Staying at home has revolutionised the workplace. While the move towards remote working has been a long-term trend, the pandemic supercharged it. The first lockdowns saw millions of businesses worldwide switch almost overnight to homeworking. Subsequent restrictions reinforced the practice and ensured it became a core part of the new normal even after opening up.
Homeworking is here to stay
According to the International Labour Organization (ILO), there were 260 million home-based workers in the world in 2019 prior to the COVID-19 pandemic – amounting to just 7.9% of total employment. Fast-forward only three years, and the ILO estimates that almost 560 million people globally were working from home in 2020, during the height of the pandemic.
In the UK, according to the Office for National Statistics (ONS), the proportion of working adults who did any work from home in 2020 jumped ten percentage points from 2019, from 27 per cent on average to 37 per cent. In information and communication, and professional, scientific and technical industries, figures were much higher (81 per cent and 71 per cent).
That rapid shift online has brought long-lasting change. The ONS figures showed that 85 per cent of homeworkers wanted to use a hybrid approach of both home and office working in the future, and it’s a similar story elsewhere. This is not just a UK trend either. A recent survey of working adults based in the US by the Pew Research Center found that by early this year, almost six in ten (59 per cent) whose jobs could be done from home were working there – most of them (83 per cent) even before the breakout of the Omicron variant.
The same survey found that of those working from home, it was a choice in most cases. More than half of respondents (61%) said they are working from home instead of the office by choice rather than necessity.
In July 2022, Bloomberg even reported that the Netherlands is planning to make working from home a legal right to ensure employers are considering the needs and wishes of today’s workforce. Likewise, a recent survey by IDC revealed that 56% of employees based in the Asia Pacific region want flexible work with options to work both in the office and remotely to remain, even beyond the pandemic.
The security gap
The rollout of companies’ remote working strategies was among the outstanding achievements during the pandemic, but it was not without problems. In particular, industries were ill-prepared for the security implications. Many mid-market businesses’ cybersecurity strategies were built almost entirely around the corporate network and office locations. Meanwhile, equipment shortages meant staff often used personal laptops or technology without sufficient security such as standard desktop builds and accessing corporate networks via Virtual Private Networks (VPNs), in addition to strong password controls.
Moreover, the confusion, disruption and change the pandemic brought created new opportunities for attackers. Increased and exceptional public communications from various health organisations, governments and other bodies through SMS and email saw scammers look to capitalise on the disarray.
Ransomware, particularly, remains a key risk, with an organisation suffering an attack every 11 seconds in 2021, according to UK analysis from RSM. And that’s forecast to fall to every two seconds by 2031. Cybersecurity risk overall, meanwhile, remains the biggest threat to organisations’ growth through to 2024.
That is despite the fact that most businesses have by now had time to make significant changes to their security to adapt to homeworking. Virtual private networks have been set up; network and firewall configurations reviewed and revised; laptops refreshed with the latest anti-malware and security tooling; open ports closed to prevent workers from using removable media; and policies and procedures for homeworking reviewed and updated. Added to this, the confusion and disruption during the early stages of the pandemic have dissipated.
An evolving threat landscape
There are several reasons why companies are failing to manage the security risks. One is simply scale. As home and hybrid working has become normalised, the number of workers connecting remotely has massively increased. Businesses have now had time to adapt, but the IT risk landscape remains significantly more complex than when staff were almost all office-based. That complexity will only grow in many industries with the increasing breadth of connected devices and the Internet of things.
Moreover, while attackers no longer benefit from the confusion caused by initial spread of COVID-19, they can – and do – exploit the longer-term move online it has brought about. At least some of the surge in online shopping during the pandemic has persisted, for instance, with global worldwide eCommerce sales expected to exceed $5 trillion for the first time this year. That’s providing increased opportunities for phishing and other attacks linked to delivery notification emails and text messages.
The sophistication of these attacks also continues to grow. Old methods like fake emails that facilitate phishing, hacking or ransomware attacks continue to be effective because new technologies make them more convincing. Robotic process automation and artificial intelligence help bad actors produce messages indistinguishable from the real thing. Meanwhile, the number of potential attackers has multiplied. Developments such as ransomware-as-a-service are providing access to sophisticated attack tools for those without the technical expertise to develop them themselves.
Finally, as the risk has grown, so have expectations and consequences. Regulatory concern, particularly around critical infrastructure and other regulated industries, has led to increased requirements for resilience and security and the potential for sanctions and penalties in the case of failures.
Crucially, all this means that efforts to bolster security post-pandemic must be on-going, because the risk is always evolving. On the technical side, the increasing use of managed services is one way to address that: Giving businesses access to the up-to-date and sophisticated security, experts and infrastructure that they would struggle to match in-house – perhaps now particularly, given the skills shortages for technical staff.
However, even where they opt for this, the internal challenge remains. Our survey found that most cybersecurity breaches (95%) are still caused by human error: Configuration mistakes, weak passwords, or just opening the wrong email, website or link. Staff training is critical to addressing these to improve cybersecurity, and it needs to be regularly repeated and reviewed to respond to the ever-changing risk. In too many cases, that is not happening. Whilst our polling shows that over half of mid-market businesses (57%) are conducting regular (at least annual) cyber security and awareness training, but almost half are not.
As the world focuses on the economic recovery following the pandemic, businesses wherever they are based in the world are considering the increased productivity flexible working has brought and the demand from employees for it to continue. To meet the evolving security challenges that home working brings, and to safeguard the future of your business, the approach has to change. Homeworking looks here to stay. And that means regular, robust cybersecurity training must be part of the new normal, too.