Monday, May 19, 2025
The mass adoption of remote work transformed companies' attack surface overnight. From one day to the next, thousands of employees transitioned from controlled corporate networks to home offices with home Wi-Fi, personal devices, and improvised remote access. Cybercriminals quickly took advantage of this new reality: during 2020, attempts to intrude into exposed services skyrocketed. A clear example was the brute force attacks on Microsoft’s Remote Desktop Protocol (RDP), which increased by about 242% globally in 2020, rising from around 969 million attempts in 2019 to over 3.3 billion following the onset of working from home. In Spain alone, that same year, 178 million RDP attacks were recorded, compared to around 50 million the previous year. This explosion of malicious activity highlighted that extending the enterprise to every employee’s home brought with it new attack vectors and unforeseen vulnerabilities.
As of today, with hybrid work now normalized, digital threats linked to remote work remain very present. Various reports indicate that most recent security breaches originated from assets related to remote work. In Spain, a study revealed that 69% of organizations experienced at least one data breach in 2022, and in most cases, the incident started on remote employee devices, in attacks on exposed applications/infrastructure, or cloud services. More than a third of breaches were related to BYOD devices (personal devices connected to the corporate network), and 29% involved insecure Wi-Fi access points, while nearly another 30% were caused by improper use of corporate applications. At the same time, phishing attacks (identity impersonation via email) have solidified as the most frequent entry point for attackers, taking advantage of the lower physical and psychological protection of employees isolated at home. It is no coincidence that security officials cite remote worker access as one of their greatest current concerns – 33% highlight it as a critical vector – just behind cloud service attacks or ransomware, which have also intensified in recent years. The reality is that with a decentralized workforce, the traditional "perimeter" of the corporate network has blurred, multiplying potential entry points.
The economic consequences of these incidents have become difficult to ignore. According to estimates from IBM, the global average cost of a data breach reached a record high of $4.45 million in 2023. Part of this increase is specifically linked to remote work: when an incident involves remote work resources, its average cost can be nearly $1 million higher than that of a traditional breach. Spain is not immune to the problem: it is estimated that in our country, a security breach costs an average of 1.3 million euros in losses for the affected company, considering both the direct financial impact and the business disruption, loss of reputation, and remediation costs. Attacks during the pandemic revealed how a simple compromised VPN access or a lost corporate laptop can trigger very costly incidents. In fact, it is estimated that the main cause of immediate losses in recent breaches has been system crashes and downtime (affecting business continuity), followed by data manipulation or theft and ransomware-induced system lockouts. All of this confirms that a cybersecurity incident in the era of remote working can paralyze operations and result in million-dollar damages for companies.
In the face of this situation, companies have had to react by reinforcing their security policies and defensive capabilities. A critical factor is the human one: with employees working outside the controlled office environment, awareness becomes vital. Many organizations in Spain recognize that human error is behind a good part of the incidents – it is estimated that approximately 6 out of 10 attacks exploited oversights or human failures in 2024 – which is why they have intensified training and awareness campaigns. In fact, 66% of Spanish companies claim to have invested in additional cybersecurity training for their remote employees recently. The aim is to turn the worker into the first line of defense rather than the weakest link: from training to identify phishing emails, to periodic attack simulations, alongside clear protocols on handling sensitive information outside of the office. The corporate security culture is adapting so that protection travels with the employee, wherever they are.

Of course, technology plays an equally pivotal role in the response. One of the strongest trends has been the adoption of the Zero Trust model. Given the dissolution of the classic perimeter and employees connecting from anywhere and any device, Zero Trust proposes "never trust, always verify". In practice, this means that every attempt to access corporate systems is validated as if coming from an insecure network, requiring robust authentication (multi-factor, certificates, etc.) and assessing the security posture of the device before granting permissions. Moreover, the principle of least privilege is applied, so that every remote user only accesses the resources essential for their role. Many companies, both in Spain and globally, are migrating towards this approach; not surprisingly, it is estimated that by 2024 around 40% of organizations will have drawn up strategies to implement Zero Trust-based SASE (Secure Access Service Edge) architectures. SASE solutions integrate software-defined networks with cloud security services, providing high-performance secure access without relying on legacy VPN backhauls. With SASE, the remote worker's connection passes through distributed security nodes that inspect traffic, apply corporate policies, and filter threats in real time, whether the user is in the office, at home, or on the move. The result is a smoother yet more controlled experience, reducing exposure to malware, data leaks, and other risks when working in cloud and remote environments.
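The access decision described above can be sketched as a small policy check. This is an added example, not code from the article or from any vendor; the role names, resource names, posture fields and the 30-day patch threshold are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical role-to-resource grants (least privilege); names are constructed.
ROLE_GRANTS = {
    "accounting": {"erp-invoices"},
    "developer": {"git", "ci"},
}
MAX_PATCH_AGE_DAYS = 30  # assumed posture threshold


@dataclass(frozen=True)
class AccessRequest:
    user_role: str
    resource: str
    mfa_verified: bool
    device_managed: bool
    disk_encrypted: bool
    edr_running: bool
    patch_age_days: int
    source_network: str  # "office", "home", ...: recorded but never trusted


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, denial_reasons). Every check runs on every request;
    source_network is intentionally not an input to the decision."""
    denials = []
    if not req.mfa_verified:
        denials.append("mfa_required")
    if not req.device_managed:
        denials.append("unmanaged_device")
    if not req.disk_encrypted:
        denials.append("disk_not_encrypted")
    if not req.edr_running:
        denials.append("edr_not_running")
    if req.patch_age_days > MAX_PATCH_AGE_DAYS:
        denials.append("patches_out_of_date")
    # Least privilege: unknown roles get an empty grant set (default deny).
    if req.resource not in ROLE_GRANTS.get(req.user_role, set()):
        denials.append("resource_not_granted_to_role")
    return (not denials, denials)


# Constructed sample requests.
HEALTHY = dict(mfa_verified=True, device_managed=True, disk_encrypted=True,
               edr_running=True, patch_age_days=5)
home_ok = AccessRequest("developer", "git", source_network="home", **HEALTHY)
office_no_mfa = AccessRequest("developer", "git", source_network="office",
                              **{**HEALTHY, "mfa_verified": False})
byod_wrong_scope = AccessRequest("accounting", "git", source_network="home",
                                 **{**HEALTHY, "device_managed": False})
```

The office request without MFA is denied while the fully verified home request is allowed, which is the practical meaning of treating every network as insecure.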
Another fundamental layer in the technological strategy is the protection of endpoints that go outside the corporate umbrella. Here, modern EDR (Endpoint Detection and Response) tools stand out, replacing traditional antivirus to equip each company laptop and mobile device with intelligence. EDR continuously monitors system behavior, detecting indicators of attacks or anomalies, and allows for automated or remote responses to any incident (isolating a compromised device, for example). Thus, if an employee suffers an attack while working from home, the security team can be notified instantly and contain the threat before it spreads across the network. Together with unified endpoint management solutions (MDM/EMM), data encryption, and conditional access, companies are creating a kind of "security bubble" around each remote employee. Even small and medium organizations in Spain have adopted comprehensive security packages that include next-generation anti-malware, real-time threat detection, and centralized patch management to prevent an outdated laptop from being the entry point for an attack. This professionalization of endpoint security has become essential not only to meet industry standards but also to comply with new regulatory requirements.
Indeed, regulations are catching up with this hybrid reality. A recent milestone in Europe is the enforcement of the NIS2 Directive (Network and Information Systems Directive) in October 2024, which obliges companies in many sectors to strengthen their cybersecurity practices. NIS2 expands the scope of the original 2016 regulation to cover more industries (transport, energy, finance, digital providers, etc.) and imposes stricter requirements on risk management, protection measures, and incident reporting. For example, organizations must conduct periodic assessments of critical vulnerabilities, implement “security by design” controls in their systems, and even ensure that their digital supply chain meets minimum security standards. In case of non-compliance, penalties can be significant – similar to GDPR fines in magnitude – in addition to the reputational damage of being seen as a negligent security actor. In Spain, this has motivated many companies to accelerate improvement plans: from deploying advanced monitoring and response solutions to hiring specialized personnel and cybersecurity intelligence services. The NIS2 directive, along with international standards and frameworks such as ISO 27001 or the National Security Scheme, is pushing even top business management to engage more in cyber resilience in this era of distributed work.
Ultimately, the impact of remote work on corporate cybersecurity has been both a catalyst for risks and advancements. On one hand, it has been demonstrated that expanding the boundaries of the office elevates the level of exposure: phishing threats multiply, the surface for ransomware increases, and the complexity of protecting dispersed data grows. On the other hand, this very situation has driven an accelerated evolution in corporate defenses. Spanish companies, in line with their global counterparts, have adopted technologies and policies in just a few years that might have taken a decade to assimilate were it not for the pandemic. Zero Trust models, more secure cloud platforms, mandatory multi-factor authentication, network segmentation, behavior analysis using AI… are now part of the everyday vocabulary of IT departments. There is greater executive awareness of digital risk, and more is being invested in prevention, cyber insurance, and incident response plans. Although the general sentiment among some executives is that the peak risk has passed – only 34% of Spanish companies currently consider their level of exposure to be “very high,” a percentage that has indeed been declining since 2022 – experts warn against complacency. Adversaries continue to fine-tune their tactics and exploit any gaps, whether technical or human, especially in flexible work environments. The challenge, therefore, is ongoing: to combine the productivity and comfort of remote work with robust security that protects the organization. After these first years of forced experimentation, companies face the immediate future by applying the lessons learned: maintaining constant vigilance, fostering a culture of security in every employee, and investing in resilient technological architectures. Only then can they continue to reap the benefits of a more distributed workforce, minimizing risks in a landscape of continuously evolving cyber threats.
- José R. Estrella (CTO - Cybersecurity Beryon)