The COVID-19 pandemic has forced many businesses to allow employees to work from home or to adopt hybrid working, where employees spend some of their time in the office and some time working from home. During the lockdowns imposed by governments, most workers were using corporate-owned or personal devices to work from home.
A recent survey conducted by cybersecurity firm Tessian explored the perceived risks of home working among 250 IT leaders. Around 2,000 employees were also polled. A majority of IT leaders (82%) believe home working has increased the risk from phishing attacks and 78% said there was a higher risk of insider breaches as a result of employees working from home. 46% of IT leaders were concerned that the unsafe data practices of their employees could compromise their company’s security.
30% of IT leaders reported an increase in ransomware attacks via phishing emails between March and July 2020, 29% said SMS phishing attacks had increased, 27% reported an increase in email phishing attacks, 27% said there had been more insider threats, and 22% reported an increase in BEC attacks. Despite the risks, 75% of IT leaders said they believed that remote working or hybrid working was here to stay.
Working from home has made email the main method of communication. Tessian reports there was an increase in email traffic of 129% when employees started working from home. The increased reliance on email for communication increases the opportunity for cybercriminals to conduct email-based attacks. Between March 2020 and July 2020, half of all security incidents detected by Tessian occurred via email.
IT leaders expressed concern about employees connecting to risky public Wi-Fi networks when working remotely. There appears to be a legitimate cause for concern, as 58% of employees said they had connected to public Wi-Fi networks or had considered doing so.
The rush to allow employees to work from home due to the pandemic meant employers had to allow employees to use personal devices for work purposes. These devices tend not to have the same level of security as corporate-issued devices, which is a concern, especially considering that 78% of employees who used their personal devices had received a phishing email in their work or personal inbox while working from home. 68% said they clicked a link or opened an attachment in unsolicited emails.
To make matters worse, security solutions have not been updated to account for the change in working practices. Many companies still have legacy security solutions that were deployed to protect office-based workers and that struggle to protect a largely at-home workforce. That places a huge strain on the IT department, which is finding it difficult to mitigate risks and identify potential breaches. 34% of IT leaders were concerned that their IT teams were being stretched too far in terms of time and resources and were concerned about the increase in workload due to home working.
A separate survey conducted by the app security firm Promon revealed two thirds of remote workers in the UK had not received any cybersecurity training in the past 12 months, even though many had changed to working from home, which has increased risk. 77% of remote workers said they were not worried about cybersecurity when working from home, which is also of concern, as overconfidence could easily lead to mistakes being made or workers engaging in risky behaviors. The survey similarly showed that workers often use personal devices that lack the security controls used to protect office devices. 61% of at-home employees said they were using personal rather than corporate devices when working from home.
Working from home or hybrid working may now be the new normal, but companies clearly have a long way to go to ensure the same level of security that they had when workers were office based. IT teams are already stretched and overworked, which is likely to mean that the issues surrounding WFH security may take time to address. In the meantime, companies will face a much higher risk of suffering a damaging and costly cyberattack and data breach.