Breachroad

Secure remote work: a standard, not an exception

Remote work is here to stay — and with it company data on home networks and private hardware. A practical standard: devices, access, Wi-Fi.

Karol Rapacz
12 May 2026 · 11 min read

The corporate network perimeter has ceased to exist: today “the company network” is a hundred home routers, a dozen cafés and an airport. Most companies moved to hybrid work faster than they managed to think through its security — and it shows in the incidents: hijacked accounts without MFA, company data on private laptops “because it was quicker”, remote access exposed to the world. The good news: secure remote work isn’t exotic — it’s a set of a dozen decisions you can implement in a quarter.

The threat model: what really changes outside the office

Remote work doesn’t create new attack classes — it increases exposure to existing ones:

  • Identity becomes the only gate. With no “trusted office”, everything hinges on the login — which is why password attacks and phishing are more effective than ever.
  • The device leaves physical control. A laptop on a train, a child on the work computer, theft from a car — scenarios the office never had.
  • Home and public networks. A router on its factory password, smart gadgets on the same network, open hotel Wi-Fi.
  • No corridor to walk down. “Desk-side” verification doesn’t exist; an urgent transfer request on a messenger looks the same whether it comes from the CEO or from a fraudster (BEC).

Pillar 1: identity — MFA and conditional access

The foundation of remote work is well-deployed MFA: policy-enforced for everyone, phishing-resistant (passkeys/FIDO2) for admins and finance. Add conditional access: sign-in to company systems only from a known, compliant device — that single setting eliminates the “work email on a flatmate’s private computer” scenario. The philosophy behind it — trust no network, verify identity and device on every access — is covered in our piece on Zero Trust.

Pillar 2: devices — managed, encrypted, up to date

The minimum standard for any hardware touching company data:

  • full disk encryption (BitLocker/FileVault) — a lost laptop is then a hardware loss, not a reportable data breach,
  • MDM/EMM management — enforced updates, screen lock, remote wipe capability,
  • EDR on every endpoint — outside the office it’s your only pair of eyes on the device (why EDR, not antivirus),
  • a non-admin account for daily work,
  • automatic updates for OS and browser, without “remind me next week”.

On BYOD (private hardware) there are two honest options. Full access — only from company devices or private ones under management (at minimum a work profile on the phone). Alternatively, limited access: browser-based, no file downloads, selected apps only. “Full access from any private laptop” is not a policy — it’s the absence of one.

Pillar 3: access to resources — VPN and beyond

The classic VPN still has its place, but demands hygiene: mandatory MFA, the gateway patched as a priority (VPN appliance vulnerabilities are a favourite of ransomware groups — see the Ivanti or Fortinet history), and “access to the network” replaced by “access to applications” (segmentation: accounting doesn’t need a route to the dev servers). The more modern direction is ZTNA — per-application access with device posture checked at every connection. RDP exposed directly to the internet: never, no exceptions.

Pillar 4: home and public networks — simple rules

You won’t manage a hundred home routers, but you can give the team a short list:

  1. change the router’s factory password and disable the remote admin panel,
  2. Wi-Fi with WPA2/WPA3 and a strong password; work equipment on a separate (guest) network from TVs and “smart” bulbs,
  3. update the router firmware twice a year (at clock change — easy to remember),
  4. on public networks: avoid logging into critical systems; if you must — a phone hotspot beats hotel Wi-Fi; the company VPN always on,
  5. a privacy filter on the screen when travelling — the neighbour’s gaze on a train is also a “leak”.

With pillars 1–3 in place, the network stops being critical (everything is end-to-end encrypted anyway) — but these rules cost an hour of communication and remove real risk.

Pillar 5: processes and people

  • Second-channel verification for anything touching money or access: a request by email/messenger = voice confirmation on a known number. No exceptions “because it’s urgent from the CEO”.
  • An incident reporting channel that works remotely: an employee who clicked something suspicious at 7 p.m. must know where to report it immediately — and not be afraid to.
  • Remote off-boarding: a procedure for recovering equipment and cutting access (SSO simplifies this greatly — shadow IT accounts hurt most exactly here).
  • A clean desk, home edition: screen lock, headphones for sensitive calls, company documents not on the family kitchen table.
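The off-boarding point above (cut access remotely; SSO helps, shadow IT accounts hurt) is easy to state and easy to get wrong in practice, because the accounts that survive an IdP disable are exactly the ones nobody listed. The Python below is an added example, not Breachroad’s process or any HR or IdP product’s export format; the leaver list, directory and per-app account exports are constructed, as are the field names. It reconciles the three sources into a to-do list and separately inventories every local (non-SSO) account that an IdP disable would not touch.

```python
"""Added example (not Breachroad's code): reconcile an HR leaver list against
the SSO directory and per-app account exports to produce the remote
off-boarding to-do list. All names, apps, dates and field names are
constructed assumptions."""
from datetime import date

# Constructed HR export: who is leaving and when.
LEAVERS = [
    {"email": "jan.kowalski@example.com", "last_day": date(2026, 4, 30)},
    {"email": "eva.nowak@example.com", "last_day": date(2026, 5, 20)},  # not yet left
]
# Constructed IdP export: email -> account enabled?
SSO_DIRECTORY = {
    "jan.kowalski@example.com": True,
    "eva.nowak@example.com": True,
    "ola.wisniewska@example.com": True,
}
# Constructed exports from each SaaS app's admin console.
# auth == "sso": the app trusts the IdP; "local": its own password (shadow IT risk).
APP_ACCOUNTS = [
    {"app": "crm", "account": "jan.kowalski@example.com", "auth": "sso"},
    {"app": "crm", "account": "ola.wisniewska@example.com", "auth": "sso"},
    {"app": "design-tool", "account": "jan.kowalski@example.com", "auth": "local"},
    {"app": "design-tool", "account": "ola.wisniewska@example.com", "auth": "local"},
    {"app": "file-share", "account": "eva.nowak@example.com", "auth": "local"},
]


def offboarding_actions(leavers, directory, app_accounts, today):
    """Sorted (system, account, action) tuples for leavers whose last day has passed."""
    gone = {l["email"] for l in leavers if l["last_day"] <= today}
    actions = []
    for email in sorted(gone):
        if directory.get(email):
            actions.append(("idp", email, "disable SSO account"))
        for acct in app_accounts:
            if acct["account"] != email:
                continue
            if acct["auth"] == "sso":
                # Disabling the IdP account blocks new logins; existing sessions
                # still need revoking in the app.
                actions.append((acct["app"], email, "covered by IdP disable; revoke sessions"))
            else:
                actions.append((acct["app"], email, "disable local account: NOT covered by SSO"))
    return sorted(actions)


def shadow_it_accounts(app_accounts):
    """Every local (non-SSO) account, leaver or not: these survive an IdP disable."""
    return sorted((a["app"], a["account"]) for a in app_accounts if a["auth"] != "sso")


if __name__ == "__main__":
    for system, account, action in offboarding_actions(LEAVERS, SSO_DIRECTORY, APP_ACCOUNTS, date(2026, 5, 12)):
        print(f"{system:12} {account:28} {action}")
    print("local accounts not behind SSO:", shadow_it_accounts(APP_ACCOUNTS))
```

Run on the constructed data the to-do list has three entries for the one leaver whose last day has passed, and the shadow-IT inventory lists three local accounts, including one belonging to a person who is still employed; that second list is the one to work down before the next off-boarding, not during it.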

Frequently asked questions (FAQ)

Can an employee work from abroad? Technically it’s the same; legally — not always: tax, GDPR (data transfers) and sometimes sanctions issues come into play. On the security side, define: allowed/forbidden countries (and enforce them with sign-in policies), a mandatory VPN, and no equipment in checked luggage. Conditional access with country blocking does most of the work here.

A home printer, private monitor, keyboard — a problem? Monitor and keyboard — no. A printer — moderately (govern printing of sensitive documents at home with a classification policy, not technology). The real problem is USB sticks and private drives — block removable media on company hardware, with exceptions on request.

How do we reconcile monitoring with privacy in a home office? Monitor the device and security events (sign-ins, EDR, traffic to company systems), not the person (no activity tracking, screenshots or cameras). That’s not just GDPR — it’s the condition for people not working around your controls. Write the rules down and communicate them openly.
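"Monitor the device and security events, not the person" is concrete enough to turn into code: the only inputs are authentication events and device state, and the outputs are signals about accounts and devices. The Python below is an added example, not Breachroad’s tooling or any IdP’s real log schema; the JSON sign-in lines, their field names, the allowed-country set and the burst threshold are constructed assumptions. It flags successful sign-ins without MFA, from a disallowed country, from an unmanaged device, and a burst of failures followed by a success for the same account.

```python
"""Added example (not Breachroad's code): reduce a raw sign-in log to
security signals about accounts and devices only. Log lines, field names,
thresholds and the country allow-list are constructed assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"PL", "DE"}        # constructed allow-list
FAILURE_BURST = 5                        # failures within BURST_WINDOW before a success
BURST_WINDOW = timedelta(minutes=10)

# Constructed IdP log: one JSON object per line, authentication events only.
SAMPLE_LOG = """
{"ts":"2026-05-12T18:58:00Z","user":"bob","result":"failure","mfa":false,"country":"PL","managed":true}
{"ts":"2026-05-12T18:59:00Z","user":"bob","result":"failure","mfa":false,"country":"PL","managed":true}
{"ts":"2026-05-12T19:00:00Z","user":"bob","result":"failure","mfa":false,"country":"PL","managed":true}
{"ts":"2026-05-12T19:01:00Z","user":"bob","result":"failure","mfa":false,"country":"PL","managed":true}
{"ts":"2026-05-12T19:02:00Z","user":"bob","result":"failure","mfa":false,"country":"PL","managed":true}
{"ts":"2026-05-12T19:03:00Z","user":"bob","result":"success","mfa":false,"country":"PL","managed":true}
{"ts":"2026-05-12T19:10:00Z","user":"anna","result":"success","mfa":true,"country":"PL","managed":true}
{"ts":"2026-05-12T19:12:00Z","user":"carol","result":"success","mfa":true,"country":"XX","managed":true}
{"ts":"2026-05-12T19:20:00Z","user":"dan","result":"success","mfa":true,"country":"DE","managed":false}
"""


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines, convert timestamps, return events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list[dict]) -> list[tuple[str, str]]:
    """Return (user, signal) pairs; only auth results and device state are used."""
    alerts = []
    recent_failures = defaultdict(list)      # user -> timestamps of recent failures
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "failure":
            recent_failures[user].append(ts)
            continue
        window = [t for t in recent_failures[user] if ts - t <= BURST_WINDOW]
        if len(window) >= FAILURE_BURST:
            minutes = int(BURST_WINDOW.total_seconds() // 60)
            alerts.append((user, f"{len(window)} failures then success within {minutes} min"))
        recent_failures[user].clear()
        if not ev["mfa"]:
            alerts.append((user, "successful sign-in without MFA"))
        if ev["country"] not in ALLOWED_COUNTRIES:
            alerts.append((user, f"successful sign-in from {ev['country']}"))
        if not ev["managed"]:
            alerts.append((user, "successful sign-in from unmanaged device"))
    return alerts


def alerts_per_user(alerts: list[tuple[str, str]]) -> dict[str, int]:
    counts = defaultdict(int)
    for user, _ in alerts:
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, signal in detect(parse_log(SAMPLE_LOG)):
        print(f"{user:6} {signal}")
```

Nothing in the input or output concerns what a person was doing on the machine; the three per-success checks are the detective counterpart of the sign-in policy (MFA, country, device), and the burst check catches an account that was guessed or sprayed rather than one that was used unusually.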

Does remote work increase ransomware risk? Indirectly yes — more remote access means more gates to attack, and a home machine without EDR is a great foothold. But companies with MFA, managed devices and segmented access are safer remotely than the “trusted” office networks of a decade ago. The work model matters less than the quality of the controls.

Where do we start if we have none of this today? The highest-return order: (1) MFA everywhere, (2) disk encryption + screen lock, (3) EDR on endpoints, (4) conditional access “known devices only”, (5) the second-channel rule for payments. That closes most real scenarios. Want to see your remote model through an attacker’s eyes? We’ll test it — from VPN gateways to social engineering. Write to us.

Summary

Secure remote work rests on four shifts: from network to identity (MFA + conditional access), from location to device (encryption, MDM, EDR), from trust to verification (a second channel for money) and from guesswork to visibility (logs and monitoring independent of where people work). Companies that make these shifts don’t have to choose between flexibility and security — they get both.
