Why remote working security matters
Hybrid and remote working expand your attack surface. Home networks, personal devices, and off-site data handling create risks that office-only policies don't cover. Insurers and auditors increasingly ask about remote access controls, device security, and acceptable use. A short checklist helps IT and HR align on expectations and reduce risk.
Device and access
- Corporate devices are used for work where possible; otherwise, baseline security is defined for BYOD — Corporate devices with a managed configuration are lower risk. If BYOD is allowed, define minimum requirements (e.g. encryption, screen lock, supported OS).
- Multi-factor authentication (MFA) is required for all cloud and remote access — MFA is the single most effective control for remote access. No exceptions for "convenience."
- VPN or zero-trust access is in place for sensitive systems — Don't expose internal systems directly to the internet; use VPN or zero-trust access for sensitive data.
- Disk encryption and screen lock are enforced on laptops and mobile devices — Lost or stolen devices are a common cause of data exposure; encryption and a screen lock reduce the risk.
Data and behaviour
- Clear policy on where work data may be stored (no unauthorised personal cloud or USB) — Define approved storage (e.g. OneDrive, SharePoint) and prohibit personal cloud or unencrypted USB for work data.
- Staff know how to report lost devices or suspected phishing — Simple, clear process; test that people know who to contact.
- Home network guidance is available (e.g. router updates, separate work SSID where practical) — Basic guidance reduces risk; don't assume staff know how to secure their home network.
What good looks like vs common gaps
Good: Policy is written and communicated; MFA enforced; device and access controls evidenced (e.g. MDM, conditional access).
Common gaps: No policy or policy not enforced; MFA only on "important" systems; no visibility into device or access.
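One way to evidence the controls above and surface the common gaps is to run a check over a sign-in export. This is an added example, not part of the original checklist; the CSV column names and sample rows are constructed assumptions, not any vendor's schema.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a sign-in export (assumed columns, not a vendor schema).
SAMPLE_SIGNINS = """user,app,mfa,device_managed,disk_encrypted
alice,mail,yes,yes,yes
bob,mail,yes,no,no
bob,wiki,no,no,no
carol,wiki,no,yes,yes
carol,finance,yes,yes,yes
dave,finance,yes,yes,no
"""

def _yes(value):
    # Fail closed: a blank or missing field counts as "control not evidenced".
    return (value or "").strip().lower() == "yes"

def find_gaps(csv_text):
    """Return checklist gaps visible in a sign-in export.

    apps_without_full_mfa: app -> users who signed in without MFA
    noncompliant_devices:  user -> reasons the device lacks evidence
    """
    apps = defaultdict(set)
    devices = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # "MFA only on important systems" shows up as any app with a
        # single-factor sign-in, however minor the app looks.
        if not _yes(row.get("mfa")):
            apps[row["app"]].add(row["user"])
        if not _yes(row.get("disk_encrypted")):
            devices[row["user"]].add("disk not encrypted")
        # BYOD is allowed by the checklist, but without management there
        # is no evidence that the baseline is met.
        if not _yes(row.get("device_managed")):
            devices[row["user"]].add("unmanaged, baseline unverified")
    return {
        "apps_without_full_mfa": {a: sorted(u) for a, u in sorted(apps.items())},
        "noncompliant_devices": {u: sorted(r) for u, r in sorted(devices.items())},
    }

if __name__ == "__main__":
    report = find_gaps(SAMPLE_SIGNINS)
    for app, users in report["apps_without_full_mfa"].items():
        print(f"MFA gap: {app} accepted single-factor sign-ins from {', '.join(users)}")
    for user, reasons in report["noncompliant_devices"].items():
        print(f"Device gap: {user}: {', '.join(reasons)}")
```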