) across all corporate applications, reducing password fatigue and the security risks associated with password reuse.

Multi-factor authentication (MFA) is essential, yet only 35% of remote employees use it consistently according to recent research. Organisations should enforce MFA for all access to corporate resources, with phishing-resistant methods such as FIDO2 security keys or platform authenticators preferred over SMS-based codes, which are vulnerable to SIM-swapping attacks.

Conditional access policies add another layer of intelligence. These policies can grant, limit, or deny access based on a combination of signals: user identity, device compliance status, location, application sensitivity, and real-time risk assessment. For example, access to sensitive financial systems might require a managed device with up-to-date security patches, MFA with a hardware key, and a connection from a recognised country.
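
The conditional access decision described above, sketched as a vendor-neutral policy evaluator. This is an added example, not code from the original article or from any identity platform; the field names, the country list and the rule that sensitive applications fail closed are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    GRANT = "grant"
    LIMIT = "limit"  # restricted session, e.g. browser-only with no downloads
    DENY = "deny"

# Assumed values for illustration, not taken from any product.
RECOGNISED_COUNTRIES = {"BE", "NL", "LU", "FR", "DE"}
PHISHING_RESISTANT = {"fido2", "platform"}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    app_sensitivity: str    # "low" or "high"
    device_managed: bool
    device_patched: bool
    mfa_method: str | None  # "fido2", "platform", "sms" or None
    country: str            # ISO 3166-1 alpha-2 from IP geolocation
    risk: str               # "low", "medium" or "high" from the identity provider

def evaluate(req: AccessRequest) -> tuple[Decision, list[str]]:
    """Return the decision with its reasons so every outcome can be logged."""
    # Hard stops apply to every application.
    if req.risk == "high":
        return Decision.DENY, ["sign-in risk is high"]
    if req.mfa_method is None:
        return Decision.DENY, ["no MFA presented"]
    reasons = []
    if not (req.device_managed and req.device_patched):
        reasons.append("device is unmanaged or missing patches")
    if req.country not in RECOGNISED_COUNTRIES:
        reasons.append(f"unrecognised country {req.country}")
    if req.risk == "medium":
        reasons.append("sign-in risk is medium")
    if req.app_sensitivity == "high" and req.mfa_method not in PHISHING_RESISTANT:
        reasons.append(f"{req.mfa_method} MFA is not phishing-resistant")
    if not reasons:
        return Decision.GRANT, ["all requirements met"]
    # Sensitive applications fail closed; others get a restricted session.
    if req.app_sensitivity == "high":
        return Decision.DENY, reasons
    return Decision.LIMIT, reasons

if __name__ == "__main__":
    # Constructed sample requests.
    finance = AccessRequest("alice", "high", True, True, "sms", "BE", "low")
    wiki = AccessRequest("bob", "low", False, True, "sms", "BE", "low")
    for r in (finance, wiki):
        print(r.user, *evaluate(r))
```

Returning the reasons alongside the decision gives the SIEM a record of why each request was limited or denied, which is what makes policy tuning possible later.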

Secure collaboration and network segmentation

Hybrid work depends on collaboration tools — Microsoft Teams, Slack, Google Workspace, and others. These tools must be configured securely: enabling data loss prevention (DLP) policies to prevent sensitive information from being shared outside the organisation, configuring guest access controls, managing external sharing settings, and retaining communications in compliance with regulatory requirements.

Network segmentation for remote access ensures that even authenticated users can only reach the resources relevant to their role. Micro-segmentation takes this further, applying granular security policies at the workload level. When combined with ZTNA, micro-segmentation means that a compromised remote connection gives an attacker access to nothing beyond the specific application that was targeted — dramatically limiting the blast radius of any breach.

Monitoring and visibility across a distributed workforce present unique challenges. Security Information and Event Management (SIEM) platforms and cloud-native security tools must aggregate logs from endpoints, cloud services, identity providers, and network devices to provide a unified view of security posture. User and Entity Behaviour Analytics (UEBA) can detect anomalous patterns — such as an employee accessing systems at unusual hours or downloading abnormal volumes of data — that may indicate a compromised account.
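
A minimal version of the UEBA checks mentioned above (unusual hours, abnormal download volume), scored against each user's own baseline. This is an added example, not part of the original article or of any SIEM product; the log format, sample events and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: ISO timestamp, user, megabytes downloaded.
BASELINE = """2024-03-04T09:12:00 alice 120
2024-03-05T10:40:00 alice 95
2024-03-06T14:05:00 alice 140
2024-03-07T11:30:00 alice 110
2024-03-08T16:20:00 alice 130
2024-03-08T09:00:00 carol 80"""
NEW = """2024-03-11T13:02:00 alice 125
2024-03-12T02:47:00 alice 4200
2024-03-12T10:15:00 carol 90"""

def parse(text):
    for line in text.strip().splitlines():
        ts, user, mb = line.split()
        yield datetime.fromisoformat(ts), user, float(mb)

def score(ts, mb, past, z_max=3.0, hour_slack=2, min_samples=5):
    """Compare one event with that user's own history of (hour, megabytes)."""
    if len(past) < min_samples:
        return ["insufficient baseline"]  # route to review rather than guess
    hours = [h for h, _ in past]
    volumes = [v for _, v in past]
    findings = []
    # Simplification: assumes working hours do not wrap around midnight.
    if not (min(hours) - hour_slack <= ts.hour <= max(hours) + hour_slack):
        findings.append("unusual hour")
    spread = max(pstdev(volumes), 1.0)  # floor so very regular users do not divide by ~0
    if (mb - mean(volumes)) / spread > z_max:
        findings.append("abnormal download volume")
    return findings

def detect(baseline_text, new_text):
    history = defaultdict(list)  # user -> [(hour, megabytes), ...]
    for ts, user, mb in parse(baseline_text):
        history[user].append((ts.hour, mb))
    alerts = []
    for ts, user, mb in parse(new_text):
        findings = score(ts, mb, history[user])
        if findings:
            alerts.append((user, ts.isoformat(), findings))
    return alerts

if __name__ == "__main__":
    for alert in detect(BASELINE, NEW):
        print(alert)
```

Accounts with too little history are surfaced explicitly instead of being scored, since a new or rarely used account has no baseline to deviate from.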

Belgian regulatory considerations

Belgian employers offering structural telework must formalise arrangements through written agreements that specify the frequency of telework, the hours during which the teleworker must be reachable, and the equipment provided. The employer is responsible for providing and maintaining the necessary IT equipment and for covering related costs.

From a data protection perspective, remote work does not diminish GDPR obligations. Employers must ensure that personal data processed by remote workers is protected to the same standard as data processed on-premises. This includes ensuring that home networks and devices meet minimum security standards, that data is encrypted in transit and at rest, and that employees receive regular training on data protection responsibilities in a remote work context.

The well-being of teleworkers is also a legal consideration in Belgium. The law requires employers to take measures to prevent isolation and maintain social contact with colleagues. While this is primarily an HR concern, IT infrastructure plays a supporting role by enabling effective communication and collaboration tools that keep distributed teams connected.

How Shady AS can help

At Shady AS SRL, we design and implement secure hybrid work infrastructure for Belgian businesses. From deploying Zero Trust Network Access and endpoint security solutions to configuring cloud identity management with conditional access policies, our team in Brussels ensures your distributed workforce can work productively without compromising security.

Whether you need to modernise your remote access architecture, implement MFA across your organisation, or develop comprehensive BYOD and telework policies, contact Shady AS SRL to build a hybrid work environment that is both secure and compliant with Belgian regulations.