Cybersecurity

Keeping Remote Workers Secure After COVID-19

The rapid shift to remote working exposed security gaps in many UK businesses that have since become permanent vulnerabilities. This guide examines the lasting security lessons from the pandemic and the controls needed to secure hybrid and remote workforces in 2025 and beyond.

Matt Cannon

Managing Director

Mar 2026

From Emergency Response to Permanent Architecture

In March 2020, UK businesses scrambled to enable remote working under emergency conditions. VPN licences were expanded overnight, personal devices were hastily approved, and video conferencing tools were deployed without security review. Five years later, many of the workarounds adopted in those weeks have calcified into permanent infrastructure.

The security implications are significant. Remote working arrangements implemented as temporary emergency measures often lacked the controls that would have been applied in a planned migration: proper endpoint management, Conditional Access policies, MFA enforcement, data classification and governance controls. For businesses that never returned to full office working, these gaps remain open.

The Threat Landscape for Remote Workers

Remote workers face a different and in some ways more complex threat environment than office-based employees:

  • Home network risk: Home routers often run outdated firmware, use default credentials and are shared with family devices — including children's gaming consoles and IoT devices that may be compromised.
  • Phishing and social engineering: Remote workers are more isolated from colleagues and may be more susceptible to phishing emails, phone-based vishing attacks and business email compromise. The NCSC has consistently noted elevated phishing activity targeting remote workers.
  • Shadow IT: Without IT oversight in the immediate environment, remote workers are more likely to use personal cloud storage, personal email accounts or unapproved collaboration tools to work around inconvenient access controls.
  • Insider threat: Remote work reduces visibility of employee behaviour on systems. While the vast majority of employees are trustworthy, the monitoring controls that exist in an office environment are not present at home.

Lessons from the Pandemic Period

VPNs Are Not Sufficient Alone

The pandemic accelerated VPN deployments as the mechanism for remote access to corporate resources. VPNs protect the network tunnel between the device and the corporate network, but they do not validate the security state of the device itself. A compromised personal laptop connecting via VPN can introduce malware into your corporate network.

The Zero Trust model — which assumes no device or user should be trusted by default, regardless of network position — has become the recommended architecture for remote access. Conditional Access policies that verify device compliance, user identity and access context before granting access to applications represent a meaningful improvement over legacy VPN-only approaches.

MFA Should Have Been Mandatory From Day One

Many businesses enabled remote access to Microsoft 365 and other cloud applications during the pandemic without enforcing MFA. The result was a substantial increase in account compromises — password spray attacks, credential stuffing and phishing for Microsoft 365 credentials became the dominant attack vector against remote workers in 2020–2022, a pattern that continues today.

MFA is not optional for remote workers. According to Microsoft's data, MFA blocks over 99.9% of account compromise attacks. If your organisation still has remote workers accessing business systems without MFA, this is the single most urgent control to implement.

Endpoint Visibility Was Lost

When employees moved home with corporate or personal devices, many IT teams lost the endpoint visibility they had in the office — the ability to see what software was running, whether patches were applied and whether antivirus definitions were current. Deploying an EDR (Endpoint Detection and Response) agent across all devices accessing corporate systems restores this visibility and provides the threat detection capability that consumer antivirus cannot match.

The Controls That Matter for Permanent Remote Work

For businesses where remote or hybrid working is now the norm rather than the exception, the following controls should be in place:

  • MFA enforced on all cloud accounts without exception, including shared accounts and service accounts where technically feasible
  • Conditional Access policies requiring device compliance checks before accessing Microsoft 365 or other cloud applications
  • EDR deployed on all endpoints accessing corporate systems, including personal devices enrolled via MDM
  • Microsoft 365 secure configuration — Secure Score review, mailbox auditing enabled, external sharing controls reviewed, legacy authentication blocked
  • Regular security awareness training with phishing simulation — remote workers benefit from more frequent, shorter training sessions rather than annual compliance exercises
  • Clear acceptable use and BYOD policies — documented, signed by employees and actively enforced
  • Network segmentation at home — guidance for remote workers on setting up a separate network segment for work devices on home routers that support VLANs
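
One way to check the first three controls against sign-in data, and to spot the password spray pattern described in the MFA section, is to audit exported sign-in logs. The script below is an added example, not code from the author or AMVIA; the field names follow the Microsoft Graph signIn resource, while the records, the legacy client list and the spray threshold are constructed assumptions.

```python
from collections import defaultdict

# Assumption: clientAppUsed values treated as legacy (non-MFA-capable) protocols.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Exchange ActiveSync"}
BAD_PASSWORD = 50126   # Entra ID error code for invalid username or password

def rec(upn, ip, app, mfa, compliant, code):
    """Build one constructed record shaped like a Graph signIn object."""
    req = "multiFactorAuthentication" if mfa else "singleFactorAuthentication"
    return {"userPrincipalName": upn, "ipAddress": ip, "clientAppUsed": app,
            "authenticationRequirement": req,
            "deviceDetail": {"isCompliant": compliant}, "status": {"errorCode": code}}

SIGN_INS = [  # constructed sample data; addresses are from documentation ranges
    rec("alice@example.com", "198.51.100.7", "Browser", True, True, 0),
    rec("bob@example.com", "198.51.100.8", "Browser", False, True, 0),
    rec("carol@example.com", "198.51.100.9", "IMAP4", False, None, 0),
    rec("dave@example.com", "198.51.100.10", "Browser", True, False, 0),
    rec("alice@example.com", "203.0.113.50", "Browser", False, None, BAD_PASSWORD),
    rec("bob@example.com", "203.0.113.50", "Browser", False, None, BAD_PASSWORD),
    rec("erin@example.com", "203.0.113.50", "Browser", False, None, BAD_PASSWORD),
    rec("erin@example.com", "203.0.113.50", "Browser", False, None, BAD_PASSWORD),
    rec("frank@example.com", "192.0.2.20", "Browser", False, None, BAD_PASSWORD),
]

def control_gaps(sign_ins):
    """Map each missing control to the accounts that signed in successfully without it."""
    gaps = {"no_mfa": set(), "legacy_auth": set(), "noncompliant_device": set()}
    for s in sign_ins:
        if s["status"]["errorCode"] != 0:
            continue  # failed sign-ins are handled by spray_sources()
        upn = s["userPrincipalName"]
        if s["authenticationRequirement"] != "multiFactorAuthentication":
            gaps["no_mfa"].add(upn)  # MFA was not required for this sign-in
        if s["clientAppUsed"] in LEGACY_CLIENTS:
            gaps["legacy_auth"].add(upn)
        if s["deviceDetail"].get("isCompliant") is not True:
            gaps["noncompliant_device"].add(upn)  # unknown state counts as a gap
    return {control: sorted(users) for control, users in gaps.items()}

def spray_sources(sign_ins, threshold=3):  # assumption: 3 distinct accounts per IP
    """Return source IPs with bad-password failures across >= threshold accounts."""
    targets = defaultdict(set)
    for s in sign_ins:
        if s["status"]["errorCode"] == BAD_PASSWORD:
            targets[s["ipAddress"]].add(s["userPrincipalName"])
    return {ip: sorted(u) for ip, u in targets.items() if len(u) >= threshold}

if __name__ == "__main__":
    print(control_gaps(SIGN_INS), spray_sources(SIGN_INS))
```

Counting distinct accounts per source address, rather than raw failures, keeps one user repeatedly mistyping a password from being flagged as a spray.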

Reviewing Your Remote Working Security Posture

The right time to review your remote working security architecture is before an incident drives it. AMVIA works with UK businesses to assess their remote working security posture against the NCSC's guidance and identify the gaps most likely to be exploited. A structured review typically takes half a day and produces a prioritised remediation plan based on your actual risk exposure.
