Strong WFH cybersecurity is what hackers least expect.  Hackers noticed the abrupt upheaval of an incredibly high percentage of previous business processes.  And, they saw opportunity.  They saw the speedy move away from office-based work environments as exactly the kind of tumult they wanted.  It caused well-intentioned companies and well-intentioned employees to let down their guard as the threat landscape grew and evolved.  Let’s dig into how hackers apply old, new, and revised threat vectors to make the most of what they believe will be a cavalier attitude towards WFH cybersecurity.

What’s Old is New Again

First, let’s discuss a phrase that we’ve heard all too often from companies that were accustomed to occasionally allowing work from home.  As we all know, those same companies abruptly transitioned to almost always allowing (requiring?) employees to work from home.  A concerning storyline goes like this: “WFH isn’t new to us at all, we’ve been working from home occasionally for many years… so why would we have any new cybersecurity concerns about WFH now?”

Exercise caution if this is a storyline you are hearing inside of your organization.

More WFH Equals a Bigger Target for Hackers

Let’s start by looking at some crucial census data analyzed in 2017.  We know that around that time approximately 5.2% of employees worked completely from home.  Put yourself in the shoes of a hacker in 2017. Would you have been more focused on vulnerabilities of WFH team members – 5%, or in-office team members — 95%?  I bet you’d be focused on the 95%.

In comparison, in a PwC study from June 2020, approximately 70% of survey respondents were working from home.  Where now, would you put your focus?  Put on your pretend-devious-hacker hat.  I assume you’d choose to focus your attacks on the burgeoning 70%+ WFH population.

Top Threats to Manage with WFH Cybersecurity

Now that WFH employees are squarely in the crosshairs of hackers, let’s evaluate some of the cybersecurity weaknesses that are most damaging to strong WFH cybersecurity:

1. Unpatched Routers

39% of routers have not had any new security patches installed in the past 12 months.  That’s bad — really bad.  It implies that readily available exploits can be broadly applied to a substantial portion of home networks.  And don’t get us started on WEP, UPnP, and other problematic configurations — even if the router is patched.

2. Phishing

Imagine you are in the office and receive the all-too-common phishing attempt that claims to be from some trusted member of your management chain, requesting you to take some particular urgent action.  In the office, there is a good chance that you can pop up from your desk and casually walk by that person’s workspace to confirm the task.  At home, you might find yourself contemplating the notion of willfully interrupting your boss, or your boss’s boss, or your boss’s boss’s boss, via an unexpected phone call, to ask if the email is legitimate.  Will you?  Maybe.

3. Shadow IT

We’ve covered Shadow IT extensively.  In a recent post on this blog, we offered six ways to minimize, mitigate, and manage Shadow IT.  Unfortunately, WFH brought an explosion in the prevalence of Shadow IT.  If you need some particular SaaS tool or mobile app to do your job, it’s pretty easy to just decide to go directly to the provider’s website and create an account.  Especially if there is a free trial.  The alternative, going through the “correct” channels, sounds like something that would be full of red tape and slow down your progress.  So, Shadow IT creeps in, and continues to expand its reach.  Especially in a WFH environment where it can be difficult to determine a tactful / frictionless way to go through the “correct” channels.  A casual walk past the IT person’s desk is no longer an option.


You can achieve strong WFH cybersecurity.  The above concerns are manageable, but they take a strong focus and an awareness of the growing threat landscape.  Want a hand?  We can help with all of the above topics.  We’re standing by to spring into action as your trusted cybersecurity provider.