Remote Work Security - What Your Business Needs to Have in Place

Remote work didn’t just change where people work — it permanently expanded the attack surface every business has to defend.

When your team was in one office on one network, the security perimeter was relatively clear. Now your employees work from home networks, coffee shops, hotel WiFi, and vacation rentals. Their devices leave the building. Their credentials get used on personal computers. Their home routers haven’t been patched since the ISP installed them four years ago. The network perimeter you used to defend is largely gone — and most businesses haven’t rebuilt their security posture to account for it.

Here’s what actually needs to be in place for remote and hybrid work to be secure.

Identity over perimeter: the foundational shift

The old security model asked: "Is this device on our network?" If yes, trust it. If no, block it. That model broke when the network became everywhere.

The Zero Trust model asks: "Who is this user? Is this a known, managed device? Is this request consistent with normal behavior?" It verifies every access attempt explicitly — regardless of whether the device is in the office, at home, or in an airport lounge. Identity becomes the perimeter.

The practical implication: MFA and SSO aren’t optional extras in a remote work environment. They’re the foundation. Without MFA, a compromised credential from a phishing attack or a credential stuffing attack becomes a full account takeover with no friction.

VPN vs. Zero Trust Network Access

For years, VPN was the standard answer to remote access security. A VPN tunnels the remote employee’s traffic through an encrypted connection back to the office network, making their device appear as if it’s physically in the building.

The problem with VPN in a modern environment: once the tunnel is established, the device is on the network — with access to everything the user’s credentials allow. If the device is compromised, or if the credentials are stolen, an attacker on that VPN connection has broad network access. VPN treats the tunnel as a trust boundary, and trust boundaries are exactly what attackers exploit.

Zero Trust Network Access (ZTNA) is the emerging alternative. Instead of creating a tunnel to the whole network, ZTNA provides access to specific applications based on verified identity and device health. The user gets access to the file share they need, or the application they need, without being on the network in a way that allows lateral movement. The blast radius of a compromised credential is dramatically smaller.
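
The per-application decision described above, contrasted with a flat VPN tunnel, as an added example that is not part of the original article. The policy table, the group and application names, and the 30-day patch threshold are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

# Constructed policy; application and group names are hypothetical.
APP_POLICY = {
    "file-share": {"groups": {"staff", "finance"}, "managed_only": True},
    "payroll":    {"groups": {"finance"},          "managed_only": True},
    "wiki":       {"groups": {"staff", "finance"}, "managed_only": False},
}
MAX_PATCH_AGE_DAYS = 30  # assumed threshold, not from the article

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa_passed: bool
    device_enrolled: bool    # enrolled in MDM
    disk_encrypted: bool
    days_since_patch: int
    app: str = ""

def ztna_decide(req):
    """Evaluate one request for one application; default deny."""
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application"
    if not req.mfa_passed:
        return False, "MFA not satisfied"
    if not (req.groups & policy["groups"]):
        return False, "user not entitled to application"
    if policy["managed_only"]:
        if not req.device_enrolled:
            return False, "device not enrolled in MDM"
        if not req.disk_encrypted:
            return False, "disk encryption disabled"
        if req.days_since_patch > MAX_PATCH_AGE_DAYS:
            return False, "patches out of date"
    return True, "allowed"

def ztna_reach(req):
    """Applications this identity and device can reach under per-app checks."""
    return {a for a in APP_POLICY if ztna_decide(replace(req, app=a))[0]}

def flat_vpn_reach(req):
    """Tunnel model: after login, every application is reachable on the network."""
    return set(APP_POLICY) if req.mfa_passed else set()

# Constructed sample: same user on a healthy managed laptop and on an unmanaged home PC.
laptop = Request("alice", frozenset({"staff"}), True, True, True, 5)
home_pc = replace(laptop, device_enrolled=False, disk_encrypted=False, days_since_patch=120)
```

Comparing `ztna_reach(home_pc)` with `flat_vpn_reach(home_pc)` shows the difference in blast radius for the same login on an unhealthy device.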

For many small businesses, a well-configured VPN with MFA, device health checks, and network segmentation is still appropriate. For businesses with regulated data, complex environments, or elevated risk profiles, ZTNA is increasingly the right answer. We evaluate both options in the context of each client’s environment and risk requirements.

Device management for remote workers

A remote employee’s device is doing things a device in a supervised office isn’t: connecting to unknown networks, going home in a bag, getting used for personal tasks after hours, and potentially being accessed by family members. Device management for remote workers has to account for all of this.

MDM enrollment. Every device used to access company data — company-issued or personal under a BYOD policy — should be enrolled in mobile device management. This enables encryption enforcement, screen lock requirements, patch management, and remote wipe capability if the device is lost or the employee leaves.

EDR on every endpoint. EDR watches device behavior regardless of what network the device is on. A remote employee’s laptop browsing a compromised website over home WiFi is protected the same way it would be in the office. Behavioral detection doesn’t depend on network perimeter.

Patch management without gaps. Office devices get patched when they’re on the office network. Remote devices can go weeks or months without connecting to a managed update environment if patching isn’t designed for distributed deployment. Our RMM platform pushes patches regardless of where the device is connected. Unpatched remote devices are one of the most common attack vectors in hybrid work environments.

Home network risks

The home network is outside your control — but the risks it creates aren’t. Common home network vulnerabilities that affect business security:

  • Unpatched home routers — many consumer routers haven’t been updated since installation. If a home router is compromised, an attacker can intercept traffic, perform man-in-the-middle attacks on unencrypted connections, and potentially pivot to the devices on the network.
  • Shared network with unmanaged devices — a compromised smart TV, gaming console, or child’s tablet on the same home network as a work laptop creates lateral movement risk. Network segmentation at home (business devices on a separate network from personal devices) reduces this risk significantly.
  • No DNS filtering — office environments typically have DNS filtering that blocks known malicious domains at the network level. Home networks usually don’t. DNS filtering that applies at the device level — through the device’s security stack — closes this gap regardless of network.

Secure file access and cloud storage

Remote work creates pressure to access files quickly and conveniently. The path of least resistance — emailing documents to a personal account, storing them on a personal cloud service, using USB drives — creates data leakage risks that are very difficult to detect after the fact.

The right answer is secure, managed cloud storage that’s accessible from anywhere without requiring workarounds: SharePoint and OneDrive for Microsoft 365 clients, properly configured with appropriate permissions and access controls. Files stay in the managed environment. Access is controlled, logged, and revocable. When an employee leaves, their access ends, rather than a local copy of the files leaving with them.

The compliance dimension

Remote work creates specific compliance obligations that didn’t exist when everyone was in one office. HIPAA’s physical safeguard requirements apply to remote work settings — which means screen lock policies, workstation use policies, and controls against unauthorized access to PHI on home devices. GLBA’s Safeguards Rule requires that the information security program account for the risks created by remote access. PCI-DSS has specific requirements about remote access to in-scope systems.

For regulated businesses with remote or hybrid workers, the compliance program needs to explicitly address the remote work environment — not assume that office-based controls transfer automatically to a home office.

What we do

Remote work security is built into the standard managed IT stack we deploy for clients — MFA, SSO, MDM enrollment, EDR on every endpoint, patch management that works regardless of location, and cloud storage configured for secure remote access. For clients in regulated industries, we document the remote work security controls as part of the compliance program. For clients transitioning from fully in-office to hybrid, we conduct a remote work security review that identifies gaps and builds a remediation plan before the first employee works from home on a regular basis.