The Breach That Started in a Coffee Shop
An employee connected to airport WiFi to finish a presentation. A week later, customer data appeared on the dark web. The forensics report traced it back to that connection— a man-in-the-middle attack captured credentials that led to a full compromise.
Remote work is now permanent for most tech companies. But the security model designed for office networks doesn't work when "the network" is every coffee shop, home WiFi, and airport lounge in the world.
This guide covers practical remote work security for distributed teams—controls that actually work without making your team's lives miserable.
The Remote Work Threat Model
Remote work changes your attack surface. The threats aren't new, but they're amplified:
Network Threats:
- Untrusted WiFi networks
- Man-in-the-middle attacks
- Network eavesdropping
- DNS hijacking on public networks
- Malicious hotspots
Endpoint Threats:
- Unpatched personal devices
- Shared family computers
- Physical theft of devices
- Shoulder surfing in public
- Home network compromise
Traditional security assumed you could trust the network inside your office. Remote work means you can't trust any network. Your security model must assume every connection is potentially hostile.
The Remote Work Security Checklist
1. Identity and Access (Critical)
Why it matters: When devices are everywhere, identity becomes the perimeter. Strong authentication is non-negotiable.
- MFA on Everything — Email, cloud services, VPN, admin consoles. No exceptions.
- SSO Implementation — Single sign-on reduces password fatigue and centralizes access control.
- Phishing-Resistant MFA — Hardware keys (YubiKey) or passkeys for high-risk accounts.
- Session Management — Automatic timeouts, re-authentication for sensitive actions.
- Just-in-Time Access — Temporary elevated access rather than persistent admin rights.
Authenticator apps are the minimum. For admin accounts and sensitive systems, require hardware keys. SMS-based MFA is better than nothing but vulnerable to SIM swapping— upgrade when possible.
2. Device Security
Why it matters: Every laptop is now outside your physical control. Device security becomes critical.
- Full Disk Encryption — BitLocker (Windows), FileVault (Mac). Mandatory.
- EDR/Endpoint Protection — Modern endpoint detection (CrowdStrike, SentinelOne, etc.).
- MDM Enrollment — Device management for company devices. Remote wipe capability.
- Automatic Updates — Force OS and browser updates. Don't let users defer indefinitely.
- Screen Lock — Automatic lock after 5 minutes of inactivity.
- Local Firewall — Enable and configure host-based firewall.
3. Network Security
Why it matters: You can't secure every network your team uses. You can secure the connection.
- Zero Trust Architecture — Don't trust any network. Verify everything.
- HTTPS Everywhere — All internal tools must use HTTPS. No exceptions.
- VPN for Sensitive Access — Corporate VPN for accessing internal resources.
- DNS Security — Encrypted DNS (DoH/DoT) to prevent DNS hijacking.
- Split Tunneling Policy — Define what traffic must go through VPN.
VPNs aren't magic shields. They protect traffic between the device and your network—not the device itself. A compromised laptop with VPN access is worse than one without. VPN complements other controls; it doesn't replace them.
4. Data Protection
Why it matters: Data now lives on devices you don't physically control. Protect it accordingly.
- Cloud-First Storage — Prefer cloud storage over local files. Easier to secure and backup.
- DLP Controls — Prevent sensitive data from leaving approved channels.
- Encryption in Transit — TLS 1.2+ for all data transmission.
- Clipboard/Screenshot Policies — Consider restrictions for sensitive applications.
- Approved Applications — Define which apps can handle company data.
5. Physical Security
Why it matters: Devices get stolen. People shoulder-surf in coffee shops. Physical security matters even in a digital world.
- Privacy Screens — For employees who work in public spaces.
- Device Tracking — Enable Find My Device / remote locate.
- Remote Wipe — Capability to wipe devices if lost or stolen.
- Clean Desk at Home — Don't leave sensitive info visible on video calls.
- Secure Device Storage — Lock away devices when not in use at home.
BYOD vs. Company Devices
For employees with access to sensitive data, provide company devices. The control and consistency are worth the cost. For limited-access roles, BYOD with clear policies can work—but require MDM enrollment for any device accessing company resources.
Remote Work Security Policies
What to Document
- Acceptable Use — What employees can/can't do on company devices and networks.
- Public WiFi — Requirements for using public networks (VPN required, etc.).
- BYOD Terms — Conditions for using personal devices for work.
- Home Office Security — Basic requirements for home workspace.
- Incident Reporting — What to report and how (lost device, suspicious email).
- Travel Security — Extra precautions for international travel.
Sample Policy Provisions
Required:
- MFA on all accounts
- VPN for internal resources
- Full disk encryption
- Auto-lock after 5 minutes
- Report lost devices immediately
- Keep software updated
Prohibited:
- Storing passwords in browsers
- Sharing devices with family
- Using personal email for work
- Disabling security software
- Connecting to open WiFi without VPN
- Leaving devices in vehicles
Security Awareness for Remote Teams
Focus Areas
- Phishing Recognition — Remote workers face 3.5x more phishing. Train heavily here.
- WiFi Safety — How to evaluate network safety, when to use VPN.
- Physical Security — Protecting devices and screens in public.
- Social Engineering — Verifying requests, especially unusual ones.
- Incident Reporting — Lower the barrier to reporting concerns.
Annual training isn't enough for remote teams. Do monthly phishing simulations, quarterly refreshers on key topics, and real-time coaching when people make mistakes. Make it easy to ask "Is this legit?" without judgment.
Common Remote Work Security Mistakes
Mistake 1: VPN as Silver Bullet
VPN protects network traffic, not endpoints. A compromised device with VPN access is an insider threat with a direct connection to your network. Layer VPN with endpoint security, not instead of it.
Mistake 2: Ignoring Home Networks
Home routers are often unpatched, using default passwords, or running outdated firmware. While you can't control home networks, you can require VPN for sensitive access and provide guidance on securing home WiFi.
Mistake 3: Trust by Location
"They're logged in from home, so it must be them" isn't valid security logic. Implement zero trust—verify identity and device health regardless of location.
Mistake 4: Friction Overload
Every security control that slows people down creates incentive to work around it. Balance security with usability. If MFA takes 30 seconds, it gets adopted. If VPN disconnects every 5 minutes, people stop using it.
Quick Start: Your First Week
Day 1-2: MFA Audit
Verify MFA is enabled on all accounts for all remote workers. No exceptions. This single control prevents most attacks.
Day 3: Device Inventory
List all devices accessing company resources. Are they company or personal? Are they encrypted? Are they enrolled in MDM?
Day 4-5: Policy Review
Review your remote work policies. Do they exist? Are they current? Do employees know them?
Day 6-7: VPN/Network Security
Review VPN configuration. Is it required for sensitive access? Is split tunneling configured correctly?
Next Steps
Remote work security isn't about recreating office security at home. It's about securing work wherever it happens—with controls that assume hostile networks and distributed endpoints.
Start with identity. MFA everywhere, SSO for convenience, hardware keys for sensitive accounts. Build from there with device security, network controls, and clear policies.
Securing your distributed team? vCISO Lite helps you implement remote work security controls, track compliance across distributed devices, and maintain security posture regardless of where your team works.