The Security Implications of Remote Work
The mass transition to remote working in 2020 was, for many organisations, the largest unplanned IT migration in history. Whilst businesses focused on maintaining productivity and keeping operations running, cybersecurity often became a secondary concern — and threat actors were quick to exploit this shift.
The National Cyber Security Centre (NCSC) reported a significant increase in phishing campaigns during 2020, many of which used pandemic-related themes to trick recipients into clicking malicious links or surrendering credentials. Ransomware attacks also rose sharply, with criminals targeting organisations whose defences were weakened by the sudden shift away from office-based infrastructure.
For small and medium-sized businesses in particular, the combination of limited IT resources and an urgent need to enable remote access created a perfect storm of vulnerability.
Understanding the Expanded Attack Surface
When employees work from a centralised office, the organisation's security perimeter is relatively well-defined. Corporate firewalls, managed network infrastructure, and physically secured devices create layers of protection. When those same employees move to home working, the attack surface expands considerably.
Home Network Vulnerabilities
Home Wi-Fi networks frequently use weak passwords, outdated router firmware, or older encryption standards. Many home networks are shared with other household members who may be using devices with their own security vulnerabilities, creating potential lateral attack vectors.
Device Risks
Personal devices might be shared with family members, lack the security configurations applied to company-issued hardware, run outdated operating systems, or have software installed that would not be permitted on a corporate device. Even company-issued laptops, once removed from the corporate network, lose some of the protections that office infrastructure provides.
Shadow IT Concerns
In the rush to maintain productivity, many employees adopted tools and services without IT department approval — file-sharing platforms, messaging applications, and collaboration tools that may not meet the organisation's security standards. This shadow IT phenomenon created data governance challenges that many organisations are still addressing.
Essential Security Measures
Several measures proved particularly important for securing remote teams in 2020 and remain fundamental today.
Virtual Private Networks (VPNs)
A properly configured VPN encrypts traffic between an employee's device and the corporate network, providing a secure tunnel that protects data in transit. Organisations should ensure their VPN infrastructure can handle the increased load of a fully remote workforce, that split-tunnelling policies are appropriate, and that VPN clients are kept up to date.
A VPN alone is not sufficient, however. It protects data in transit but does not secure the endpoint itself or protect against threats that originate on the device.
Multi-Factor Authentication (MFA)
Requiring a second form of verification beyond a password significantly reduces the risk of account compromise. Even if credentials are stolen through a phishing attack, MFA provides an additional barrier that prevents unauthorised access in most cases. MFA should be enabled on all business-critical systems, including:
- Email and calendar platforms
- Cloud storage and document collaboration tools
- Customer relationship management (CRM) systems
- Financial and accounting software
- Code repositories and development environments
- Remote desktop and VPN connections
Endpoint Protection
Every device that connects to company resources should run up-to-date antivirus and anti-malware software, have its operating system and applications regularly patched, and be configured according to the organisation's security baseline. Mobile device management (MDM) solutions can help enforce these requirements across a distributed fleet of devices, providing visibility into compliance and the ability to remotely wipe data from lost or compromised devices.
Security Awareness Training
Technical controls are only part of the solution. Employees need to understand the threats they face and how to recognise suspicious communications. Regular training sessions, simulated phishing exercises, and clear guidance on reporting suspected incidents can significantly reduce the likelihood of a successful social engineering attack. The most effective training programmes are ongoing rather than annual, and they adapt to reflect the current threat landscape.
Developing a Remote Work Security Policy
A clear, written security policy for remote working is essential. This document should cover several key areas:
- Acceptable use of company and personal devices for work purposes
- Requirements for home network security, including minimum Wi-Fi encryption standards
- Data handling and classification procedures, including rules about storing sensitive data locally
- Approved tools and platforms for communication, file sharing, and collaboration
- Incident reporting processes, including who to contact and what steps to take if a breach is suspected
- Guidelines for using public Wi-Fi networks and the requirement to use VPN connections
- Physical security considerations, such as locking screens when away from the device and securing printed documents
The policy should be reviewed regularly and updated as threats evolve and the organisation's remote working practices mature.
Incident Response in a Distributed Environment
Responding to security incidents is more complex when the workforce is distributed. Organisations should ensure their incident response plans account for remote scenarios, including how to isolate a compromised device when it is not on the corporate network, how to communicate with affected employees during an incident, and how to conduct forensic investigation remotely.
Tabletop exercises that simulate security incidents in a remote working context can help identify gaps in the response plan before a real incident occurs.
Building a Security-First Culture
Perhaps the most important lesson from 2020 is that cybersecurity must be embedded into organisational culture rather than treated as a purely technical matter. When every team member understands their role in maintaining security, recognises the threats they may encounter, and feels empowered to report concerns without fear of blame, the organisation as a whole becomes far more resilient.
Leadership plays a crucial role in establishing this culture. When senior management visibly prioritises security, follows the same policies as everyone else, and allocates appropriate resources to security initiatives, the message resonates throughout the organisation.
At GRDJ Technology, we work with businesses to assess their security posture, identify vulnerabilities, and implement practical measures that protect both data and reputation. The shift to remote working may have been sudden, but the security practices it demands are here to stay.