Key Takeaways
- The home network is the weakest link in most remote work setups — old routers with default credentials, no network segmentation, and mixed personal/work devices.
- MFA is the single most impactful control for remote work: if an attacker steals a VPN or email password, MFA is what stops them logging in.
- Shadow IT accelerates in remote environments — if the approved tool is worse than the personal tool, employees will use the personal tool. Fix the tool, not the behaviour.
- Physical security matters: screen locks, not reciting passwords on video calls, and a locked screen when away from keyboard are policies that need deliberate reinforcement in home environments.
- Remote work endpoint management (Jamf, Intune) gives IT visibility and control over devices that are no longer on a monitored corporate network.
Most corporate IT security policies were written for the office. The firewall sat between the internet and everything that mattered. Employees were on a managed network. The building had physical access controls. Remote work dissolved all of that, and many policies haven't been rewritten to reflect it.
This guide covers the gaps: what the home environment introduces as new risk, what controls actually address it, and what both employees and employers need to do differently.
The Home Network Problem
The average home router is years old, hasn't had a firmware update since it was installed, and is still using the default admin credentials printed on a sticker underneath it. That router is also carrying the work laptop, the personal phone, the kids' tablets, the smart TV, and possibly a handful of IoT devices with their own unknown security histories.
This is the environment where your company's email, customer data, and internal systems are being accessed. IT has zero visibility into it.
The basics are straightforward and take twenty minutes: log into the router admin panel (typically 192.168.1.1 or 192.168.0.1 — check the sticker), change the default admin password to something strong and unique, disable WPS (Wi-Fi Protected Setup, a feature with a well-documented brute-force vulnerability), and ensure wireless security is set to WPA3 if supported, or WPA2 at minimum. Check whether the router manufacturer has issued firmware updates and apply them.
If the router is more than five or six years old and the manufacturer stopped issuing firmware updates, replacing it is the right call. A new mid-range router costs £50–£80 and fixes a category of risk, not just a single vulnerability.
Work Devices and Personal Devices Should Not Share a Network
A compromised personal device on the same network segment as a work device is a problem. If malware on a personal device can observe network traffic or reach the work machine directly, it can capture credentials or attempt lateral movement. Most home routers support a guest network — putting personal devices on the guest network and work devices on the main network creates basic segmentation without requiring enterprise hardware. It's not a complete solution, but it meaningfully reduces the blast radius of a personal device compromise.
The cleaner version of this is simply not using personal devices for work at all. Mixing creates risk in both directions: personal browsing habits and installed software on the personal device can expose work credentials, and work data on personal devices sits outside the company's backup and access control policies.
VPN: When It's Necessary, When It Isn't
VPN requirements in remote work policies are frequently set by assumption rather than analysis. If employees are accessing internal systems — file servers, internal databases, on-premise line-of-business applications — a VPN is necessary. Without it, those systems need to be exposed to the public internet, which is usually worse.
If the entire workday runs through SaaS services (Google Workspace, Microsoft 365, Slack, Salesforce, or similar), a corporate VPN adds friction without adding meaningful security. Those services authenticate per session, use HTTPS encryption end-to-end, and are not improved by routing traffic through a corporate gateway. Forcing a VPN in this context creates overhead and often leads employees to disable it when it causes problems — which is worse than not having the policy at all.
Audit the access requirements before writing the VPN policy.
MFA Is Not Optional
If an employee can access a system from home, an attacker with their credentials can try to as well. Multi-factor authentication is the control that breaks this: a stolen password is not enough to log in.
MFA should be mandatory on email, VPN, HR systems, finance tools, and any application that holds customer data or can initiate financial transactions. The right implementation is an authenticator app (Google Authenticator, Microsoft Authenticator, Authy) rather than SMS — SMS codes are vulnerable to SIM-swapping, and authenticator app codes are not.
The priority order if you're rolling this out: email first, always. Email is the recovery mechanism for every other account. Whoever controls the inbox can reset everything else. Protect it first.
