Hybrid working is no longer a temporary fix or a perk for a small part of your team. It is now a normal part of how many people in Great Britain work. The Office for National Statistics reported that between January and March 2025, 30% of employees were hybrid workers, and that figure rose to 34% for full-time workers.
That matters because your cloud setup is now being accessed from more places, on more devices, and through more networks than it was a few years ago. Your people may be moving between home, office, client sites and public spaces, often in the same week. If your cloud security still assumes that most work happens inside a single office perimeter, you are working from an outdated model.
This is where businesses often need a more joined-up approach, and that is why firms such as Transputec focus on cloud, cyber security and managed support together rather than treating them as separate issues. In a hybrid environment, that joined-up thinking becomes even more important because cloud security is no longer just about the platform itself. It is also about the way your people use it every day.
Your biggest risk is no longer just the cloud platform
A lot of businesses still think cloud security starts and ends with choosing a well-known provider. That does matter, but it is only part of the picture. The National Cyber Security Centre makes this clear in its cloud guidance: you need to choose services that match your security needs, but you also need to configure and use them securely.
In other words, moving to Microsoft 365, Azure, AWS or another cloud service does not remove your responsibility. It changes it. In a hybrid model, your security risk often shifts away from the server room and towards identity, access, device health, user behaviour and visibility.
That shift matters because UK businesses are still under real pressure. The Cyber Security Breaches Survey 2025 found that 43% of businesses identified a cyber security breach or attack in the previous 12 months. It also found that phishing remained the most common type of cyber crime, affecting 93% of businesses that experienced cyber crime.
You need to move from perimeter thinking to identity-first security
If your workforce is hybrid, you cannot rely on office-based protections in the same way as before. You need to assume that people will sign in from different places and that not every device or network will be equally trustworthy.
That is why identity should sit at the centre of your cloud security strategy. You need stronger controls around who is signing in, how they are signing in, and what they can reach once they are in. For most businesses, that means taking a hard look at:
- multi-factor authentication
- conditional access policies
- least-privilege permissions
- role-based access controls
- sign-in monitoring and alerting
If a user only needs access to 1 system, do not give them 5. If a contractor only needs temporary access, do not leave their account open for months. Hybrid working creates too many moving parts for loose access management.
Device trust matters far more when people work across locations
In a fully office-based setup, IT teams often had more direct control over the hardware being used. In a hybrid setup, that control can weaken unless you actively rebuild it.
You should know which devices are accessing your cloud systems, whether they are encrypted, whether they are patched, and whether they meet your security standards. If you do not have that visibility, you are leaving a gap between your cloud platform and the real-world device being used to reach it.
That does not mean making work harder for your staff. It means being clearer about what “trusted access” looks like. For example, you may decide that access to sensitive files is only allowed from managed devices, or that log-ins from outdated operating systems trigger extra checks. Those are practical changes that reflect the reality of hybrid work.
Your cloud security policies need to reflect real behaviour, not ideal behaviour
One of the biggest mistakes businesses make is writing security rules for the way they wish people worked, instead of the way people actually work.
In practice, hybrid employees often switch between home broadband, office Wi-Fi and mobile hotspots. They use video meetings, shared documents, chat apps, customer portals and cloud storage tools all day. That creates convenience, but it also creates sprawl.
So your security approach should become more practical and more specific. You should review:
1. File sharing controls
Who can share files externally? Can staff create anonymous links? How long do links stay live? These settings should not be left wide open just because collaboration is important.
2. Shadow IT
If your staff find approved tools too slow or awkward, they may start using unauthorised apps. That creates security and compliance risks. You need visibility over what is being used and a better process for approving safe alternatives.
3. Session controls
Not every log-in needs the same level of freedom. Some sessions may need restrictions on downloads, copy and paste, or access from unmanaged devices.
4. Logging and alerting
The NCSC’s cloud security principles include audit information, alerting, secure user management and identity controls for a reason. If your workforce is hybrid, you need those signals to spot unusual behaviour early.
Training should be tied to hybrid working risks
Security awareness training is still important, but it should not be generic. If your people are working in a hybrid way, the examples need to feel familiar.
That means covering issues such as fake Microsoft 365 log-in pages, risky use of shared home devices, weak personal Wi-Fi settings, oversharing in collaboration tools, and the habit of approving prompts too quickly on mobile devices. A hybrid team faces slightly different risks from a team that only works in the office, so your training should reflect that.
This is especially important when phishing remains such a dominant threat in the UK. If most attacks still start by tricking a person, then secure cloud configuration and user awareness have to work together.
Resilience matters just as much as prevention
Cloud security is not only about stopping incidents. It is also about making sure your business can keep operating if something goes wrong.
The NCSC highlights asset protection and resilience as core cloud security principles. That should push you to think beyond log-ins and passwords. You should also review backup strategy, recovery testing, incident response plans and how quickly you can contain a compromised account or device.
If your workforce is hybrid, response speed becomes even more important. A suspicious sign-in, lost laptop or compromised mailbox can spread further when teams are distributed and heavily reliant on cloud systems. Your plan needs to work whether the user is in London, Leeds or logging in from home.
Cloud security for hybrid work should be simpler, clearer and stricter
The main change is this: you should stop thinking of cloud security as a technical layer sitting in the background. In a hybrid business, it becomes part of how work happens every day.
That means being stricter about identity, clearer about device standards, smarter about access, and more realistic about user behaviour. It also means accepting that convenience and security have to be balanced properly, not treated as opposites.
Hybrid work is here, and for many UK businesses it is now standard practice rather than an exception. If your security model still reflects the old office-first world, now is the time to update it. The cloud can absolutely support flexible working well, but only if your security approach evolves with the way your people actually work.
