The pandemic proved that remote work works. But it also proved that traditional 'castle and moat' security doesn't work anymore. When your staff are logging in from home WiFi, airport lounges, and coffee shops, you can't rely on the office firewall to protect them.
This checklist covers everything you need to secure a hybrid workforce in 2025.
Device Security
โ Use Company-Managed Devices
The number one remote work security risk is unmanaged personal devices. A home laptop shared with teenagers downloading games is a malware magnet.
- Issue company laptops enrolled in device management (Intune)
- If personal devices must be used, require mobile device management (MAM)
- Never allow sensitive data on completely unmanaged devices
โ Enable Full Disk Encryption
If a laptop is lost or stolen, encryption ensures the data can't be read:
- Windows: BitLocker (included in Pro editions)
- Mac: FileVault
- Store recovery keys centrally in case users forget passwords
โ Automatic Lock Screens
Configure screens to lock after 5 minutes of inactivity. It takes seconds for someone to read a screen in a coffee shop.
โ Endpoint Detection & Response (EDR)
Traditional antivirus isn't enough. EDR solutions detect behavioural threats:
- Files being bulk encrypted (ransomware)
- Data being copied to USB drives
- Unusual login times or locations
This is included in Microsoft Business Premium.
Identity Security
โ Multi-Factor Authentication (MFA) on Everything
Passwords get stolen. MFA stops attackers from using them:
- Microsoft 365: Mandatory
- VPN: Mandatory
- Banking: Mandatory
- Any app with company data: Mandatory
โ Conditional Access Policies
Go beyond basic MFA with intelligent access controls:
- Block logins from countries you don't operate in
- Require compliant devices for access to sensitive data
- Force password reset if login appears risky
โ Single Sign-On (SSO)
Reduce password fatigue by letting users log into all apps with one Microsoft credential. Fewer passwords = fewer passwords to steal.
Network Security
โ The VPN Question
Traditional VPNs are often slow, clunky, and create bottlenecks. For most modern cloud-based businesses, you may not need one:
- You need a VPN if: You have on-premise servers or applications
- You don't need a VPN if: Everything is in Microsoft 365, SharePoint, and cloud apps
If you do need VPN, use split tunnelling so only company traffic goes through it.
โ Secure DNS
Block malicious websites at the DNS level before they even load:
- Microsoft Defender SmartScreen
- Cloudflare Gateway
- Umbrella by Cisco
โ Home Router Hygiene
Advise staff to:
- Change default router passwords (not 'admin/admin')
- Update router firmware when prompted
- Use WPA3 encryption if available
- Create a separate guest network for IoT devices
Data Security
โ Cloud Storage, Not Local Storage
Data on local hard drives is:
- At risk if the device is lost
- Not backed up (usually)
- Not accessible from other devices
Use SharePoint/OneDrive with Known Folder Backup to automatically sync Desktop, Documents, and Pictures to the cloud.
โ Sensitivity Labels
Classify documents by sensitivity:
- Public
- Internal
- Confidential
- Highly Confidential
Labels can enforce encryption and prevent copying/printing of sensitive files.
โ Data Loss Prevention (DLP)
Prevent accidental data leaks:
- Block emails containing credit card numbers to external recipients
- Warn before sharing files with personal email addresses
- Audit who accessed what and when
Application Security
โ Approve Only Necessary Apps
Create an approved apps list and block installation of unapproved software:
- Prevents shadow-sm IT
- Reduces support burden
- Limits malware entry points
โ Browser Protection
Most work happens in the browser now:
- Use Microsoft Edge with SmartScreen enabled
- Install a password manager extension (not LastPass after their breaches)
- Block risky browser extensions
Physical Security
โ Privacy Screens
For staff who work in public spaces, privacy screens prevent shoulder surfing.
โ Webcam Covers
Paranoid? Maybe. But malware that activates webcams does exist.
โ Document Handling
Remind staff that paper documents at home need the same care as in the office:
- Shred sensitive documents
- Lock away confidential papers
- Don't leave client files visible during video calls
Training and Culture
โ Regular Security Awareness Training
One-off training doesn't stick. Regular reminders help:
- Monthly phishing simulations
- Quarterly security updates
- Immediate alerts when new threats emerge
โ Clear Reporting Channels
Make it easy and blame-free to report concerns:
- 'I think I clicked a bad link'
- 'My laptop was stolen'
- 'I received a suspicious call pretending to be IT'
The Bottom Line
Remote work security isn't about restricting your team - it's about enabling them to work from anywhere safely. The right tools, policies, and training mean your business can embrace flexibility without embracing risk.
Need help implementing this checklist? Our Managed IT Support includes all the technical controls, and our Cyber Security service covers training and policy development.