The dust has largely settled around the pandemic-accelerated shift to remote working, and most companies have now learned to embrace — and employees come to expect — a greater or lesser degree of hybrid employment between the office and the wider world. However, the cybersecurity risks associated with this shift are still a live question, with average weekly cyber attacks still on the rise.

Malicious actors wasted no time taking advantage of the cybersecurity weak points offered by the shift to remote working. In 2020, at the height of the pandemic, Russian hacking group Evil Corp launched attacks against at least 31 businesses, deploying the WastedLocker ransomware virus to lock file systems and demanding up to $1m for their release. The group targeted the VPNs used by remote workers to access company systems; those allowed the group to identify which company an individual worked for and then infected the employee’s device when they visited a public site.

As companies have worked to adapt their day-to-day processes to the new remote working world, the sophistication of these hacking attempts has increased. In July 2024, security software provider KnowBe4 revealed that a bad actor from North Korea had passed four video conference-based interviews and other background checks while impersonating an IT worker in an attempt to be hired at the company and gain access to internal systems. The criminal effort was only discovered after the company delivered an Apple Macbook workstation to the would-be employee and it immediately started to load malware.

Harvey Copplestone, founder and CEO of Phishr, says: “The pandemic didn't just change where we work – it transformed how criminals attack us. Pre-pandemic, cybercriminals were fishing with nets; now they're fishing with spears.”

As these examples show, hybrid working brings new challenges for cybersecurity teams. It offers fresh attack surfaces for hackers, exposes organizations’ devices and data, and gives employees plentiful opportunities to neglect good practice.

It’s no surprise cyberattacks are still rising. In Q3 2024, an average of 1,876 cyber attacks per organization per week were recorded — a 75 percent increase on Q3 2023. In this environment, what practical measures should businesses take to protect themselves and their data?

Building a full picture

A truly comprehensive cybersecurity regime isn’t just aimed at specific points or addressing areas of weakness as and when they arise. Full security means full awareness, taking a thorough view of the business’s operations.

Chief Information Security Officer at EQT, João Pedro Gonçalves, describes how the firm mapped out relevant risks and then worked with employees to address those issues. This meant equipping employees with the skills to spot and prevent social engineering attacks — whether via email, text, or video — rather than focusing solely on potential data exfiltration.

Companies need to identify and understand their own cybersecurity risks, implement adequate controls that will lead to the protection of threats against the company, Gonçalves says.

This includes password hygiene and secure data-sharing practices, as well as continuous training to help staff identify telltale signs of phishing, smishing, or vishing attempts, and recognize when they’re being manipulated or scammed in real time.

“There’s then the governance around building the team, being at the table with the board, and putting cyber on the table of the executives,” he says. “Then, in the middle of these two, is to work with people, to educate them on the dos and don’ts of cyber threats.”

The human element

Social engineering, whereby employees are tricked or manipulated into making mistakes or giving away sensitive information, or phishing, where users are tricked into clicking a link in a fraudulent email, are among the most popular means of gaining illicit access to a network or file system. Verizon’s 2024 Data Breach Investigations Report found that more than two-thirds of breaches involved some kind of non-malicious human element, such as clicking the wrong link or being lured into making a mistake.

In August 2023, Caesars was the target of a variation of this kind of attack, in which the hacker called the company’s IT helpdesk pretending to be an employee locked out of their account. Duly provided with new login details, the attackers gained administrator access and shut down swathes of the company’s operations. Caesars paid $15m in ransom to get their systems back online.

Employees — especially those on the front line, like IT staff — should be taught how to handle these kinds of threats. When a purported employee gets in touch with a request, take extra care to verify that the inquiry is genuine. Has the individual provided any personal details which can’t be found on LinkedIn or otherwise publicly? Has the issue they are complaining about, like a locked account, been independently verified? It’s harder to do this when you can’t walk over to the person’s desk to check that they are who they say they are.

And as much as employees need to be trained to recognize the immediate risks posed by bad actors making a direct move against a company, good cyber hygiene also means teaching people how to handle data properly on a day-to-day basis. Ensuring employees are aware of the importance of handling and sharing data correctly, and the threat posed by opportunistic data exfiltration, can go a long way towards mitigating cybersecurity risks.

“Organizations need to rebuild the informal security checks that naturally existed in the office,”Phishr’s Copplestone says. “This means creating virtual spaces for those quick ‘Does this look suspicious?’ conversations, like dedicated Slack/Teams channels for flagging potential threats or providing easy access to security teams.”

As well as the ongoing technical work of regular security audits and updates, companies should, for example, have clear guidelines for remote work and strict rules on the handling of sensitive personal and commercial data.

Planning and precautions

It’s not just the direct risks of loss and ransom that companies have to contend with. Cybersecurity has been a growing concern of authorities and regulators for several years, and those watchdogs have become just as attuned to the increased risks posed by hybrid working as companies. While preventing a breach from happening is always the primary goal, if one does occur, it can be just as important for a company’s bottom line and reputation to show that it took every precaution.

Managing these growing regulatory requirements requires a concerted effort from businesses through more rigorous security protocols and greater attention to human risks.

“We are navigating the complexities of diverse regulatory frameworks to ensure we meet evolving requirements,” Gonçalves says.

As AI technology rapidly evolves, so do the security and regulatory requirements that corporations must navigate. “There are the deepfakes, but also how you work withAI tools. Building that understanding now, that knowledge, that’s the next frontier,” says Gonçalves.