Millions in lost sales, a share price plunge of almost 7 per cent and more than 230 new job-hires frozen.
Those were the horrifying numbers suffered by High Street stalwart M&S this week after the devastating, targeted cyber-attack that left shelves empty, customers frustrated and shareholders furious.
As I write, a raft of experts are trying to discover who was responsible, with suspicion currently falling on a shadowy group called ‘Scattered Spider’: a loose network of teenage hackers from across Britain and America.
Amid this high-street meltdown, it also emerged on Wednesday that the Co-op has been forced to shut down part of its IT system after discovering an attempted hack. Yesterday Harrods was also targeted by online attackers.
However, the chilling fact is that for every one of these cyber attacks we hear about, dozens of others are unfolding in our midst that remain secret.
Indeed, it emerged this week from the National Cyber Security Centre that 76 per cent of UK businesses reported an attempted cyber attack in the past year.
This is an astonishing figure – and, crucially, my contacts in the security services have told me they are very clear that a huge shift in our working culture has significantly contributed to the risk.
That shift is working from home: a phenomenon forced upon us by the pandemic but that has since become common practice even after Covid has receded.

Last month, Forbes magazine reported that in Britain 27 per cent of workers now engage in ‘hybrid working’ – meaning they split their time between home and their workplace – with a full 13 per cent working remotely full time.
It has been a seismic cultural change.
And, while no doubt welcome to those who prefer to work in their pyjamas, it has undoubtedly had damaging effects.
As multiple business leaders have outlined in these pages, this includes a notable decline in productivity. A 2023 report from Stanford University, California, found there is up to a 20 per cent reduction in efficiency in those working remotely.
Many others have pointed to the loss in the vital sharing of ideas that unfolds in a communal workspace.
Now we are seeing another, altogether more alarming consequence, in the form of staff and businesses’ increased exposure to devastating cyber attacks.
Several details of the M&S attack have yet to emerge.
But it’s notable that when the incident happened, the retailer immediately cut off remote access to some of its IT systems to stop the spread of ‘ransomware’, a specific type of malware that shuts the victim out of their computer and demands money in return for access back.

M&S clearly recognised that any staff logging in from home were intrinsically more vulnerable to cyber attack than those in the office.
The reality is that when people work from home – usually on a laptop or phone – they are more likely to be using antiquated software and machinery.
In a domestic setting distractions are far greater, vigilance is reduced and basic security measures such as critical updates are often ignored.
Without the beady eyes of their bosses, the IT department, or even their co-workers upon them, those at home are more likely to visit dodgy sites, from gambling to pornography, that contain malware – software that is specifically designed to disrupt, damage or gain unauthorised access to a computer system.
Once a device is infected, the malware can be introduced to the office system by clever and dedicated hackers.
The ‘entry’ into your device usually comes by way of an innocent-looking email, perhaps purporting to be from your IT department, or from a shopping website with tempting free orders.
Once you open it, you’re asked to click on a link.
In an office, you might turn to your colleague to enquire if they have received the same, but alone at home the temptation to take a look is so much greater.
The dangers are obvious.
And yet, such is the vice-like grip that the alleged ‘right’ to work from home has exerted on our culture that even the workers at GCHQ are now entitled to enjoy the practice.

Indeed, the director of the ‘cyber command unit’ at GCHQ, charged with gathering intelligence and protecting the UK’s national security, makes a virtue of it. It’s notable that in her online biography Anne Keast-Butler boasts both of her extensive experience in cyber security and her passionate advocacy of flexible working.
As an expert specialising in intelligence-led security, I would say those two things are a clear contradiction in terms. Multiple wi-fi and broadband networks are another Achilles’ heel: prior to working from home, an employer had responsibility for just one.
Now, especially in the case of big organisations, devices are connected to hundreds of different networks, expanding any areas of weakness in the process.
Many people do not update their wi-fi systems if they seem to be working and that is where danger lurks: the security measures on older systems are easier to override.
Once they have cracked into the wi-fi, nefarious actors can gain access, intercept data and control the connected devices.
Indeed, not long ago my wife and I learned that the Chinese restaurant near our home was using our rather old system to tune into Chinese television.
The working from home craze also means that many computers and tablets are being carried to and from offices, enabling another risk.
Last month it emerged our MPs and parliamentary staff have had dozens of workplace digital devices stolen from locations including pubs and trains in the past year, with nearly 70 recorded losses of iPads, phones and laptops.

Certainly all the key data of our lives can now be found on a person’s phone and laptop which potentially exposes owners to blackmail. I do not need to spell out the frightening consequences of those devices falling into the wrong hands and the national security crisis that might follow.
And while to date (and as far as we have been told) hackers have not been able to penetrate Britain’s defence networks and the systems that maintain our nuclear power stations and electricity substations, it would be naive to think that these are not at risk given the damage already unleashed on other institutions.
The total cost of cyber-crime to the UK economy is estimated to be around £27 billion per year, and the NHS Counter Fraud Authority estimates the total annual loss from all types of fraud (of which cyber attacks play a huge part) to be around £1.3 billion per year.
That is equivalent to the salaries of 40,000 nurses or the purchase of 5,000 ambulances.
Now, I believe we are approaching an inflection point where the people who want to do us harm are more skilled than the people we’re paying to protect us.
That in turn calls for a significant response. It means that our leading institutions must invest heavily in sophisticated new software and hardware.
GCHQ, until now almost exclusively a protective organisation, must change into an offensive body to stay one step ahead of our online enemies.
Finally, there needs to be a ban on working from home for companies who play a role in our national economic wellbeing, or our national welfare.
The hackers themselves may be working from their bedrooms, but we must remove the same indulgence from their victims in order to ensure we are not making their evil missions easier.
- Professor Anthony Glees is a security and intelligence expert from the University of Buckingham.