While Amazon, Dell, JP Morgan, and many others have asked their employees to return to the office and adopt a full-time work culture, Southeast Asia (SEA) has been swimming against the tide, becoming a vibrant hub for “digital nomads.” 

The Philippines introduced a digital nomad visa (DNV) aiming to attract remote workers employed by foreign entities. Singapore’s flexible work arrangement mandate, along with Thailand’s Destination Thailand Visa, are decentralising the workforce and redefining the traditional workplace.  

For leaders in the C-Suite, this shift presents a challenge: we are now legally and culturally obligated to support a workforce that operates entirely out of sight.  

To thrive in this borderless landscape, we must embrace three fundamental changes in how we define and build trust.  

The device, not the login, is the new perimeter 

For decades, enterprise security has been anchored on a simple yet effective principle: the castle and moat. If an IT administrator could physically handle a laptop, configure it behind a corporate firewall, and hand it to an employee, the device was inherently trusted. This “chain of custody” ensured that IT teams could verify, secure, and trust every endpoint. It was a model built on tangible control and physical proximity. 

However, hybrid work dissolves the boundaries that the castle-and-moat approach depends on. Devices are now being shipped directly from manufacturers to homes in Manila, coworking spaces in Bangkok, or coastal cottages in Cebu.  

In this new reality, the digital perimeter can no longer be confined to networks or passwords alone. While the industry has made strides towards passwordless authentication, leveraging facial recognition and fingerprints, these advancements are not impervious. Sophisticated deepfakes and other emerging threats have demonstrated their ability to circumvent biometric systems.

Moreover, most modern attacks, such as session token theft and Adversary-in-the-Middle (AiTM) attacks, occur after a user logs in. The biometric check was valid, but if the device itself is compromised, the attacker inherits that trust. 

To effectively counter these threats, the endpoint itself must become the new perimeter. 

Security must evolve beyond simply asking “Who is the user?” Instead, it must question: Is the device compliant? Where is this access coming from? Is the user behaviour consistent with expected patterns?

These questions require rich, continuous context and not a single data point. To gather and interpret this context effectively, organisations will have to orchestrate two technologies that used to work in silos: identity management (IdP) and unified endpoint management (UEM). When integrated seamlessly, IdP tools provide robust identity verification, while UEM ensures the device posture. In this model, trust is not granted once but continuously verified until the device proves itself worthy of access. 

Moreover, adopting an endpoint management strategy ensures that security is built into the enrollment process the moment the user unboxes the hardware. This means that by the time your employee boots the device, it’s health-certified, encrypted, and identity-verified, all without IT touching a key. 

Also Read: How hybrid learning is revolutionising the landscape of education

Shadow IT isn’t the real problem, but a symptom of friction  

We’ve consistently treated unauthorised tech as one of the greatest risks —and for good reason. In the past, employees would slip in removable drives without the business’s knowledge or approval. Then the cloud arrived, opening a can of worms. And just when we thought we had a handle on things, with generative AI and large language models, we’re facing a new frontier of what we call shadow AI. 

However, this ongoing effort to eliminate Shadow IT has always been a losing one.  

When we impose clunky, multi-layered VPNs or restrictive protocols on a digital nomad working out of a co-working space, we create friction. And imposing a zero-use mandate doesn’t eliminate usage; instead, it drives the stealth usage up. Employees seek new tools to bypass security. And often, they don’t even see it as wrongdoing. Nearly 40 per cent of GenZ workers use AI to automate tasks without their manager’s approval, and one in five say they couldn’t perform their current job without AI tools. 

So clearly the answer isn’t to impose a blanket ban on new apps.  

It’s important to understand the “why” behind Shadow IT. Engage your employees, ask what they need to do their jobs effectively, listen to their preferred and recommended tools, and then work to onboard them safely. 

This approach gives two things. First, it gives you visibility into what’s being used and what shouldn’t be. If a tool poses questionable risk, step in and blacklist it. Second, it reveals gaps in your own ecosystem. Employees are often signalling what’s missing, and addressing those gaps could dramatically improve productivity while maintaining security. 

Instead of building a higher wall, build a smarter system — an orchestration layer where security is invisible. We secure the enterprise best when the employee doesn’t even know we’re doing it. Because the real risk isn’t shadow IT; it’s refusing to adapt to it. 

Also Read: AI human hybrid support: Why customers still prefer real conversations

Compliance must be continuous 

Being merely “flexible-compliant” is no longer sufficient. Across Southeast Asia, regulators are intensifying their regulatory enforcement. In 2025 alone, Thailand’s Personal Data Protection Committee (PDPC) imposed fines totalling THB 21.5 million (US$0.66 million) for violations of the Personal Data Protection Act (PDPA) — including one case involving a state agency.

In markets like Singapore and Thailand, non-compliance carries severe financial and operational consequences. Organisations face fines of up to SG$1 million (US$0.79 million) or 10 per cent of annual turnover, potential imprisonment for responsible individuals, and lasting reputational damage. Beyond regulatory penalties, businesses may be subject to lawsuits from individuals affected by data breaches, including claims for emotional distress. In many cases, authorities can mandate immediate corrective orders, forcing organisations to implement security measures within extremely tight timelines. 

Compliance, therefore, should not be viewed as a one-time milestone but as an ongoing state that must be continuously maintained. 

To operate effectively across diverse jurisdictions, organisations need a centralised management layer that acts as a digital single source of truth. One that delivers unified visibility across every endpoint, enforces consistent policies regardless of location, and enables real-time responses that surpass geographic boundaries. Integrated systems become critical here: endpoint management solutions combined with audit automation tools allow organisations to generate reports on demand while continuously monitoring the fleet’s compliance posture across regions. While resilience ensures operational continuity in a hostile environment, compliance ensures you meet the law. 

Legislative shifts in Singapore and the Philippines have essentially turned every kitchen table and living room into a branch office. The perimeter, as we knew it, no longer exists. We must accept that the network is now perpetually hostile. While we may not control the router in a Manila apartment, we can surely secure the device and identity behind it. The leaders who define the next decade will be those who understand a simple truth: Security is no longer the gatekeeper of work. It is the enabler of it. 

—

Editor’s note: e27 aims to foster thought leadership by publishing views from the community. You can also share your perspective by submitting an article, video, podcast, or infographic.

The post Borderless work, boundless risk: Securing the hybrid future appeared first on e27.