4 Major Cybersecurity Risks of Working From Home And how your company should prevent and manage them.

By Sam Curry Edited by Jessica Thomas

Opinions expressed by Entrepreneur contributors are their own.

monkeybusinessimages | Getty Images

Unprecedented numbers of people are working from home for the forseeable future, and we're dealing with everything from childcare to simply trying to find a quiet space for a call or to get work done. Our homes have become our offices, and in the rush to keep things going, we're using new systems and adhering to security policies in a way that's spotty at best.

At the same time, the boundaries between work and private life are breaking down: Business is being done over home ISPs, with unmanaged routers and printers, home automation systems in the background and even partners and children listening in on conversations or sharing machines while working for different organizations.

Related: 7 Cybersecurity Layers Every Entrepreneur Needs to Understand

And all the while, new security threats are surfacing. Some are old attacks brought back now that we're more vulnerable, and others are new scams that prey on our desires to get news, buy basic supplies, avoid infection and recover quickly if we do get sick. Traditional security measures that have been used daily for years can't protect a fully remote staff without adaption. That means we need to rethink our mindsets and approach to security right now.

The most important element of effective security in a time of change is to realize that while you can do anything, you can't do everything. The job of security is not to eliminate all risks, because all threats are not equally dangerous or likely, and they won't all be exploited at once. Discuss risk early and often, and revisit triage on a regular basis. The risks you face today will not be the ones you face next week or the week after.

These are four major risks businesses need to address to get ahead in this period of adjustment:

Hackers can manipulate VPNs without a view of the whole

Virtual private networks, or VPNs, have become the new lifeline for many businesses, extending encrypted networks to our homes. However, many home networks are already infected with malware or compromised hardware that can be exploited for staging attacks through machines with VPN termini. A compromised identity or a machine, especially when behavioral baselining on the backend is in flux, can allow hackers to piggyback through the VPN. It's critical to have endpoint integrity checking and strong authentication in place at this stage once the VPN is in place and active.

Related: Five Ways To Protect Your Company Against Cyber Attacks

There are also vulnerabilities for VPNs that require really understanding and internalizing rather than blindly trusting, and many applications that are becoming the new critical IT infrastructure will see new vulnerabilities. This is not cause for panic, but it does mean you need to talk to vendors and plan for patching and failover. Remember, vendors, too, are going through change and doing triage on their support and escalations, but start the dialogue now. Contact your hardware or software providers to ensure configurations and policies are in order, starting with the VPN, endpoint and identity solutions.

Endpoint first, then mobile

Although there are many endpoint challenges, the first priority is to ensure critical business processes recover. Then, make sure the new enterprise footprint is brought into the fold from a policy and control perspective. Next, focus on mobile, which is the most pervasive and ubiquitous platform in our personal lives. Employees who have to learn new devices and applications will turn to their phones even more than usual because they feel familiar. Most companies have established policies defining what can and can't be done with mobile phones, but set these policies if you don't already have them. Cyber criminals will start with identity theft and classic machine exploits, but they'll think of new ways to target them before moving on to other devices. Get ahead of mobile threats before dealing with other devices.

Information can be weaponized

In the past few weeks, attackers have started taking advantage of human weaknesses. For example, hackers developed a malicious mobile application posing as a legitimate one developed by the World Health Organization. A vulnerable person could easily mistake this malicious app for a real WHO app. Once installed, the application downloads the Cerberus banking trojan to steal sensitive data. These types of attacks essentially weaponize tools and information, because they can easily be done with applications that provide legitimate benefits, too. Before, attackers had to plan their cons for diverse interests and lures, but right now the entire world has a shared crisis. COVID-19 has become our common watering hole, but with the right awareness and education, we will be able to defend ourselves.

Physical location matters again

When employees take their machines home or use their home machines for work, those machines now sit in a physical and digital space unlike any within the office. Between routers, printers, foreign machines, devices, gaming consoles and home automation, the average home has a more complex and diverse communication and processing system than some small companies.

Related: The One Cybersecurity Risk You're Probably Not Even Thinking About

Employees might be taking conference calls within earshot of family members or even employees of other companies. Nothing should be taken for granted when it comes to the privacy of employee homes. Simple policies are important — these are relevant not only to security but also to privacy in general. Should employees have cameras on or off for meetings? Should they wear earphones? Should they take notes on paper or digital applications? How should they handle viewed or created IP or PII? What communications applications are acceptable? What happens when others intrude, see notes or overhear discussions? These questions might seem trivial, but you need to address them up front. Above all, listen and adapt when things aren't working.

These four areas are far from a complete list of the cybersecurity concerns you need to address. If you've got these under control, enumerate the risks that remain, sort them by order of importance and deal with them methodically.

Security is never "finished" because the opponent is never finished; cyber criminals are endlessly innovative and adaptive. In the words of Winston Churchill, "Never let a good crisis go to waste." Use this as the chance to start a new, ongoing security dialogue within your business.

Related: 5 Cybersecurity Tools Your Company Should Have

Sam Curry

Chief Security Officer at Cybereason

Sam Curry is CSO at Cybereason. He is a security visionary and thought leader and has been interviewed by dozens of journalists, has published broadly and has talked in media on security trends, threats and the impact of "cyber" on us all.

Want to be an Entrepreneur Leadership Network contributor? Apply now to join.

Science & Technology

This AI is the Key to Unlocking Explosive Sales Growth in 2025

Tired of the hustle? Discover a free, hidden AI from Google that helped me double sales and triple leads in a month. Learn how this tool can analyze campaigns and uncover insights most marketers miss.

Business Ideas

63 Small Business Ideas to Start in 2024

We put together a list of the best, most profitable small business ideas for entrepreneurs to pursue in 2024.

Business News

A New Hampshire City Was Named the Hottest Housing Market in the U.S. This Year. Here's the Top 10 for 2024.

Zillow released its annual lists featuring the top housing markets, small towns, coastal cities, and geographic regions. Here's a look at the top real estate markets and towns in 2024.

Business News

'We're Not Allowed to Own Bitcoin': Crypto Price Drops After U.S. Federal Reserve Head Makes Surprising Statement

Fed Chair Jerome Powell's comments on Bitcoin and rate cuts have rattled cryptocurrency investors.

Business Ideas

Is Your Business Healthy? Why Every Entrepreneur Needs To Do These 3 Checkups Every Year

You can't plan for the new year until you complete these checkups.