Nine months of remote work: how the attack surface changed
By autumn 2020, companies that shifted to remote work in the spring had accumulated new security risks - often without realising it. What changed and what to look at now.
In spring 2020, the shift to remote work happened in a matter of weeks. Decisions were made quickly: VPN services for access, corporate messengers, video calls. Security was usually secondary - the first priority was simply getting people working.
By September, nine months had passed. Temporary solutions had become permanent. And over that time, the company's attack surface changed - often significantly.
I am not saying everything is broken. I am saying it is time to audit what has accumulated.
What was added over these months
Personal devices in the work perimeter. Not every employee had a corporate laptop. Many worked from personal machines with whatever software was installed, no corporate antivirus, no disk encryption. Through those machines they connected to work systems.
VPN without segmentation. Quickly deployed VPNs often granted broad access on the principle that "the employee is connected to the network". But access to the network is not the same as access to specific systems. Where segmentation was absent, a compromised employee machine could potentially see everything.
Cloud tools chosen by teams independently. When IT could not keep up, people took whatever was handy: free Zoom, personal Dropbox, public Notion pages. Data started living outside any perimeter anyone controlled.
Phishing with COVID themes. Attackers adapted quickly. Emails with "remote work policy update" or "important information about payments" are not theoretical examples; they were actively circulating.
Why this deserves attention now
In the first few months people were more careful - the situation was new and everyone was alert. After nine months, fatigue had built up and vigilance declined. Meanwhile the tools and access granted in the spring were still in place.
This is a standard pattern: the risk is not where things started, it is where things accumulated.
Three things to check right now
Access audit. Who has access to what? Who was given expanded access in March and April "temporarily"? Was it revoked?
Inventory of cloud tools. What are teams using for work and file sharing beyond the corporate systems? Not to ban it - but to understand where the data lives.
Device policy. Who is working from personal devices without corporate security policies? This does not necessarily need to be banned immediately, but it needs to be known.
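One way to run the access audit described above, as an added example that is not part of the original article: it reads an export of access grants and lists those issued in March and April 2020 that are still active on the audit date. The CSV column names, the sample rows and the function names are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export; the column names are assumptions, not a real product's schema.
SAMPLE_EXPORT = """user,resource,granted_on,revoked_on,note
a.ivanova,finance-share,2020-03-18,,temporary for remote work
b.petrov,vpn-full-network,2020-04-02,2020-06-15,temporary
c.smirnov,crm-admin,2020-03-25,,
d.orlova,hr-database,2019-11-04,,role-based
e.kuznetsov,build-server,2020-04-20,2020-12-01,temp until office reopens
"""

RUSH_START = date(2020, 3, 1)   # the spring rollout window named in the article
RUSH_END = date(2020, 4, 30)
TEMP_MARKERS = ("temporary", "temp", "interim")


def parse_day(value):
    """Return a date for an ISO string, or None for an empty cell."""
    value = value.strip()
    return date.fromisoformat(value) if value else None


def stale_spring_grants(export_text, audit_day):
    """Grants issued in March-April 2020 that are still active on audit_day."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        granted = parse_day(row["granted_on"])
        revoked = parse_day(row["revoked_on"])
        if granted is None or not RUSH_START <= granted <= RUSH_END:
            continue
        # A revocation dated after the audit day has not taken effect yet.
        if revoked is not None and revoked <= audit_day:
            continue
        note = row["note"].lower()
        findings.append({
            "user": row["user"],
            "resource": row["resource"],
            "days_active": (audit_day - granted).days,
            "marked_temporary": any(m in note for m in TEMP_MARKERS),
        })
    # Grants explicitly labelled temporary go first, then the oldest.
    findings.sort(key=lambda f: (not f["marked_temporary"], -f["days_active"]))
    return findings


if __name__ == "__main__":
    for finding in stale_spring_grants(SAMPLE_EXPORT, date(2020, 9, 30)):
        print(finding)
```

Grants with no "temporary" note are still reported, because access handed out in a hurry was not always labelled.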
Security in remote-work mode is not a one-time setup. It is a process that requires regular attention. Nine months is a good moment to start that process.