Remote and hybrid working is now a permanent feature of how most businesses operate. The tools and habits that enabled it were adopted quickly — often out of necessity — and security considerations frequently came second.
Several years on, the security posture of many small businesses still reflects the environment of rapid adoption rather than considered design. Staff connect to business systems from home networks, personal devices, and public Wi-Fi with varying levels of protection and no central visibility.
How Remote Working Expands Your Attack Surface
When all staff worked from a single office on company hardware, the network perimeter was relatively well-defined. Traffic could be monitored, devices could be managed, and physical security meant something.
Remote working dissolves that perimeter. Now your business systems are being accessed from:
- Home networks of variable quality, shared with family members and personal devices
- Personal laptops and smartphones that may run outdated software
- Public Wi-Fi in cafés, hotels, and co-working spaces
- Personal email accounts (if someone forwards a work file to themselves for convenience)
- Consumer cloud storage used as a workaround
Each of these is a potential vulnerability. And because the connections originate from different locations, unusual access patterns are much harder to distinguish from normal behaviour without the right tooling.
The Home Network Problem
Your staff member’s home router is not your router. You have no visibility into what else is connected to that network, whether it’s running current firmware, whether the password has ever been changed from the default, or whether any other device on that network has been compromised.
A compromised device on a home network sharing a segment with a work laptop creates risk, particularly if the work laptop has full access to business systems and no endpoint protection.
Specific Risks to Address
Unencrypted connections. Without a VPN, traffic between a remote worker and business systems may traverse the internet without encryption. This is particularly risky on public Wi-Fi.
Unmanaged endpoints. Personal devices used for work typically lack the endpoint protection, encryption, and update management that company devices should have. A personal laptop running an old operating system is a significant vulnerability.
Credential exposure. Remote access often relies on username and password. Without MFA, stolen credentials from a home network compromise directly translate to business system access.
Shadow IT. Staff who find official tools cumbersome will find unofficial alternatives. Files shared via personal Google Drive, communications in personal WhatsApp groups, business data in a consumer Dropbox account — all outside your visibility and control.
Physical security. A work laptop left open in a café, a screen visible over the shoulder, a device left in a car — physical security matters for remote workers in ways that differ from an office environment.
What Good Remote Security Practice Looks Like
A VPN for business system access. A properly configured VPN encrypts traffic and routes it through a controlled endpoint before it reaches business systems. Not all VPNs are equal — consumer VPN services are not appropriate for this purpose.
MFA on everything remote-accessible. Email, VPN, cloud systems — any system accessible from outside the office should require MFA. This is the single highest-impact control for remote working security.
Endpoint management. Ideally, remote workers use company-managed devices with current software, encryption, and endpoint protection. Where personal devices are unavoidable, a clear acceptable use policy and minimum standards help.
A clear policy on approved tools. Staff need to know what’s approved and what isn’t. The alternatives to Shadow IT are either better official tools or better communication about why unofficial tools create risk.
Monitoring and alerting. Logins from unusual locations, access at unusual times, large data downloads — monitoring for anomalous behaviour in your business systems enables detection of compromised credentials before they lead to a full breach.
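As an added illustration (not part of the original article, and not W3IT's tooling), the Python sketch below builds a per-user baseline from past sign-ins and flags the three signals named above: an unseen location, an unusual hour, and an unusually large download. The event layout, the sample data and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events (not real data). Field layout is an assumption:
# (user, UTC timestamp, sign-in country, bytes downloaded in the session).
HISTORY = [
    ("alice", "2024-03-04T09:12:00", "GB", 12_000_000),
    ("alice", "2024-03-05T10:40:00", "GB", 8_000_000),
    ("alice", "2024-03-06T16:05:00", "GB", 15_000_000),
    ("bob",   "2024-03-04T08:30:00", "GB", 3_000_000),
    ("bob",   "2024-03-05T17:45:00", "IE", 5_000_000),
]
NEW_EVENTS = [
    ("alice", "2024-03-07T09:30:00", "GB", 10_000_000),   # matches baseline
    ("alice", "2024-03-08T03:10:00", "RO", 900_000_000),  # trips all three checks
    ("bob",   "2024-03-08T09:00:00", "IE", 4_000_000),    # matches baseline
    ("carol", "2024-03-08T11:00:00", "GB", 1_000_000),    # user with no history
]

def build_baseline(history):
    """Per-user profile: countries seen, sign-in hours, download sizes."""
    profiles = defaultdict(lambda: {"countries": set(), "hours": [], "sizes": []})
    for user, ts, country, size in history:
        p = profiles[user]
        p["countries"].add(country)
        p["hours"].append(datetime.fromisoformat(ts).hour)
        p["sizes"].append(size)
    return dict(profiles)

def score_event(event, baseline, hour_slack=2, size_factor=10):
    """Return the anomaly reasons for one event (empty list = looks normal)."""
    user, ts, country, size = event
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]  # surface it rather than pass silently
    reasons = []
    if country not in profile["countries"]:
        reasons.append(f"new country {country}")
    hour, hours = datetime.fromisoformat(ts).hour, profile["hours"]
    if not (min(hours) - hour_slack <= hour <= max(hours) + hour_slack):
        reasons.append(f"unusual hour {hour:02d}:00")
    if size > size_factor * median(profile["sizes"]):
        reasons.append(f"download {size} bytes > {size_factor}x median")
    return reasons

if __name__ == "__main__":
    for ev in NEW_EVENTS:
        print(ev[0], ev[1], score_event(ev, build_baseline(HISTORY)) or "ok")
```

The hour check is a simple earliest-to-latest range with some slack, so it does not model staff whose normal hours span midnight, and the thresholds would need tuning against real sign-in data.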
Remote working security isn’t about distrust of staff — it’s about recognising that the environment has changed and ensuring your business’s security posture reflects the reality of how it now operates.
W3IT assesses remote working security as part of our standard security review, including connectivity, endpoint practices, and identity management. If your remote working setup was put in place quickly and hasn’t been reviewed since, it’s worth taking a closer look.