The cyber security risks of working from home

As organisations prepare for what life looks like in a post-pandemic world, one of the many issues they’ll have to address is IT security for home workers.

A remote workforce comes with myriad dangers, with employees relying on their home networks – and sometimes their own devices – to complete tasks. And you’d better hope they have technical skills, because should they experience any technical issues, there’s only so much your IT team can do to help.

According to the Velocity Smart Technology Market Research Report 2021, 70% of remote workers said they had experienced IT problems during the pandemic, and 54% had to wait up to three hours for the issue to be resolved.

Yet, for better or worse, remote working is here to stay, with the benefits simply too appealing.

Indeed, a Gartner survey has found that 47% of organisations will give employees the choice of working remotely full-time once the pandemic is over, and 82% said employees can work from home at least one day a week.

If you’re among the organisations giving employees that choice, you must take the time to review whether your remote working practices are suitable. You may have escaped unscathed so far, but it only takes one mistake for disaster to strike.

We explain everything you need to know in this blog, including our top tips to ensure remote workers stay safe.

Online work increases cyber security risks

Without the security protections that office systems afford us – such as firewalls and blacklisted IP addresses – and with an increased reliance on technology, we are far more vulnerable to cyber attacks.

The most obvious risk is that most of our tasks are conducted online. After all, if something’s on the Internet, then there’s always the possibility of a cyber criminal compromising it.

Your Cloud documents, emails and attachments, instant message clients and third-party services are all vulnerable – and with so much information being shared digitally, your attack surface has grown much wider.

Meanwhile, according to Cisco’s CISO Benchmark Report 2020, organisations are struggling to manage remote workers’ use of phones and other mobile devices.

Many employees are using their personal devices for two-factor authentication, and they may well have mobile app versions of IM clients, such as Teams and Zoom. These blurred lines between personal and professional life increase the risk that sensitive information will fall into an insecure environment.

There’s nothing your IT team can do to protect you from this, which is causing major headaches. Indeed, according to Cisco’s report, 52% of respondents said that mobile devices are a major challenge when it comes to cyber security.


You can find more tips on how to work from home safely and securely by taking a look at our new infographic.

This guide explains five of the most significant risks you and your organisation face during the coronavirus crisis.


Another threat that remote workers face is the possibility of attackers sending phishing emails. These are scams designed to fool people into handing over their details or downloading a malicious attachment containing a keylogger.

The dangers of phishing should already be a top concern, but things are especially perilous during the coronavirus crisis.

A recent report found that there has been a 600% increase in reported phishing emails since the end of February, with many of them cashing in on the uncertainty surrounding the pandemic.

To protect against this risk, all work where possible should be done on a corporate laptop subject to remote access security controls. This should include, at the very least, two-factor authentication, which will mitigate the risk of a crook gaining access to an employee’s account.

This ensures that the necessary tools, such as anti-malware software and up-to-date applications, are in place to defend against potential risks.

It also gives your IT team oversight of the organisation’s IT infrastructure and allows it to monitor for malicious activity, such as malware and unauthorised logins.

Tired employees make mistakes

You may have felt over the past year that remote working is more tiring than being in the office. Perhaps you lose motivation in that post-lunch, not-quite-early-enough-to-clock-off window where you’re simply going through the motions.

If so, you are far from the only one. A Society of Human Resources Management study found that 35% of employees reported feeling tired or having little energy while working from home.

Similarly, the Velocity Smart Technology Market Research Report 2021 found that half of UK workers cited a lack of motivation while working remotely.

This should be a major worry for organisations, because tired or unmotivated employees are liable to make careless errors – whether that’s in the quality of their work or a poor decision that jeopardises the security of sensitive information.

Two of the contributing factors behind this are inherent to the nature of remote working. First, employees are more likely to be distracted. This is particularly true if they have spouses or children at home, but it could be as simple as knowing you have the washing up or the laundry to do.

By taking your mind off work, you become less attentive to the small details. Perhaps you’ll rush an email and send it to the wrong person, or you’ll file a confidential document in the wrong place.


The second issue is that, despite being distracted, remote workers might actually spend more time working.

An Office of National Statistics study found that remote employees worked five hours a week more on average than those who worked in the office. They also did six hours of unpaid overtime on average per week, compared to 3.6 hours for those who never work from home.

This is likely the result of home workers either overcompensating for the flexibility that’s afforded to them, or giving in to the temptation to put in a few extra hours in their spare time given the accessibility of the work environment.

With no need to commute into the office, it’s easy to stay late or log in again in the evening or on weekends.

And as admirable as it is to put in those extra hours, it makes you susceptible to mistakes. After a long, productive day, it’s so easy to make one critical mistake that undoes your good work.

It could be as basic as saving a document in the wrong location or not configuring the database you’ve been working on properly.

No matter what task you’re working on, you must give it the attention that it deserves – even if that means shutting off your laptop at the end of the day and coming back to it when you’ve had time to refresh your mind.

Control the risk

Any organisation with employees working from home must create a remote working policy to manage the risks.

If you don’t know what this should contain, our Remote Working Policy Template provides everything you need to know.

It includes guidance on storing devices securely, creating and maintaining strong passwords, and an acceptable use policy for visiting websites that aren’t work-related.

Organisations should also explain the technical solutions they’ve implemented to protect sensitive data and how employees can comply. For example, we recommend applying two-factor authentication to any third-party service that you use.

Although it shouldn’t be a concern during the lockdown, your remote working policy should also address the risks that come with employees handling sensitive information in public places.

For example, when business goes back to normal, staff may well use company devices in places such as trains and cafés, where opportunistic cyber criminals can lurk without drawing attention to themselves.

Security incidents are just as likely to occur even if there isn’t a malicious actor. Consider how often you hear about employees losing their laptop, USB stick or paperwork.

Recognise, respond, recover

It’s been rough sailing for organisations in the past year or so. In addition to COVID-19 and the risks of remote working, there has been – and still is – disruption caused by Brexit, increasing public awareness of data privacy and growing regulatory pressure around data protection.

If you’re looking for help navigating these risks, IT Governance is here to help. We offer a range of data protection and cyber security training, tools, software and consultancy services – all of which can be delivered remotely.


A version of this blog was originally published on 6 April 2020.
