Remote and Hybrid Working: Keeping Your Business Secure Off-Premises

Remote and hybrid working has become the default for a significant proportion of UK small businesses. The security implications of this shift are well understood in theory and poorly addressed in practice: the same work is being done, but in environments — home offices, coffee shops, client premises — with significantly less security infrastructure than a managed office network.

This post covers the specific risks that remote working introduces and the practical controls that address them, for both the organisation and individual staff members working away from the office.

The Specific Risks of Remote Working

Home networks. A staff member's home router is almost certainly less secure than the business network they connect to in the office. It may be running outdated firmware, using default credentials, or running on WPA2 with a password shared with every visitor to the house for the past five years. Devices on the home network — family tablets, smart TVs, IoT devices — may be compromised or vulnerable. The home network is not a trusted environment in the way that a managed corporate network is.

Public Wi-Fi. Coffee shops, hotels, airports, and client offices all offer Wi-Fi that staff may connect to for convenience. Public Wi-Fi provides no security guarantees: traffic may be visible to other network users or to the operator of the network. Malicious hotspots — devices configured to mimic the name of a legitimate network to intercept connections — are a real, if less common, threat in public spaces.

Blurred device boundaries. Remote workers often drift between work devices and personal devices in ways that wouldn't occur in an office. Personal devices accessing work email "just this once" when the work laptop is unavailable, work files saved to a personal device for convenience — these patterns create data exposure that the organisation doesn't know about and cannot control.

Visual and audio eavesdropping. Working in public spaces or shared homes creates the risk that screens are visible to others or conversations are audible. Sensitive calls, confidential documents visible on screen, and the general disclosure of business information in semi-public settings are risks that have no technical solution — they require awareness and habit.

The Essential Remote Working Security Controls

VPN for Accessing Business Systems

A Virtual Private Network (VPN) creates an encrypted tunnel between the remote worker's device and your office network or cloud services. Traffic flowing through this tunnel is encrypted even if the underlying network (a home router, a hotel Wi-Fi) is not secure. For any remote access to internal business systems — file servers, internal applications, the business network — a VPN should be the standard mechanism.

Key requirements for a business VPN: it must require strong authentication (ideally MFA), must use current, supported protocols (IKEv2/IPSec or WireGuard — not older PPTP or L2TP without additional protection), and must be configured so that all internet traffic routes through the VPN when connected (full-tunnel mode), not just traffic to internal resources (split-tunnel mode, which leaves general browsing unprotected).

Consumer VPN services marketed to individuals are not substitutes for a business VPN — they protect privacy from internet service providers but don't provide access to your business network or the management controls that business VPNs provide.

Endpoint Security on Remote Devices

Remote working devices need the same endpoint security as office devices — current operating system and application patches, endpoint detection and response software, full-disk encryption — with the additional consideration that they're frequently not on a managed network. Centralised patch management and security monitoring that relies on devices being on the corporate network when they were only ever on it occasionally needs to account for remote devices that may not connect to the corporate network for extended periods.

Securing the Home Network

Staff working from home cannot be expected to maintain enterprise-grade home networks. But they can be expected to take basic steps: change the router's default admin password, use WPA2 or WPA3 for the Wi-Fi, keep the router firmware updated, and use a separate network for work devices if the router supports it (most modern home routers support multiple SSIDs). A simple written guide provided to staff, covering the basic home router security steps, is a proportionate and useful measure.

Cloud Access and SaaS Security

Remote working has accelerated the migration to cloud-based tools — Microsoft 365, Google Workspace, project management platforms, cloud-based CRM. These services are accessed over the internet from any location, which makes them independent of the corporate network security perimeter. Their security depends on the account's credentials and authentication controls, not on network location.

MFA on all cloud services, as covered in an earlier post, is the primary control for cloud-based access in a remote working context. Conditional Access policies — where available via Entra ID or equivalent — can additionally restrict access to trusted devices or flag sign-ins from unusual locations for additional verification.

Clear Policies on Personal Device Use

The reality of remote working is that the boundary between work and personal devices is more permeable than in an office. Your acceptable use policy and BYOD policy should address this explicitly: which devices may access work data, what security standards are required on personal devices used for work, and what data may and may not be stored on personal devices.

The Awareness Dimension

Several remote working risks require awareness rather than technology:

• Use a privacy screen on laptops when working in public spaces — screens visible to others are information disclosures.
• Take sensitive calls somewhere private, not in a coffee shop or open-plan co-working space.
• Do not print sensitive documents at home unless the home printer environment is secure and the documents are properly disposed of afterwards.
• Be aware that working from home means your work conversations may be audible to family members and household visitors — the same standards of information security that apply in the office apply at home.