Phishing in the Remote Context
In an office, when someone receives a suspicious email from "IT" asking them to reset their password, they can turn to the person next to them and ask if it's real. Working from home removes that check. The social engineering surface expands beyond email to include Slack and Teams messages, LinkedIn connection requests with embedded links, and phone calls purportedly from IT or senior management.
The mitigation is not a one-off training video. It's normalising a specific behaviour: when an unsolicited message asks you to click a link, enter credentials, or transfer money — regardless of who it appears to be from — verify through a separate channel before acting. Call the person. Use a known contact number. Open the relevant site directly, not via the link provided.
Physical Security at Home
Screen locks are not optional on a work laptop. Set the lock to trigger after two minutes of inactivity, and make it a habit to lock manually (Windows key + L on Windows, Ctrl + Cmd + Q on Mac) any time you step away, including briefly.
Working from public spaces — coffee shops, libraries, co-working spaces — introduces additional considerations. A privacy screen filter is worth the £20 it costs. Be conscious of who can hear your calls: reciting a password, discussing a client situation, or reading out account numbers in a public space are all information disclosures that the physical office environment naturally prevented.
Shadow IT: Fix the Tool, Not the Behaviour
Remote employees are more likely to find their own solutions when approved tools are inconvenient. The approved file share requires VPN to access from home? The employee finds that sharing files via their personal Google Drive is faster and just starts doing it. The approved collaboration tool requires IT to provision access? The team starts using a personal Slack workspace instead.
Company data in personal services is outside the company's visibility, backup policy, and access controls. When that employee leaves, the data may leave with them.
The answer is not to police it harder — it's to make approved tools usable enough that the workaround isn't more attractive. If people are routing around the approved solution, that's a signal about the approved solution.
Endpoint Management for Remote Devices
When company devices were on the office network, IT had visibility. Off the network, that visibility disappears unless endpoint management is in place. Mobile device management (MDM) platforms — Jamf for Mac, Microsoft Intune for Windows — ensure that company devices have disk encryption enabled, are patched to current OS versions, comply with password and screen lock policies, and can be remotely wiped if lost or stolen.
These are not enterprise-only tools. Both Jamf and Intune scale down to small teams, and the capability to remotely wipe a lost laptop before its contents are accessed is worth the subscription cost many times over.
What to Do If Something Goes Wrong
The instinct when you suspect your device or account is compromised is to investigate quietly and hope it was nothing. This is wrong. Delayed reporting gives an attacker more time inside the system, and the blast radius grows with every hour.
The correct response: disconnect the affected device from the network immediately — WiFi off, VPN disconnected. Report to IT or your manager right away, even if you're uncertain. Do not attempt to investigate or remediate on your own. Change passwords for any accounts that may have been accessed, and do it from a different, unaffected device. Immediate isolation limits the damage; delay compounds it.
Frequently Asked Questions
Do remote workers need a VPN?
It depends on what they access. If employees reach internal systems — file servers, internal databases, on-premise applications — a VPN is necessary. If work is entirely SaaS-based (Google Workspace, Microsoft 365, Slack, Salesforce) with MFA enabled, a corporate VPN adds overhead without meaningful security improvement: those services already use encrypted HTTPS connections and authenticate per-session. The decision should be driven by the actual access requirements, not a blanket policy.
What is shadow IT and why is it a security problem?
Shadow IT is the use of unauthorised software or services for work purposes — an employee storing client files in their personal Dropbox because the company's approved file share is difficult to access from home, for example. The security risk is that company data in personal services is outside the company's visibility, backup policy, and access control. If that employee leaves, the company may lose access to those files. The solution is ensuring approved tools are usable enough that workarounds aren't attractive.
How should a remote worker respond to a suspected breach?
Disconnect the affected device from the network (WiFi and any VPN) immediately — this prevents further access if credentials are compromised. Report to IT or your manager immediately, even if you're not certain. Do not attempt to investigate or remediate on your own. Change passwords for any accounts that may have been accessed, from a different device. Time matters: the faster the isolation, the smaller the blast radius.