When COVID-19 hit, businesses scrambled to go fully remote as employees worked from home.
Many provided company-issued devices, but others had to rely on their employees using their own laptops and computers, which left security holes.
Cybercriminals love holes, and they love the kind of chaos that the coronavirus brought.
In fact, approximately 24% of firms in a Malwarebytes survey said they paid unexpected expenses to address a cybersecurity breach or malware attack following shelter-in-place orders, and many that thought they were on top of security were actually lacking some fundamentals like updated antivirus solutions.
“It could have been a lot worse, but there’s always room for improvement,” says Adam Kujawa, director of Malwarebytes Labs, the intel arm of Malwarebytes, a Santa Clara, California-based provider of anti-malware software.
He said firms were increasingly on the path of becoming more remote-enabled before COVID, but “until the pandemic hit we didn’t know how these remote enablement tools would fare under such heavy use.”
And it can be costly, considering the average ransomware payment in Q4 2019 was $84,116, up from $41,198 in Q3 2019, according to Coveware, a ransomware recovery company.
Malware threats such as Ave Maria, which lurks on a computer stealing critical information and passwords, saw a bump of 1,219% from January to April 2020, according to the Malwarebytes report. It’s often installed on a user’s device via malicious phishing emails masked as legitimate ones, where the user might click an innocent-looking link or download a file, Kujawa says.
Phishing emails are the biggest threat factor that Michael Maser has seen during the pandemic. He is chief technology officer at Plainview-based UOTech.co, which specializes in IT-managed services, and he said that, while his clients didn’t suffer breaches, UOTech assisted new clients that were attacked this year.
One such new client was attacked via a phishing email masked as a login page for remote access software the firm was already using. An employee typed in login credentials, giving the cybercriminal access to corporate systems. The attacker then blocked access to data and files and demanded one bitcoin (equivalent to about $18,000), Maser says. UOTech was able to recover systems via backup software, avoiding the need for the firm to pay ransom.
He said his clients are on a platform that enables UOTech to take ownership of the security and connectivity of any company-issued devices wherever employees are and provide automatic application and operating system updates, antivirus and anti-ransomware.
Sparkling Pointe Vineyards & Winery in Southold, one of UOTech’s new clients, had “peace of mind” knowing these programs were in place, general manager Michael Falcetta says.
As an agricultural manufacturer, Sparkling Pointe was deemed essential during COVID and was fully operational, but for a short period of time, its office team worked from home on secure company-issued laptops, Falcetta says.
“It was very seamless to be able to work from home,” he says.
In general, it’s always best for the company to issue work devices rather than relying on employees using their own home devices, says Jason Aptekar, a technology strategist and founder of Westbury-based The Mithril Cloud, a managed cloud services provider.
That’s because employees don’t take security as seriously on those devices as businesses do, says Aptekar, noting none of his clients had any security breaches.
For those firms that can’t provide company-issued devices, it pays to have a Bring Your Own Device (BYOD) policy that among other things clarifies employees’ responsibilities to the communications and data they interact with and their liabilities in the event something happens and they don’t meet company security standards or stated policies, he says.
Employee education is critical, says Malay Thacker, president of EMTEE Inc., a Plainview-based IT services provider.
“It is very important for every employee in a company to have some form of training to identify phishing scams and other threats,” he says. “One of the best ways to protect a company network is by applying security in layers and a very important layer is user training and awareness.”
Also consider who is responsible for your security, Thacker says.
If you don’t have a full-time IT staff or an IT services provider, you may be relying on ad hoc solutions that expose the business network to breaches and ransomware attacks, he says, noting the biggest security issue during COVID was lack of security software and policies for the work-from-home environment.
And remember: Hackers get trickier all the time.
“They continually evolve and grow and expand their capabilities,” Kujawa says.
Of the more than 200 respondents in the Malwarebytes report, 44% didn’t provide employees with cybersecurity training that focused on potential threats of working from home, like ensuring home networks had strong passwords or making sure devices were not left within reach of unauthorized users.