TL;DR: Remote work has expanded the attack surface of every business that adopted it. A staff member’s home Wi-Fi, personal devices, and unsecured cloud access are all potential entry points that did not exist when everyone worked in the office. This kit covers what remote workers need to do, what IT needs to set up, and what policies need to exist to make hybrid work secure.
The Remote Work Security Problem
When your team worked in the office, your network perimeter was well-defined: the office firewall, your managed devices, your controlled network. Remote work dismantled that perimeter. Now your data is accessed from home broadband connections with no security controls, personal devices with unknown security posture, coffee shop Wi-Fi, and hotel networks.
The numbers reflect this. Australian cyber incidents involving remote access vulnerabilities and compromised home network access points have increased significantly since hybrid work became standard. The attack surface grew; security controls did not always keep pace.
This guide gives you the framework to close those gaps.
Part 1: The Remote Worker Device Checklist
Company-Owned Devices
If your staff use company-owned devices for remote work, these are the minimum security requirements:
Endpoint protection:
- Microsoft Defender for Business (or equivalent EDR) installed and active
- Real-time protection enabled — not paused or overridden
- Device enrolled in Microsoft Intune for centralised management and policy enforcement
- Automatic OS updates enabled (Windows Update on schedule, not deferred indefinitely)
- Device encryption enabled: BitLocker (Windows), FileVault (Mac)
Access controls:
- Strong login password (minimum 14 characters) or biometric (Windows Hello)
- Automatic screen lock after 5 minutes of inactivity
- MFA required for Microsoft 365 sign-in (enforced via Conditional Access Policy)
- Local administrator rights removed for standard users
Software:
- Only approved software installed — no unlicensed or consumer freeware
- VPN client installed and configured (if applicable for your environment)
- Microsoft Authenticator app installed for MFA
- Password manager installed
Personal Devices (BYOD)
If staff use personal devices for work, the minimum requirements change — you cannot fully manage a personal device, but you can manage the company data on it.
Minimum BYOD security requirements:
- Device has a PIN or biometric lock
- Device is running a supported OS version (not end-of-life Android or iOS)
- Device is enrolled in Microsoft Intune Mobile Application Management (MAM)
- Company data access is via approved managed apps only (Outlook app, Teams app, OneDrive app — not via web browser where possible)
- Automatic OS updates enabled
- Remote wipe of company data authorised in BYOD agreement
What Intune MAM does on a personal device:
- Confines company data within the managed app container
- Prevents copy-paste from managed apps to personal apps (configurable)
- Enforces MFA when accessing company data
- Allows IT to remotely wipe company data only — not the whole device
See Top 10 IT Policies Template for the BYOD Policy template.
Part 2: Home Network Security
Most home broadband routers are configured with default settings that were fine for residential use but introduce risks when used for business work.
Router Security Basics
Change the default admin password. Every router brand ships with a known default admin password. If an attacker can reach your router’s admin interface (via the local network), they can change your DNS settings, intercept your traffic, or disable your firewall. Change the admin password to something unique and strong.
Update the router firmware. Router firmware updates patch known vulnerabilities. Most modern routers (Netgear, ASUS, TP-Link) have automatic firmware update settings — enable them.
Use WPA3 or WPA2 with AES encryption. If your router is still configured for WPA or WEP, upgrade it. WPA2-AES is the minimum for secure Wi-Fi in 2026.
Use a strong, unique Wi-Fi password. Not the one printed on the router’s label — that is often the default and may have been shared with many people.
Create a separate IoT network. Smart TVs, smart speakers, security cameras, and other IoT devices in your home are often poorly secured. Putting them on a separate SSID (Wi-Fi network name) prevents a compromised IoT device from accessing the same network segment as your work laptop.
Guest Network for Work
Consider configuring a dedicated SSID for work use — separate from family devices and guests. This provides network segmentation between work and personal traffic on your home network, and makes it easy to share guest Wi-Fi with visitors without giving them access to your work devices.

Part 3: VPN and Secure Remote Access
When VPN Is Required
A VPN (Virtual Private Network) encrypts your internet traffic and routes it through a secure server — either your company network or a third-party VPN service.
You need a VPN connection when:
- Accessing on-premises resources (servers, network drives, internal applications) from outside the office
- Using public Wi-Fi (cafes, airports, hotels) for any work activity
- Working on any network whose security you cannot verify (hotel networks, shared office spaces)
You may not need a VPN when:
- All your business applications are cloud-based (Microsoft 365, cloud CRM, cloud accounting)
- Your home network is properly secured
- Conditional Access Policies in Microsoft 365 enforce device compliance rather than relying on network location
Types of VPN for Business
Site-to-site VPN: Connects two networks (e.g., office network to cloud or between office sites). Managed by your IT provider.
Remote access VPN: Individual staff connect to the company network via a VPN client. Common solutions: Cisco AnyConnect, FortiClient, GlobalProtect. Requires a VPN gateway device at your office or cloud endpoint.
Zero Trust Network Access (ZTNA): A modern replacement for traditional VPN. Rather than granting access to your entire network, ZTNA grants access to specific applications based on device compliance, user identity, and risk assessment. Microsoft Entra Private Access is the Microsoft implementation. More secure and more granular than traditional VPN.
For most SMBs moving to cloud-first infrastructure, the combination of Microsoft 365 Conditional Access (requiring compliant devices) and Intune device management provides sufficient security without a traditional VPN.
Part 4: Cloud Access Security
With most business data in Microsoft 365 (email, SharePoint, OneDrive, Teams), securing cloud access is more important than securing a VPN connection to an office network.
Conditional Access Policies
Conditional Access Policies in Microsoft Entra ID (Azure AD) allow you to set rules for when and how users can access Microsoft 365. Essential policies for remote work environments:
Require MFA for all users: No exceptions. MFA stops account takeover attacks cold.
Block access from non-compliant devices: Require that devices meet minimum security standards (managed by Intune, encryption enabled, OS up to date) before they can access company data.
Block legacy authentication protocols: Older applications that do not support MFA use legacy protocols (Basic Auth) that bypass MFA. Block these.
Risk-based access: Azure AD can detect anomalous sign-in patterns (impossible travel, unfamiliar location, malicious IP) and automatically require additional authentication or block access.
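One way to check whether those four essential policies actually exist and are enforced in a tenant, as an added example that is not code from this guide or from Microsoft: it takes policies in the Microsoft Graph conditionalAccessPolicy JSON shape (for example from a Graph export) and uses constructed sample policies rather than a real tenant.

```python
# Constructed export: MFA-for-all is live, the legacy-auth block is stuck in
# report-only mode, and no policy requires a compliant device at all.
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Sign-in risk: require MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"],
                    "signInRiskLevels": ["medium", "high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

def _live_for_everyone(policy):
    """Enabled and scoped to all users/apps; report-only mode logs but never blocks."""
    cond = policy.get("conditions", {})
    return (policy.get("state") == "enabled"
            and "All" in cond.get("users", {}).get("includeUsers", [])
            and "All" in cond.get("applications", {}).get("includeApplications", []))

def _controls(policy):
    return set(policy.get("grantControls", {}).get("builtInControls", []))

def assess(policies):
    """Return the names of essential policies that are missing or not enforced."""
    live = [p for p in policies if _live_for_everyone(p)]
    legacy = {"exchangeActiveSync", "other"}
    checks = {
        # A risk-scoped MFA policy only fires on risky sign-ins, so it is not MFA-for-all
        "mfa_for_all": any("mfa" in _controls(p)
                           and not p["conditions"].get("signInRiskLevels")
                           for p in live),
        "compliant_device": any("compliantDevice" in _controls(p) for p in live),
        "legacy_auth_blocked": any("block" in _controls(p) and legacy <=
                                   set(p["conditions"].get("clientAppTypes", []))
                                   for p in live),
        "risk_based": any(p["conditions"].get("signInRiskLevels")
                          or p["conditions"].get("userRiskLevels") for p in live),
    }
    return sorted(name for name, ok in checks.items() if not ok)

if __name__ == "__main__":
    print("Gaps:", assess(POLICIES))  # Gaps: ['compliant_device', 'legacy_auth_blocked']
```

A policy left in report-only mode shows up as a gap on purpose: it produces sign-in log entries but never blocks anyone.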
Sensitive Data Controls
Do not allow company data on unmanaged personal cloud storage. OneDrive sync on a personal account is not the same as your company’s SharePoint. Ensure staff are saving work files to SharePoint/OneDrive for Business, not their personal Google Drive or personal OneDrive.
Disable or control external sharing. Microsoft 365 allows files and folders to be shared externally via a link. Without governance, sensitive files may be shared with external parties unintentionally. Configure sharing settings to require authenticated sharing (recipients must sign in to access the file).
Monitor for unusual access patterns. Microsoft 365 audit logs record all access activity. Set up alerts for large downloads, unusual login locations, or access from unexpected devices.
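The three alerts above expressed as simple rules over activity records, added here as an example that is not part of the original guide: the records are constructed with simplified field names rather than the exact Microsoft 365 audit-log or sign-in-log schema, and the set of expected countries is an assumption about where this business's staff work.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity: simplified Unified Audit Log / sign-in log
# fields, not the exact schema. Carol downloads 60 files in one hour.
EVENTS = [
    {"time": "2026-03-02T08:00:00", "user": "alice@example.com.au",
     "op": "UserLoggedIn", "country": "AU", "compliant": True},
    {"time": "2026-03-02T08:05:00", "user": "bob@example.com.au",
     "op": "UserLoggedIn", "country": "AU", "compliant": False},
    {"time": "2026-03-02T08:10:00", "user": "alice@example.com.au",
     "op": "UserLoggedIn", "country": "RU", "compliant": True},
] + [
    {"time": f"2026-03-02T08:{m:02d}:00", "user": "carol@example.com.au",
     "op": "FileDownloaded", "country": "AU", "compliant": True}
    for m in range(60)
]

EXPECTED_COUNTRIES = {"AU", "NZ"}  # assumption: where this firm's staff work

def _ts(event):
    return datetime.fromisoformat(event["time"])

def unexpected_locations(events, allowed=EXPECTED_COUNTRIES):
    """Sign-ins from countries outside the expected set."""
    return [e for e in events
            if e["op"] == "UserLoggedIn" and e["country"] not in allowed]

def non_compliant_sign_ins(events):
    """Sign-ins from devices that failed Intune compliance."""
    return [e for e in events
            if e["op"] == "UserLoggedIn" and not e["compliant"]]

def bulk_downloads(events, threshold=50, window=timedelta(hours=1)):
    """Users exceeding `threshold` FileDownloaded events in any sliding window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["op"] == "FileDownloaded":
            by_user[e["user"]].append(_ts(e))
    flagged = {}
    for user, times in by_user.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged
```

Each function returns the offending records or users so the result can feed a ticket or an alert rather than just a printout.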
Part 5: The Remote Work Policy
Technology controls are only as effective as the policies that govern them. A Remote Work Security Policy should cover:
Approved locations: Where can staff work remotely? Home only, or any location? If any location, what additional requirements apply for coffee shops and public spaces?
Approved devices: Company-managed devices only, or BYOD with Intune MAM? Document this clearly.
VPN requirements: When is VPN required? Is it always-on or on-demand?
Screen privacy: Staff working in public spaces should use privacy screens and should not conduct confidential conversations in earshot of others.
Incident reporting: What does a remote worker do if they suspect their device has been compromised or they have clicked a phishing link? Who do they call? (Hint: your IT provider’s emergency number should be in their phone.)
Physical security: Company devices should not be left unattended in public, and should not be left visible in a parked car.
See Top 10 IT Policies Template for a full Remote Work Policy template.
Quick Reference: Remote Worker Security Checklist
Print this and give it to every remote worker:
Every day:
- Work from a secure, private location
- Use only company-approved devices for work data
- Keep your screen private in public spaces
- Lock your screen when stepping away
Every week:
- Ensure your device’s OS and applications are updated
- Review any unusual Microsoft 365 sign-in alerts
If something seems wrong:
- Suspect phishing: do not click; report to IT immediately
- Device lost or stolen: call IT immediately for remote wipe
- Unusual account activity: change your password and call IT
IT helpdesk number: _______________
Getting Remote Work Security Right
Remote work security is not a one-time configuration. It requires ongoing management: device compliance monitoring, access reviews, patch management, and regular assessment against evolving threats.
A managed IT provider who actively monitors your environment — including your remote workers’ devices — provides the visibility and response capability that makes hybrid work genuinely secure rather than theoretically secure.
If you want to assess your current remote work security posture, book a Right Fit Call with CX IT Services.