A widely shared piece of survey data has been making the rounds: more than 90% of IT professionals say they are confident their organization can protect sensitive information when people work remotely or in a hybrid setup. On the surface that is reassuring, and it is a useful counterweight to the constant drumbeat of alarming security headlines. But a single confident-sounding number deserves a closer look before you let it shape your decisions, because the same data that produced it also reveals some uncomfortable gaps. This guide walks through what the figure actually says, where the confidence may be outpacing reality, and what remote work security really requires for a small business.
A Business Guide to 90% of IT Professionals Are Confident in Cybersecurity for Remote Work

Where the 90% Figure Comes From
The number is worth attributing properly rather than treating as a free-floating fact. It comes from a survey conducted for the security company Huntress, which polled 227 United States IT professionals in December 2024. In that survey, the majority described themselves as confident in their organization's data security measures for remote and hybrid work, and a further portion described themselves as at least somewhat confident, which together produced the headline that more than 90% expressed confidence. So the figure is real, but it reflects the opinions of a specific group at a specific moment, not a measured fact about how secure remote work actually is.
That distinction matters because confidence and security are not the same thing. People can feel protected while gaps remain, and a survey of how IT professionals feel tells you about perception, not about the state of any particular network. The 90% figure is a fair description of optimism in the field. It is not evidence that your business, or any business, is actually safe when staff work from home, and the rest of the same survey makes that point on its own.

Where Confidence Outpaces Reality
The most revealing detail sits a little further down in the same Huntress survey. While more than 90% expressed confidence, only around two in five respondents said their organization actually uses multi-factor authentication, one of the single most effective protections against the account takeovers that drive so many remote-work breaches. That is a striking gap. A large majority feel protected, yet a basic and widely recommended control is missing in most of their organizations. When a foundational safeguard like strong authentication is absent, confidence may be running ahead of the actual defenses in place.
This is exactly why multi-factor authentication deserves attention before almost anything else. When people sign in from home networks and personal devices, a stolen password is often all an attacker needs, and a second factor is what stops that password from being enough. Adopting strong, modern authentication, as covered in our guide to phishing-resistant MFA, closes one of the widest gaps in remote work security, and the survey suggests it is precisely the gap many confident organizations have left open.

The Data Is More Mixed Than One Number Suggests
It is also worth knowing that not every survey paints the same optimistic picture, which is a good reason to be cautious about any single statistic. Other research has found the opposite mood entirely, with a large share of IT professionals saying they believe remote workers are not secure and pose a greater risk than staff in the office. Both findings can be true at once, because they measure different groups, ask different questions, and reflect different moments. The honest takeaway is not that remote work is safe or that it is dangerous, but that broad confidence figures should be read carefully and never substituted for an honest look at your own situation.
For a business owner, the practical lesson is to treat reassuring headlines as a prompt to check rather than a reason to relax. The question that matters is not how IT professionals feel in a survey, but whether your own remote setup has the protections it needs. Partnering with a provider for ongoing managed cybersecurity is one way to make sure that judgment is based on what is actually configured in your environment, not on a general sense of optimism.

What Remote Work Security Actually Requires
Behind the survey numbers, the controls that make remote work reasonably safe are well understood and within reach of a small business. Strong authentication comes first, as discussed, because it addresses the most common path attackers take. Close behind is securing the cloud tools that remote teams live in, since email and file sharing are where most sensitive work now happens. Tightening the security of Microsoft 365 and similar platforms removes many of the openings that remote work creates, because a poorly configured cloud account is exposed no matter where staff happen to be sitting.
The way access is granted also matters more when the office boundary disappears. A model that verifies every request and gives each person only the access their role requires limits how far an attacker can get if they do compromise an account. This approach, explained in our overview of zero trust architecture, is well suited to remote and hybrid work precisely because it does not assume anyone is safe simply for being inside the network. For a distributed workforce, that assumption was never reliable to begin with.
Email deserves particular care, because it is the channel attackers use most against remote staff. When people cannot turn to a colleague at the next desk to check whether a request is genuine, they are more likely to act on a convincing fake, which is how schemes like the takeover of a trusted account succeed. Understanding and guarding against business email compromise is therefore a core part of remote work security, not a separate concern, and training staff to pause on unusual requests is one of the cheapest protections available.
One more piece is easy to overlook: the devices themselves. When work happens on laptops and phones spread across many locations, keeping those devices updated and protected becomes both more important and harder to manage, because there is no office network quietly handling it. Ensuring that remote devices receive security updates, run protection, and are configured consistently closes a gap that grows naturally as a team spreads out. It is unglamorous work, but unpatched and unmanaged devices are among the most common ways attackers reach a remote workforce, which makes this one of the more valuable habits to keep.

