Securing Your Remote Workforce

Practical steps to secure your business when staff work from home, covering MFA, device management, VPNs, phishing awareness and more.

Updated 10 February 2026

Remote and hybrid working is not going away. For most businesses, it has become a permanent part of how they operate. That is fine, but it does change your security requirements. When everyone was in the office using company equipment on a managed network, security was simpler. Now your staff are logging in from home networks, coffee shops and kitchen tables, and your data is flowing through connections you do not control.

The good news is that securing a remote workforce is not impossibly difficult or expensive. It does require some planning and the right tools. Here is what you need to focus on.

MFA on Everything, No Exceptions

Multi-factor authentication is the single most effective security measure you can implement. It means that even if someone's password is stolen, the attacker still cannot get in without the second factor, typically a code from an authenticator app or a push notification on a phone.

MFA should be enabled on every account that supports it. That means email, cloud storage, VPN, accounting software, CRM, remote desktop, and anything else your staff log into. No exceptions, not even for the managing director who thinks it is inconvenient.

The reality is that password-only authentication is not good enough any more. Password databases get leaked regularly. People reuse passwords across multiple services. Phishing attacks trick people into entering their credentials on fake websites. MFA stops all of these from turning into a full breach.

Use an authenticator app like Microsoft Authenticator or Google Authenticator rather than SMS codes. SMS can be intercepted through SIM swapping attacks, though it is still better than no MFA at all.

Company Devices vs Personal Devices

There are two approaches to remote working devices. You either provide company-owned equipment that you manage and control, or you allow staff to use their own personal devices, known as Bring Your Own Device (BYOD).

Company devices are the more secure option. You control what software is installed, you can enforce security policies, you manage updates and patching, and you can remotely wipe the device if it is lost or stolen. The device is configured to your standards before it reaches the employee.

BYOD is cheaper upfront but introduces significant risks. You have limited control over a personal device. It might be running outdated software. It might be shared with family members. It might have applications installed that are not secure. If the employee leaves, your company data is on a device you do not own and cannot easily wipe.

If you do allow BYOD, use a Mobile Device Management (MDM) solution that can create a separate, encrypted container for work data on the device. This lets you manage and wipe company data without affecting personal files. But the best approach for most businesses is to provide company devices. The cost of a laptop is small compared to the cost of a data breach.

VPN: When You Need One and When You Do Not

Virtual Private Networks used to be essential for remote work because they created a secure tunnel between the remote worker and the office network. If your staff needed to access files on an office server or use an application hosted on-premises, a VPN was the only way to do it securely.

That is still true if you have on-premises resources that remote workers need to reach. But if you have moved your email to Microsoft 365, your files to SharePoint or OneDrive, and your applications to the cloud, the need for a traditional VPN is much reduced. Your staff are connecting directly to cloud services that have their own security, so routing all their traffic through your office first just adds latency and complexity.

What matters more in a cloud-first world is identity and access management. Instead of securing the network connection, you secure the user's identity. That means strong authentication, conditional access policies (only allowing logins from compliant devices or known locations), and monitoring for unusual sign-in activity.

If you are running a hybrid setup with some resources in the cloud and some on-premises, you probably need a VPN for the on-premises stuff and cloud-based access controls for everything else.
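The conditional access rule and sign-in monitoring described above, as an added example that is not part of the original article. The sign-in events, the "known" network range and the two-hour window are constructed for illustration, and the tuple layout is hypothetical rather than any product's log format.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed policy values (documentation IP ranges), not real settings.
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]   # e.g. the office egress range
TRAVEL_WINDOW = timedelta(hours=2)

# Constructed events: (time, user, source IP, country, device compliant, MFA passed)
SIGNINS = [
    ("2026-02-09T08:55:00", "alice", "203.0.113.10", "GB", True,  True),
    ("2026-02-09T09:05:00", "bob",   "198.51.100.7", "GB", True,  True),
    ("2026-02-09T09:20:00", "carol", "198.51.100.9", "GB", False, True),
    ("2026-02-09T09:40:00", "bob",   "192.0.2.44",   "BR", True,  True),
    ("2026-02-09T10:00:00", "dave",  "203.0.113.20", "GB", False, False),
    ("2026-02-09T10:10:00", "erin",  "203.0.113.30", "GB", False, True),
]

def access_decision(ip, compliant, mfa_ok):
    """Allow only with MFA, and only from a compliant device or a known network."""
    if not mfa_ok:
        return "block: MFA not satisfied"
    if compliant or any(ip_address(ip) in net for net in KNOWN_NETWORKS):
        return "allow"
    return "block: unmanaged device on unknown network"

def review(signins):
    """Return (decisions, alerts) for a time-ordered list of sign-in events."""
    decisions, alerts, last_seen = [], [], {}
    for ts, user, ip, country, compliant, mfa_ok in signins:
        when = datetime.fromisoformat(ts)
        decisions.append((user, access_decision(ip, compliant, mfa_ok)))
        prev = last_seen.get(user)
        # The same account in two countries inside the window deserves a look,
        # even when each sign-in on its own satisfied the access policy.
        if prev and prev[1] != country and when - prev[0] <= TRAVEL_WINDOW:
            alerts.append(f"{user}: {prev[1]} -> {country} within {when - prev[0]}")
        last_seen[user] = (when, country)
    return decisions, alerts

if __name__ == "__main__":
    decisions, alerts = review(SIGNINS)
    for user, verdict in decisions:
        print(f"{user:6} {verdict}")
    for alert in alerts:
        print("ALERT", alert)
```

Bob's second sign-in passes the access rule because the device is compliant and MFA succeeded, which is why the monitoring check runs separately from the allow/block decision.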

Patching and Updates: The Remote Challenge

Keeping devices updated is one of the most important things you can do for security, and it is significantly harder when those devices are not on your office network.

In the office, a patch management tool on your server could push updates to all devices on the network. When a laptop is sitting in someone's spare bedroom connecting over home broadband, that same approach does not always work. Updates may not get pushed, or they get delayed because the device is not connected to the management server.

Cloud-based device management tools like Microsoft Intune solve this problem. They can manage and push updates to devices regardless of where they are, as long as they have an internet connection. If you have remote workers, you need a cloud-based management tool. Relying on workers to update their own devices manually is not a strategy.

Set policies that require devices to be updated within a reasonable timeframe. Configure automatic updates where possible. Monitor compliance and follow up with users whose devices fall behind. An unpatched device is a vulnerable device, and a vulnerable device connected to your company data is a risk to the whole business.
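One way to turn the "monitor compliance and follow up" step into a routine check, as an added example that is not part of the original article. The inventory export, its column names and both thresholds are constructed assumptions, not the format or defaults of any particular management tool.

```python
import csv
import io
from datetime import date

# Constructed policy thresholds; choose values that suit your own business.
MAX_PATCH_AGE_DAYS = 14   # "updated within a reasonable timeframe"
MAX_SILENT_DAYS = 7       # no check-in for this long means status is unknown

# Constructed inventory export with hypothetical column names.
INVENTORY_CSV = """device,user,last_checkin,last_update_installed
LT-001,alice,2026-02-09,2026-02-05
LT-002,bob,2026-02-09,2026-01-12
LT-003,carol,2026-01-20,2026-01-18
LT-004,dave,2026-02-08,
"""

def patch_followups(csv_text, today):
    """Return [(device, user, reason)] for every device that needs chasing."""
    followups = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        silent = (today - date.fromisoformat(row["last_checkin"])).days
        if silent > MAX_SILENT_DAYS:
            # A device that has stopped reporting cannot be assumed patched.
            reason = f"no check-in for {silent} days"
        elif not row["last_update_installed"]:
            reason = "no update recorded"
        else:
            age = (today - date.fromisoformat(row["last_update_installed"])).days
            if age <= MAX_PATCH_AGE_DAYS:
                continue  # within policy, nothing to do
            reason = f"last update {age} days ago"
        followups.append((row["device"], row["user"], reason))
    return followups

if __name__ == "__main__":
    for device, user, reason in patch_followups(INVENTORY_CSV, date(2026, 2, 10)):
        print(f"{device} ({user}): {reason}")
```

The silent-device check comes first because a laptop that has not reported in may show a recent update date that is simply stale data.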

Phishing Is the Biggest Risk

You can have the best technical security in the world and it will not matter if someone clicks on a phishing email and hands over their credentials. Phishing remains the most common way that attackers gain initial access to business systems, and remote workers can be more vulnerable because they are isolated from colleagues who might spot something suspicious.

In the office, someone might turn to a colleague and say 'does this email look right to you?' At home, they are more likely to just click the link. The informal, spontaneous security awareness that happens in shared spaces does not exist when people work alone.

Train your staff on how to recognise phishing emails. Do it regularly, not just once a year. Use simulated phishing tests to see who is clicking and provide additional training for those who need it. Make it easy for staff to report suspicious emails without fear of being told off for raising a false alarm.

Combine training with technical controls. Use email filtering to catch as many phishing emails as possible before they reach inboxes. Enable safe links and safe attachments in Microsoft 365 if you have the right licence. These will not catch everything, but they significantly reduce the volume of malicious emails your staff are exposed to.

Have a Clear Policy That People Actually Read

A remote working security policy does not need to be a 50-page document that nobody reads. It should be short, clear and practical. Cover the essentials and write it in plain language.

Your policy should cover:

  • What devices can be used for work and how they must be configured
  • Password requirements and the mandatory use of MFA
  • How to connect securely, whether that means VPN, cloud access or both
  • Rules about storing company data, including not saving files to personal devices or personal cloud storage
  • What staff should do if they suspect a security incident or receive a suspicious email
  • Physical security basics like locking screens when stepping away and not working on sensitive documents in public spaces

Get everyone to read it and sign it. Review it annually and update it when things change. A policy only works if people know about it and understand it.

Endpoint Protection on Every Device

Every device that accesses company data needs endpoint protection. This goes beyond basic antivirus. Modern endpoint protection tools monitor for suspicious behaviour, detect ransomware activity, block malicious websites and can isolate a compromised device from your network.

Products like Microsoft Defender for Business, SentinelOne and CrowdStrike provide this level of protection and can be managed centrally through a cloud dashboard. Your IT team or provider can see the security status of every device, respond to threats and push out updates from a single console.

Make sure endpoint protection is installed on every device before it is used for work. That includes laptops, desktops and any mobile devices that access email or company files. Monitor the dashboard regularly and investigate any alerts promptly.

Do not rely on the free version of Windows Defender on its own. It is better than nothing, but for a business with remote workers, you need a managed endpoint protection solution that gives you visibility and control across all your devices.

Putting It All Together

Securing remote workers is not about any single tool or policy. It is about layering multiple controls so that if one fails, another catches the threat. MFA protects identities. Company devices give you control. Endpoint protection catches malware. Patching closes vulnerabilities. Training reduces the risk of human error. And a clear policy ties it all together.

None of this requires a massive budget. The tools are affordable, especially for businesses already using Microsoft 365, which includes many of these capabilities in its higher-tier plans. What it does require is commitment. Security is not something you set up once and forget about. It needs ongoing attention, regular reviews and a culture where everyone understands their role in keeping the business safe.
