“Lockdown made a massive change – probably the biggest change I’ve seen in my career – to how we work,” says Jamie Moles, a security strategist at network security specialists ExtraHop. “And the vast majority of people weren’t ready.”

ExtraHop’s clients, like most organisations, had to find a way to work during the early days of the pandemic – and find it quickly. Kitchen tables became office desks, domestic wifi took over from the corporate network and the much-discussed “digital transformation” that was always six months down the line happened overnight.

After an uncomfortable start, most businesses have found a way to get by. So much so that some are grasping the opportunity, post-pandemic, to encourage regular work from home and cut their office space. A November 2020 report from Cisco showed 50% of businesses in the UK and US intended to continue working from home once the pandemic is over.

The report also found that for nine out of 10 organisations, improving cyber security had become their top priority. Thanks to cloud computing, it’s largely possible to do most of what you would do in the office from your sofa. But businesses have found, often to their cost, that it’s harder to do it securely.

The speed at which cloud services have been set up has been one of the most obvious security problems. “The cloud dramatically expands the attack surface,” Moles says. “And the biggest problem I see is simple lack of knowledge.”

According to ExtraHop’s statistics, 62% of cloud services are misconfigured. These might be simple fixes, such as not turning on security features, for example two-factor authentication (a login requiring a password and a code sent to a mobile), data encryption or closing ports through which attackers can gain access.

Misconfiguration might also lead to users not being able to do something simple like share important files or access the company’s systems using a virtual private network (VPN). In response, teams or departments may set up informal ‘shadow IT’ applications to share data that is not secured. “Every user wants to get the job done. If the company is struggling, they will provision their own services. You can’t blame them for that,” Moles adds.

The solution? Do not rush out important applications and listen to the needs of users.

Email is your biggest security leak

In the early weeks of the first lockdown, security professionals tracked a huge increase in phishing attacks delivered in email. These attacks use email to encourage users to click on a link that installs malware that can then lead to data being copied or retrieved without authorisation – or even a ransomware attack.

Thom Bailey, senior director for product and strategy at email security specialist Mimecast, says there has been “little innovation” in the sophistication of the hidden malware itself. The difference, he warns, is that the email exploits our isolation or feelings of stress during times of uncertainty. “Email has become the preferred choice as an attack vector,” he says. “It is successful because of the anxiety produced by the pandemic.”

Successful phishing emails may pretend to be from an entertainment service with a free offer, or a familiar organisation offering coronavirus advice. The fake login extracts our credentials, and then tries the combination of email and password on other services. Worse, it can install malware that does not immediately compromise the device, but allows a hacker to access corporate information at a later date.

The standard advice is never to click on a link in email. Anti-phishing security software will spot most attacks. Also, password manager software helps create strong passwords and means we don’t need to reuse our favourite combinations, making credential-stealing attacks less dangerous.

Sophisticated attacks

While the increase in email attacks is mostly due to the use the basic social engineering strategies designed to make already anxious people feel worse, more sophisticated attacks are also on the rise. Traditional security defences that block emails do it by keeping a list of fake domains and automatically comparing the links in incoming email, explains Dan Fein, director of email security products at Darktrace.

But with the price of domains at almost nothing, attackers are increasingly registering thousands of new ones that security software will not block. Partly as a result, spear phishing – in which cyber attackers go after small numbers of high-value targets – is also on the increase. “We’re starting to see domains being used in email attacks a single time,” he says. “New types of attack will skirt your legacy defences.”

Some spear phishing attacks don’t even contain a link in the first message. Instead they use information collected form corporate web sites, LinkedIn or other public sources to create a convincing email from a “colleague”, or a fake business partner, and establish an email dialogue.

Security providers like Darktrace counter these threats using machine learning to train its software to ask: “Does this email seem to belong?” The software then either holds back the email or delivers it with a warning.

Trust no one

A radical but effective security technique is called ‘zero trust’. It does exactly what it promises: trusts no one, no device and no connection.

Traditional security is built on the idea of a perimeter of trust, explains Mike Wronski, director of product marketing at IT management specialist Nutanix. Access to the company network is surrounded by a firewall. Inside it, every device is trusted according to company policy.

For the post-pandemic workforce, there is no equivalent perimeter. This may make it easier for attackers who have gained access from a remote user to move around inside the company network. 

Zero trust implements thousands of tiny firewalls whenever there is traffic from any device to any other, denying access unless it knows that this is a legitimate request. This is clearly extremely secure, but critics point out that building large-scale zero trust infrastructure may be difficult and expensive. And few businesses have a lot of time or money at the moment.

One solution, Wronski says, may be to treat zero trust as a journey, and build zero trust one application or resource at a time, targeting the most vulnerable or highest-value targets.

Balance security with accessibility

One of the most trivial but most important ways security is breached when we work remotely is users turning off complicated or tricky access controls. BlackBerry Cylance (yes, that Blackberry – the original smartphone maker reborn as a mobile security specialist) aims to deliver zero-trust access that users hardly notice.

“A lot of security technologies are reactive,” says engineer James Alderman from BlackBerry Cylance. “We aim to be predictive.” The application uses passive biometrics: it learns how you type, or the distinctive angle at which you hold a phone or swipe a screen. It also checks if the location of your device makes sense, or the time of day you seem to be working. If the application is unsure, it asks for an additional password. If something seems seriously wrong, it locks you out. But if everything checks out, access is quick and easy.

The lesson is that security is often improved if it is easy to use – and implementing some smart biometrics can encourage good habits without impeding productivity.