The COVID-19 pandemic has been a boon to cybercriminals, who are having a heyday exploiting people’s fears about the virus and the vulnerabilities in work-from-home (WFH) networks. It exposed major gaps in enterprises’ business continuity plans and network security as CISOs scrambled to accommodate their newly remote workforce in just a matter of weeks. The silver lining here, should CISOs choose to take a glass-half-full approach, is that businesses can learn from the pandemic, beef up their security posture and employees’ security readiness, and be ready for the next big event, whatever that may be.
While the pandemic isn’t over, a few key themes have emerged from recent interviews with security executives. From these conversations, here are the top three security lessons learned (so far) from COVID-19.
Security Training for Remote Employees Is a Must
While many companies already did some level of security training for employees prior to the pandemic, now’s the time to step up these efforts and extend them to employees’ family members as well.
There are several reasons to do security training for your employees and their families. First, family members and roommates are essentially now co-workers, and the shared WiFi network — and the devices connecting to that network — “become an extension of your work,” said Chris Henderson, director of information security at Datto. “There are concerns I have around the laptops of your teenage kids, and the laptops of our spouses. Are their security practices as good as yours? It’s important to touch on security awareness training as everybody’s working on personal machines. And really focusing in on how to detect phishing emails, voice phishing, and try to lower the overall susceptibility somebody has to social engineering attacks.”
Considering that more than 75% of targeted cyberattacks start with an email, and remote workers rely more heavily on email and other forms of electronic communication, training employees not to fall for phishing emails is a must, according to Dennis Dillman, VP of security awareness product management at Barracuda Networks.
He suggests sending out COVID-19-themed emails that look like those currently being used by attackers, and using gamification for security training. But, he cautioned: “I don’t recommend any gamification that is engineered to create losers. It should be engineered to create varying degrees of winners.”
In addition to training employees on remote-work security best practices, Tom Kellermann, head cybersecurity strategist at VMware Carbon Black, also recommends conducting regular threat-hunting exercises that include executives’ homes and devices they use at home. Kellermann admits this “used to be taboo. But that needs to change.”
And RSA CTO Zulfikar Ramzan strongly recommends all organizations do tabletop exercises to simulate a security breach where the security operations center and 100% of the responders are remote.
Pandemic Pushes Security to the Endpoint
In addition to being concerned about remote employees’ security preparedness, companies should also pay attention to the devices WFH employees use to connect to the corporate network and access company systems and data. This requires visibility — and Ramzan predicts that one of the lessons learned from the pandemic will be “a bigger shift toward thinking about visibility directly at the endpoint versus just the network.”
There is a very specific reason for this: “Because the network is not yours,” Edgewise Networks CEO Peter Smith said. “My home network isn’t my company’s.” This lesson also applies to cloud security and using public cloud networks.
Your company doesn’t own Amazon Web Services’ network. And as such, your company doesn’t have the same control and injection points that you do over your corporate data center and WAN, for example. “So you have one alternative: shift the security focus to the applications and the devices, not the network itself,” Smith said.
While network security versus endpoint security isn’t a new debate, COVID-19 has certainly highlighted the risk involved in employees’ using their home laptops and phones for work. “Today’s threats are sophisticated enough to bypass traditional defenses like anti-virus and that sort of thing,” Ramzan said. “So it becomes more critical to get that endpoint visibility to actually know what’s happening at the scene of the crime.”
This includes identity and authentication controls, which become more important in bring-your-own-device scenarios that will extend beyond the pandemic-induced lockdown. “If you look at every single breach that’s ever happened, every single intrusion, at some point there was some abuse or misuse or co-opting of an identity,” Ramzan said. “So getting identity right first and foremost is paramount in these types of situations.”
Don’t Trust Anyone or Any Device
Although zero-trust security has been around for over a decade, it’s received a lot of attention lately because of the pandemic and the related spike in remote workers.
This approach assigns rules and policies to workloads, virtual machines (VMs), or network connections, then permits only the actions and connections a given workload or application actually needs and blocks everything else. It provides a high level of assurance that only the correct users and devices are accessing what they need, without requiring physical access.
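To make the per-workload, default-deny model concrete, here is an added example (not code from the article or from any vendor it names): a minimal policy evaluator that checks the requesting identity, the device, and the requested action against an explicit allow-list for each workload, and denies anything not explicitly permitted. The workload names, users, device IDs and policies are all constructed for illustration.

```python
"""Minimal default-deny, per-workload policy check (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str       # authenticated identity making the request
    device_id: str  # device the request originates from
    workload: str   # target workload / application
    action: str     # requested operation, e.g. "read" or "write"


@dataclass
class WorkloadPolicy:
    allowed_users: set            # identities explicitly permitted on this workload
    allowed_actions: set          # operations explicitly permitted
    require_managed_device: bool = True  # block personal / unenrolled devices


# Constructed device inventory: IDs of company-managed devices (hypothetical values).
MANAGED_DEVICES = {"lt-0042", "lt-0077"}

# Constructed policies keyed by workload name. A workload with no entry gets nothing.
POLICIES = {
    "payroll-api": WorkloadPolicy({"alice"}, {"read"}),
    "wiki": WorkloadPolicy({"alice", "bob"}, {"read", "write"},
                           require_managed_device=False),
}


def evaluate(req, policies=POLICIES, managed=MANAGED_DEVICES):
    """Return (allowed, reason). Every check must pass; otherwise deny."""
    policy = policies.get(req.workload)
    if policy is None:
        return False, "no policy for workload: default deny"
    if req.user not in policy.allowed_users:
        return False, "identity not authorized for workload"
    if policy.require_managed_device and req.device_id not in managed:
        return False, "unmanaged device"
    if req.action not in policy.allowed_actions:
        return False, "action not permitted"
    return True, "explicitly allowed"


if __name__ == "__main__":
    samples = [
        Request("alice", "lt-0042", "payroll-api", "read"),   # allowed
        Request("alice", "home-pc", "payroll-api", "read"),   # denied: personal device
        Request("bob", "home-pc", "wiki", "write"),           # allowed: wiki permits unmanaged
        Request("bob", "lt-0042", "billing", "read"),         # denied: no policy at all
    ]
    for r in samples:
        print(r.user, r.device_id, r.workload, r.action, "->", evaluate(r))
```

The decisive property is the first branch: a workload nobody wrote a policy for is unreachable, which is the "anything else gets blocked" behaviour described above.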
“Organizations are trying to figure out not just how do I get access, but how do I do so securely,” Smith said. “Zero trust is this philosophy around remote access and workload protection that gives you the convenience you desire with the security you need.”
Edgewise and other vendors, including Akamai, sold zero-trust networking products before the pandemic. And in April, Google made available an enterprise product based on its BeyondCorp zero-trust approach, which it has used internally for almost a decade. (It’s worth noting that other companies, including Duo Security, now owned by Cisco, have been selling their own products based on BeyondCorp for years.)
Google’s goal in developing BeyondCorp was to enable every Google employee to work from untrusted networks without the use of a virtual private network (VPN).
“Fast forward 10 years later, inside Google we have 100,000-plus employees who, within two weeks or a few weeks, we went from our majority being internal employees to external employees with no major ramp up of any additional technology,” said Sunil Potti, VP and GM of Google Cloud.
As other enterprises face similar networking and security challenges related to a newly all-remote workforce, Potti says BeyondCorp provides a simpler and more secure alternative to traditional remote-access VPNs. These can be difficult to deploy and manage, and can be tough to scale to meet demand from an enterprise’s employees, contractors, and partners.
Akamai CTO of Security and Strategy Patrick Sullivan says the COVID-19 pandemic gives zero-trust network access more urgency.
“It certainly is an accelerant of the trend that was already happening,” Sullivan said. “Trying to remove trust from the network, and moving security controls to the edge, [the COVID-19 pandemic] isn’t causing people to think of a brand-new area. But instead of the three-year plan it might be a three-week plan.”