
Why WFH can leave employers and employees vulnerable to cyber-attacks

The BBC recently revealed the results of a survey from the UK and US-based security firm, Tessian. It discovered that 56% of senior IT technicians believe their employees have picked up bad cyber-security habits while working from home during the pandemic. It also unveiled that many employees agreed with that assessment.



Nearly two in five (39%) admitted that their cyber-security practices at home were less thorough than those practised in the office. And perhaps worryingly, half of those surveyed admitted that this is a result of feeling less scrutinised by their IT departments during the pandemic.


"One of the main mistakes we've seen is moving company data to personal e-mail accounts," says Henry Trevelyan-Thomas, Tessian's vice-president of Customer Success.


"When you do that, it's likely you don't have any sort of two-factor authentication. This then makes it easier for attackers to exploit that data. If data is leaked, attackers compromise it and it can end up in the wrong hands."


Also, as we have highlighted in previous blogs and on social media, there has been a vast growth in the number of coronavirus-themed phishing emails and texts targeting employees.


During the height of the pandemic in 2020, network security firm Barracuda Networks said it had seen a 667% increase in malicious phishing emails. Google also reported, at the time, that it was blocking over 100 million phishing emails daily.


"Social engineering and phishing work best when there's a climate of uncertainty," Casey Ellis, founder of security platform, BugCrowd, told the BBC. "As an attacker in that scenario, I've got a base of fear to work off of."


Mr Ellis said that hackers were using the pandemic, and the subsequent Covid-19 vaccines, as a hook, luring people who were not yet vaccinated with the promise of vaccination appointments.


"You've got an entire population wanting the pandemic to end. They're more likely to click on that," he says. "I think that companies should proactively consider that it's a really good time to invest in training to work through these kinds of scenarios."


The consequences of phishing attacks can often be disastrous. Large multinational companies may have the ability to recover from financially motivated cybercrime such as ransomware, but such cyber-attacks can be catastrophic for small and medium-sized businesses and for individuals.


In November 2020, a Sydney-based hedge fund went bust after a senior executive clicked on a fake Zoom invitation. The company - Levitas Capital - reportedly lost $8.7m to the cyber-attack and was forced to close.


"The hackers were able to access their systems, sending out multiple fraudulent invoices, and the damage was so great that their largest client pulled out of a planned multi-million-dollar investment," says Tony Pepper, the co-founder of security firm Egress. "With enough pressure, businesses will fold."


Now, with many employers welcoming back workers to the office, experts say there are several steps companies should take to ensure that proper security procedures are put in place to keep both themselves and their employees safe.


Mary Guzman, the founder of Crown Jewel Insurance, is urging firms to carefully screen personal devices that have been used for work on a remote basis during the pandemic.


"Before anyone is allowed to use them, or connect to any corporate network, appropriate analysis and protective measures should be taken to ensure malware is not present," she told the BBC. "Until that can safely take place, perhaps personal devices should not be allowed back in the office."


Mrs Guzman stressed that employers now have two options to consider: they can re-train their employees to be aware of and responsible for their own cyber security now that the country is slowly re-opening, or prepare themselves to "face the ramifications for failing to do so."


Meanwhile, Tessian's Henry Trevelyan-Thomas says that the number one priority is for companies to take urgent steps to address these threats if they haven't already. He believes the current heightened risk of cyber-attacks is likely to persist and become the norm.


Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).


The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.