Confidence Is Not the Same as Coverage
Even with the right controls in place, remote work security depends on someone actually watching, because protections that are never checked tend to drift. Devices fall behind on updates, a new account is created without the usual safeguards, or a setting is changed and never reviewed. Ongoing around-the-clock monitoring is what keeps a remote setup from quietly slipping out of shape, catching the gaps that open over time rather than discovering them after an incident. This is the difference between feeling secure and being able to show that you are.
It is also a reasonable reading of why so many surveyed professionals feel confident even with gaps present. Nothing has gone visibly wrong, so the assumption is that everything is fine. But the absence of a known incident is not proof of security; it can simply mean a problem has not surfaced yet. Treating confidence as a starting question rather than a conclusion is the healthier posture, and it is the one that actually protects a business over time.

Why Confidence Forms Even When Gaps Remain
It is worth understanding why a group of professionals might feel confident while basic protections are missing, because the same reasoning probably operates in many businesses. The most common cause is simply that nothing has visibly gone wrong. When there has been no obvious breach, people naturally assume their defenses are working, even though the absence of a known incident says little about whether one is brewing or has already happened unnoticed. Security failures are often quiet, and an attacker who has gained access frequently stays hidden for a long time, so a calm surface can hide real trouble underneath.
A second cause is mistaking the presence of tools for the presence of protection. Having antivirus installed, a firewall running, and a cloud subscription can create a feeling of being covered, even when those tools are misconfigured, out of date, or missing a key control like strong authentication. The tools are necessary, but owning them is not the same as having them set up and maintained correctly, and the gap between the two is exactly where confidence outruns reality. Remote work widens this gap further, because when staff are spread across home offices and personal devices, problems are harder to see, and a setting that drifts out of place on someone's laptop may never come to anyone's attention.
For a small business, the value of understanding this is that it points to a simple correction. Rather than asking whether you feel secure, ask what you can actually verify: whether multi-factor authentication is switched on, whether your cloud accounts are configured properly, who has access to what, and whether someone is watching your systems and keeping them current. These are answerable questions, and answering them honestly is far more protective than any general sense of confidence. The professionals in the survey were not wrong to feel optimistic, but optimism is a feeling, and security is a set of facts you can check. Closing the distance between the two is the whole task, and it rewards a small business far more than reassurance ever could.

What to Take From the Numbers
The headline that more than 90% of IT professionals feel confident about remote work is genuine, and there is nothing wrong with optimism in a field that often dwells on threats. But the same survey shows that many of those confident organizations lack basic protections like multi-factor authentication, and other research finds far more concern, which together argue for reading any single figure with care. For your own business, the sensible response is not reassurance but a quick, honest check of whether the fundamentals are in place. A provider offering managed IT services in Los Angeles can run that review and tell you where you genuinely stand, rather than where a survey says the field feels it stands.
The same goes for businesses across the wider region. Remote and hybrid work is now a permanent part of how most organizations operate, and the protections it requires are well within reach, but they only help if they are actually in place and maintained. A local team offering IT support across the San Fernando Valley can help close the gaps that confidence tends to hide, so that your sense of security is backed by the controls to justify it. Strong remote work security comes from what you have configured and maintained, not from how the field happens to feel this year.
If you want to know whether your business is actually protected when your team works remotely, rather than just confident that it is, GlobeVM can review your setup and close the gaps, so your remote work security rests on real controls instead of optimism.