The coronavirus is sweeping across the globe, and as countries enforce lockdowns and send people into quarantine, working from home has become the new normal. For some, this is business as usual; for others, it introduces new challenges and strains on both business operations and information security. IT infrastructure may not be designed for remote work, and security weaknesses quickly become apparent.
Home Office Challenges
For many, remote work during the coronavirus pandemic isn’t a choice—it’s a necessity. Many employees are not used to working from home, and business processes and infrastructure were never adapted for widespread remote work. This creates a significantly increased risk of data leakage. As users adjust to these changes, IT and security leaders must take an active role in ensuring information security is upheld.
Some of the key risks include:
1. Cybercriminals
Cybercriminals have seized this opportunity and are already launching phishing emails, fake websites, malicious attachments, and more. With users working alone and actively seeking updates about the pandemic, the coronavirus phishing industry is booming. While it's too early to say how many will fall victim, historically, 90% of successful cyberattacks begin with phishing.
2. Bring Your Own Device (BYOD)
BYOD—when employees use personal devices for work—is becoming more widespread. While it may stem from personal preference or convenience, during quarantine it becomes necessity. Personal laptops, smartphones, tablets, and other devices are being used to access and store company data.
This poses major risks:
- Businesses lose visibility and control over data.
- It’s unclear where sensitive information is stored, for how long, or who has access.
- Personal devices may not follow security best practices.
3. Poor Patching
Security updates and patch management may suffer during the crisis—especially for endpoints like laptops now disconnected from corporate networks.
Users working on personal devices may:
- Be running outdated software (e.g., Windows 7)
- Miss critical patches
- Rely on unsupported applications
Even major vendors have warned of delayed patch releases due to COVID-19. For example, Microsoft left a critical vulnerability unpatched during a recent Patch Tuesday, merely issuing a warning instead.
4. Rogue or Shadow IT
Shadow IT has long been a problem for security teams. Employees or departments often bypass official tools, setting up unauthorized software or cloud services to avoid red tape.
In a remote work environment, this trend accelerates:
- Users turn to WhatsApp, Dropbox, Gmail, OneDrive, and Box
- They transfer and store sensitive documents outside approved channels
- Leakage becomes inevitable without IT visibility
5. Insecure Home Networks
Corporate Wi-Fi networks are (hopefully) secured with WPA2 encryption and strong passwords. Home networks? Not always.
Many home users:
- Still use default router settings
- Run on outdated WEP encryption
- Share Wi-Fi passwords with others
Some attackers even use tools like Wi-Fi Pineapple to set up rogue access points and intercept traffic—especially if you’re a high-profile target.
What Can Be Done?
Some businesses had a Business Continuity Plan (BCP) in place. Others were caught off guard. Regardless of preparation, every organization can benefit from the following best practices:
Security Awareness Program
If you don’t have one, start now. If you do, dust it off and re-engage users.
No technology can substitute for a well-informed employee. Even with the best security tools, an unaware user can:
- Click on a phishing link
- Download malicious files
- Bypass secure systems
Security-aware employees are more likely to follow secure procedures, spot risks, and avoid costly mistakes.
Move to the Cloud
The cloud enables secure, remote access to systems from anywhere.
Benefits include:
- Multi-Factor Authentication (MFA)
- Geo-restricted logins
- Built-in security powered by AI-based threat detection
Cloud adoption also makes it easier to manage updates, access controls, and user behavior.
Conduct Risk Assessments
Risk assessments help organizations:
- Identify and prioritize vulnerabilities
- Understand their risk tolerance
- Implement effective mitigation strategies
During COVID-19, reevaluate processes and stop or adjust any that pose unacceptable risk levels.
Classify Your Data
To protect your data, you must first know what you have.
Why classify data?
- Unstructured files (documents, spreadsheets) often contain more risk than structured databases
- They are harder to track, replicate more easily, and are distributed across multiple endpoints
Automated classification should:
- Run on every device (servers, endpoints, cloud)
- Identify the sensitivity level of each document
- Provide a centralized overview of access, location, and volume
This is especially critical now, as users download data to work offline, increasing the risk of exposure.
Monitor and Log Activity
Monitoring doesn’t directly protect your data, but it enables early detection of threats.
Logs should be actively reviewed, not just stored. Otherwise, they serve only for post-incident analysis.
Key things to monitor:
- Logins from unusual locations or times
- Multiple failed login attempts
- Unusual download activity
- Privilege escalations
- Creation of unauthorized users
- Large amounts of encrypted outbound traffic
Keep IT Security Involved
As users adapt workflows to avoid bottlenecks, IT security must remain part of the conversation. If not, shortcuts will be taken, and security will suffer.
Just as HR handles people-related risks, and Legal handles compliance, IT Security must be embedded in all processes that involve information and data flow.
In Conclusion
COVID-19 has reshaped the way we work. While remote work brings flexibility, it also opens the door to significant data security risks.
Businesses must act swiftly to:
- Adapt their security posture
- Train employees
- Implement automation and classification tools
- Build resilience through better visibility and governance
Data leaks don't stop during a pandemic—they accelerate.
Preparation and awareness are your best defense.
