Sequentur Blog

Working from home security risks and how to address them

The shift to remote work permanently changed where company data lives. It used to sit behind a firewall, on a company network, accessed from company devices in a company building. Now it sits on a laptop in a spare bedroom, connecting over a home Wi-Fi router that nobody has updated since it was installed, possibly alongside a teenager’s gaming PC and a smart fridge that has a known vulnerability in its cloud connector.

Most of the security controls that protected businesses in the office era assumed the office as a boundary. Remove the office, and a lot of those controls quietly stop working. The good news is that none of these risks are unsolvable. The bad news is that most small businesses have not addressed them yet, usually because nobody sat down and listed them out.

This guide lists them out, and explains what to do about each one.

The home network problem

The employee’s home network is not built for business security. It was set up by the internet service provider’s installer, or by the employee during a move-in weekend, with default settings that rarely get touched again. The router firmware is probably out of date. The admin password may still be the factory default. The Wi-Fi password is almost certainly shared with houseguests, kids’ friends, and the dog walker.

What can go wrong

  • Unpatched router firmware. Routers are one of the most commonly exploited devices on the internet. A known vulnerability in a home router lets an attacker intercept traffic, redirect DNS queries to phishing sites, or pivot into connected devices. The employee has no idea this is happening, because the router keeps working the way it always has.
  • Shared network with personal devices. The work laptop sits on the same network as a smart TV, a gaming console, a personal phone, a smart speaker, a kid’s tablet, and whatever IoT device nobody remembers installing. Any of those can be compromised and used as a pivot point to attack the work laptop.
  • Unsecured or weak Wi-Fi. Older routers may still be running WPA or even WEP. Guest networks are often unencrypted. A neighbor or drive-by attacker within range can see traffic or join the network.
  • Public network use. Remote workers are not always at home. Coffee shops, airports, and hotels are standard remote work environments, and the public Wi-Fi in those places cannot be trusted.

How to address it

The employee’s home router is not something IT can manage directly. You cannot remotely reboot their gateway or push firmware updates. What you can do is remove the assumption that the network provides any security at all, and design around that.

  • Require encrypted traffic for everything. All business applications should use HTTPS. Internal resources should be accessed over a VPN or zero trust access that encrypts traffic regardless of the underlying network. If the network is hostile, the encryption protects you. Our VPN vs zero trust comparison walks through which approach fits which kind of business.
  • Use conditional access policies. Microsoft 365 conditional access can require compliant devices, block risky sign-ins, and force MFA. This shifts trust from the network to the identity and the device.
  • Educate employees on the basics. A short onboarding document that covers updating the router, changing the default admin password, and keeping work traffic separate from guest devices goes a long way. Most employees will do the right thing if they know what the right thing is.
  • Consider a business-class router program. For senior employees, remote IT staff, or anyone handling unusually sensitive data, providing a managed router or firewall for their home office puts the edge of the network under your control. This is common at larger companies and increasingly practical for SMBs, and often pairs with a broader connectivity program that covers stipends and backup options.

Personal device use (BYOD)

If you do not provide a laptop, the employee will use their personal one. If you do not provide a phone, they will read email on their personal phone. Once company data lands on a device you do not manage, your ability to protect it drops sharply.

What can go wrong

  • No disk encryption. A lost personal laptop with company files on it is a data breach waiting to happen.
  • Shared device access. Family members using the same laptop, kids who know the PIN, a partner who “just needed to check something” – all of these mean company data is accessible to people it should not be accessible to.
  • Outdated operating system. Personal devices are patched on the employee’s schedule, which is to say, rarely. An unpatched Windows or Mac vulnerability is the kind of thing ransomware operators exploit.
  • Unknown software. The personal device may have pirated software, browser extensions, or old utilities with known vulnerabilities. You have no way to audit it.
  • No management or remote wipe. When the employee leaves, the company data on their personal device stays there unless you have a way to remove it.

How to address it

The cleanest solution is to not allow BYOD for work that involves sensitive data. Issue company laptops, and require them for anything involving customer data, financial records, or intellectual property.

When BYOD is unavoidable, use Mobile Application Management (MAM) instead of trying to manage the whole device. Microsoft Intune can apply app protection policies that require a PIN for Outlook and Teams, prevent copying company data into personal apps, and wipe only company data when the employee leaves. The personal side of the device is untouched, which is both a privacy win for the employee and a management win for you.

Write the BYOD policy down. It should cover what devices are allowed, what apps are required, what can and cannot be stored locally, what happens on termination, and what level of visibility IT has into the device. A clear policy prevents arguments later, and typically sits inside a broader remote work IT policy.

Phishing and credential theft

Remote workers are a higher-value phishing target than on-site workers, and they are more likely to fall for attacks. The reasons are structural: no coworker to lean over and ask about a suspicious email, more reliance on text-based communication (which is where phishing lives), and a working environment full of interruptions from home life that erode attention.

What can go wrong

  • Business email compromise (BEC). An attacker steals credentials, sits in the mailbox for a week to understand how the business operates, then sends a convincing fake invoice or wire transfer request at the right moment.
  • MFA fatigue attacks. The attacker has the password and hammers the MFA prompt until the employee, annoyed or assuming the notification is legitimate, approves it.
  • Adversary-in-the-middle (AiTM) phishing. A fake login page proxies through to the real Microsoft login, capturing the session token after the employee completes MFA. This bypasses standard MFA entirely.
  • Lookalike domains. An email from “company-support.com” instead of “company.com” asks for a password reset. Rushed remote workers click it.
  • Vishing and smishing. Phone calls and text messages claiming to be from IT, asking the employee to confirm credentials or install remote support software.

How to address it

Phishing prevention is a layered problem. No single control stops every attack.

  • Strong MFA, not just SMS. The Microsoft Authenticator app, hardware security keys (FIDO2), or number-matching MFA resists fatigue attacks in ways that SMS does not.
  • Conditional access with device compliance. Even if an attacker steals a session token, conditional access can block the sign-in because it is coming from an unmanaged device. This neutralizes AiTM attacks.
  • Email filtering beyond the basics. Microsoft Defender for Office 365, or a third-party secure email gateway, catches far more than built-in spam filtering. Look specifically for safe links (which rewrite URLs and scan them at click time), safe attachments (which detonate attachments in a sandbox), and impersonation protection.
  • Security awareness training with phishing simulations. Regular, realistic simulated phishing tests (not the embarrassingly obvious kind) followed by short training for employees who click. This is the single highest-impact training investment for remote teams.
  • Make reporting easy. A “Report phishing” button in Outlook that sends suspicious messages to IT (or a managed security provider) without forcing the employee to fill out a form. If reporting is easier than deleting, more things get reported.
  • Know that MFA alone is not enough. Modern phishing kits bypass basic MFA. Plan for what happens when MFA is bypassed, not just when it catches an attack.
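The MFA fatigue pattern described above is easy to spot in sign-in logs once you look for it: a burst of declined or timed-out push prompts for one user, sometimes followed by an approval. The following detection is an added example, not code from the original article. The record layout, the outcome labels `mfa_denied`, `mfa_timeout` and `mfa_approved`, and the sample sign-ins are constructed assumptions, loosely modelled on an Entra ID sign-in log export rather than its real schema.

```python
"""Detect MFA-fatigue (push bombing) patterns in sign-in records.

Added example, not code from the original article. Record layout, outcome
labels and sample data are assumptions loosely modelled on Entra ID sign-in
log exports, not the real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records: (user, UTC timestamp, MFA outcome, source IP).
SIGN_INS = [
    # alice: six push prompts declined or timed out in seven minutes, then approved
    ("alice@example.com", "2024-03-04T08:02:10", "mfa_denied",   "203.0.113.5"),
    ("alice@example.com", "2024-03-04T08:03:05", "mfa_denied",   "203.0.113.5"),
    ("alice@example.com", "2024-03-04T08:04:30", "mfa_timeout",  "203.0.113.5"),
    ("alice@example.com", "2024-03-04T08:05:12", "mfa_denied",   "203.0.113.5"),
    ("alice@example.com", "2024-03-04T08:06:48", "mfa_denied",   "203.0.113.5"),
    ("alice@example.com", "2024-03-04T08:08:20", "mfa_denied",   "203.0.113.5"),
    ("alice@example.com", "2024-03-04T08:09:40", "mfa_approved", "203.0.113.5"),
    # bob: one mis-tap, then a normal approval from his own address
    ("bob@example.com",   "2024-03-04T09:15:00", "mfa_denied",   "198.51.100.20"),
    ("bob@example.com",   "2024-03-04T09:15:40", "mfa_approved", "198.51.100.20"),
    # carol: five denials spread across three hours, not a burst
    ("carol@example.com", "2024-03-04T10:00:00", "mfa_denied",   "192.0.2.77"),
    ("carol@example.com", "2024-03-04T10:45:00", "mfa_denied",   "192.0.2.77"),
    ("carol@example.com", "2024-03-04T11:30:00", "mfa_denied",   "192.0.2.77"),
    ("carol@example.com", "2024-03-04T12:10:00", "mfa_denied",   "192.0.2.77"),
    ("carol@example.com", "2024-03-04T13:00:00", "mfa_denied",   "192.0.2.77"),
]

REJECTED = {"mfa_denied", "mfa_timeout"}  # outcomes that count as a prompt the user did not approve


def group_by_user(records):
    """Parse timestamps and return {user: [(time, outcome, ip), ...]} sorted by time."""
    by_user = defaultdict(list)
    for user, stamp, outcome, ip in records:
        by_user[user].append((datetime.fromisoformat(stamp), outcome, ip))
    for events in by_user.values():
        events.sort(key=lambda e: e[0])
    return by_user


def detect_mfa_fatigue(records, window=timedelta(minutes=10), threshold=5):
    """Return one finding per user who received at least `threshold` rejected
    MFA prompts inside any span of length `window`. The finding also records
    whether an approval followed the barrage, which is the case to treat as a
    likely compromise rather than a confused user."""
    findings = []
    for user, events in group_by_user(records).items():
        for start, _, _ in events:
            span = [e for e in events if start <= e[0] <= start + window]
            rejected = [e for e in span if e[1] in REJECTED]
            if len(rejected) < threshold:
                continue
            first_rejected = rejected[0][0]
            approved = [e for e in span
                        if e[1] == "mfa_approved" and e[0] > first_rejected]
            findings.append({
                "user": user,
                "window_start": first_rejected.isoformat(),
                "rejected_prompts": len(rejected),
                "source_ips": sorted({e[2] for e in rejected}),
                "approved_after_barrage": bool(approved),
            })
            break  # one finding per user is enough to raise a ticket
    return findings


if __name__ == "__main__":
    for f in detect_mfa_fatigue(SIGN_INS):
        severity = "HIGH" if f["approved_after_barrage"] else "MEDIUM"
        print(f"[{severity}] {f['user']}: {f['rejected_prompts']} rejected prompts "
              f"from {f['source_ips']} starting {f['window_start']}")
```

The window and threshold are starting points to tune against your own fleet; the important design choice is the `approved_after_barrage` flag, because a user who eventually approved after a barrage is the case where the response is to revoke sessions and reset the password, not just to send a reminder about declining unexpected prompts.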

Unsecured file sharing and shadow IT

When employees do not have easy, sanctioned ways to share files with each other, clients, and vendors, they find their own ways. When they find their own ways, IT loses visibility into where company data is going.

What can go wrong

  • Personal Dropbox, Google Drive, or iCloud sync clients installed on work devices. Company files get mirrored to a personal cloud account the business has no control over.
  • Public sharing links with no expiration. An employee shares a file with a client via “anyone with the link can view,” the link gets forwarded, indexed by search engines, or persists for years after it is needed.
  • Unapproved SaaS tools. The marketing team signs up for an AI writing tool with a free trial, pastes proprietary content into it, and now that content is in someone else’s training data or cache.
  • Consumer messaging apps for work. WhatsApp, personal Slack workspaces, Discord – business conversations and files flowing through channels IT cannot audit or retain for compliance.
  • Sending files via personal email. An employee forwards a contract to their personal Gmail to work on it from their phone. That contract now sits on Google’s servers under an account the business does not control.

How to address it

The solution is not to clamp down harder on employees. It is to make sanctioned sharing easier than shadow sharing.

  • Standardize on OneDrive and SharePoint for file sharing. Configure default sharing policies that expire links automatically, block external sharing for sensitive libraries, and require sign-in for external access.
  • Block installation of unauthorized sync clients on company devices. Intune app control policies can prevent personal Dropbox and Google Drive clients from installing on managed Windows devices.
  • Provide an approved tool for every common need. If employees need to send large files, give them a tool. If they need to collaborate with external partners, configure guest access in Microsoft 365. If they need a chat tool, standardize on Teams and give it to everyone.
  • Maintain a list of approved SaaS tools. Not to be restrictive, but to be clear. Employees should know what is approved, and should have a low-friction process for requesting approval of something new.
  • Audit periodically. Microsoft 365 has reports that show external sharing, OAuth app consents, and anomalous file access. Review them monthly. Finding shadow IT early is much easier than finding it during an incident.
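The monthly review described above can be scripted rather than clicked through. The following is an added example, not code from the original article: it reads a JSON-lines export of audit records and raises findings for the three event types that matter most here, anonymous links, shares to external guests, and user-granted OAuth consents. The record shape is a simplification loosely modelled on Microsoft 365 unified audit log exports; the field names, the sample records and the `SENSITIVE_SITES` list are constructed for this demonstration.

```python
"""Review sharing and app-consent events for signs of shadow sharing.

Added example, not code from the original article. The record shape is a
simplification loosely modelled on Microsoft 365 unified audit log exports;
field names and the sample data below are constructed for this demonstration.
"""
import json

# Constructed sample audit records, one JSON object per line.
AUDIT_JSONL = """\
{"CreationTime": "2024-03-04T09:12:00", "Workload": "SharePoint", "Operation": "AnonymousLinkCreated", "UserId": "dan@example.com", "ObjectId": "https://example.sharepoint.com/sites/Finance/Shared Documents/Q1-forecast.xlsx"}
{"CreationTime": "2024-03-04T09:30:00", "Workload": "SharePoint", "Operation": "SharingSet", "UserId": "erin@example.com", "ObjectId": "https://example.sharepoint.com/sites/Marketing/Shared Documents/brand-kit.zip", "TargetUserOrGroupName": "partner@vendor.example", "TargetUserOrGroupType": "Guest"}
{"CreationTime": "2024-03-04T10:05:00", "Workload": "AzureActiveDirectory", "Operation": "Consent to application.", "UserId": "frank@example.com", "ObjectId": "AI Writing Helper (free trial)"}
{"CreationTime": "2024-03-04T10:40:00", "Workload": "SharePoint", "Operation": "FileAccessed", "UserId": "erin@example.com", "ObjectId": "https://example.sharepoint.com/sites/Marketing/Shared Documents/brand-kit.zip"}
{"CreationTime": "2024-03-04T11:00:00", "Workload": "SharePoint", "Operation": "SharingSet", "UserId": "dan@example.com", "ObjectId": "https://example.sharepoint.com/sites/Finance/Shared Documents/payroll.csv", "TargetUserOrGroupName": "gina@example.com", "TargetUserOrGroupType": "Member"}
"""

# Constructed list of site paths whose libraries must never be shared outside the tenant.
SENSITIVE_SITES = ("/sites/Finance/", "/sites/HR/")


def load_records(text):
    """Parse a JSON-lines audit export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_sensitive(object_id, sensitive_sites=SENSITIVE_SITES):
    """True when the shared object lives under one of the protected site paths."""
    return any(site in object_id for site in sensitive_sites)


def audit_sharing(records, sensitive_sites=SENSITIVE_SITES):
    """Return findings for anonymous links, external guest shares and OAuth
    consents, ordered HIGH -> MEDIUM -> LOW. Internal shares and plain file
    access produce no finding."""
    findings = []
    for rec in records:
        op = rec.get("Operation", "")
        obj = rec.get("ObjectId", "")
        who = rec.get("UserId", "?")
        sensitive = is_sensitive(obj, sensitive_sites)
        if op == "AnonymousLinkCreated":
            # 'Anyone with the link' access: high if it touches a protected library
            findings.append({"severity": "HIGH" if sensitive else "MEDIUM",
                             "issue": "anonymous link created", "user": who, "object": obj})
        elif op == "SharingSet" and rec.get("TargetUserOrGroupType") == "Guest":
            # Guest sharing is tolerable outside protected libraries, so LOW there
            guest = rec.get("TargetUserOrGroupName", "?")
            findings.append({"severity": "HIGH" if sensitive else "LOW",
                             "issue": "shared with external guest " + guest,
                             "user": who, "object": obj})
        elif op == "Consent to application.":
            # User-granted OAuth consent is how unapproved SaaS gets tenant access
            findings.append({"severity": "MEDIUM", "issue": "OAuth consent granted",
                             "user": who, "object": obj})
    order = ("HIGH", "MEDIUM", "LOW")
    return sorted(findings, key=lambda f: order.index(f["severity"]))


if __name__ == "__main__":
    for f in audit_sharing(load_records(AUDIT_JSONL)):
        print(f"[{f['severity']}] {f['user']}: {f['issue']} -> {f['object']}")
```

Run against a real export, the useful part is the severity split: an anonymous link on a marketing brochure is a conversation, an anonymous link on a finance library is a ticket, and an OAuth consent to an unfamiliar app is the earliest signal you will get that a free-trial SaaS tool has been connected to the tenant.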

Physical security in a home or public setting

The office had locked doors, badge access, CCTV, and a receptionist. The home office has none of that. Public spaces have even less. Physical security is the category that most remote work policies skip entirely, and it is the category where the gap is most obvious.

What can go wrong

  • Unattended screen in public. Someone walks past the employee’s open laptop in a coffee shop, sees a client email with sensitive data, takes a photo. This is not a theoretical scenario.
  • Shoulder surfing. Passwords, multi-factor codes, and sensitive content visible to anyone sitting behind or beside the employee.
  • Stolen device. A laptop or phone stolen from a car, a cafe table, or a hotel room. Without disk encryption, everything on it is accessible.
  • Sensitive conversations in public. Client calls taken at a busy coffee shop where other patrons can hear.
  • Home visitors. Contractors, cleaners, houseguests, or family members of other residents who have physical access to the employee’s workspace.
  • Paper documents. Printed contracts, customer lists, or notes left on a home desk that gets photographed during a real estate viewing or accessed during a home repair.

How to address it

  • Require disk encryption on all devices. BitLocker on Windows, FileVault on Mac. Verify it is actually enabled through your MDM, not just assumed.
  • Enforce short screen lock timeouts. 5 to 10 minutes is appropriate. The employee can adjust their own habits around it, but the device should lock automatically.
  • Provide privacy screens for employees who regularly work in public. They are inexpensive and effective against shoulder surfing.
  • Train on public space behavior. Rules like “don’t take sensitive calls in public,” “don’t leave your laptop at the table to go order,” “assume someone is watching your screen” sound obvious but need to be said.
  • Secure physical documents. If remote workers handle paper, require a shredder and lockable storage. For most knowledge workers, the real answer is to stop printing anything that contains sensitive information.
  • Require reporting of lost or stolen devices immediately. Not at end of day, not tomorrow, but immediately. Combined with Intune remote wipe and M365 session revocation, fast reporting limits the damage.

Shadow IT and personal cloud services

This overlaps with file sharing but is broader. Shadow IT is everything the employee uses for work that IT did not approve or provision.

What can go wrong

  • Data in places you cannot audit or retain. Compliance frameworks (HIPAA, SOC 2, GDPR) require knowing where data is. Shadow IT defeats that by definition.
  • No offboarding for shadow accounts. When the employee leaves, the personal tools they used for work do not get wiped. The data persists under their control.
  • Security gaps. The free version of a SaaS tool the employee chose may not support MFA, audit logging, or encryption at rest. The business has no visibility into any of it.
  • License and legal issues. Personal accounts on business SaaS tools may violate the terms of service. Free tools may use data for training or marketing in ways the business does not understand.

How to address it

  • Make the approved tools actually good. Most shadow IT exists because the approved tools are missing something. If the approved project management tool is clunky, employees will switch to Notion or Trello on their own. Fixing the approved tool is better than fighting the shadow one.
  • Publish an approved SaaS list. Clear, short, kept current. Include what each tool is approved for. Make it easy for employees to request additions.
  • Monitor through the identity layer. Microsoft Defender for Cloud Apps and similar tools can detect SaaS usage across the business and flag unauthorized services.
  • Include shadow IT audits during offboarding. When an employee leaves, review their activity for signs of data going to unapproved destinations.

Endpoint security on remote devices

On-site devices benefited from being behind a corporate firewall, on a monitored network, next to other devices IT could see. Remote devices have none of that. Each one is on its own, and each one needs to bring its own defenses.

What can go wrong

  • Malware that was caught at the network perimeter in the office is no longer caught. The home network does not have the same controls.
  • Late patching. Remote devices that are offline for days miss patch windows. Some stay unpatched for weeks.
  • Disabled security tools. An employee frustrated with a slow antivirus scan turns it off. Nobody sees that happen.
  • No detection of lateral movement or unusual activity. A compromised remote device can be used to escalate to M365 or other cloud services without anyone noticing.

How to address it

  • EDR on every device. Endpoint detection and response replaces traditional antivirus with behavioral monitoring, alerting, and response capabilities. Defender for Business (included with M365 Business Premium) is a reasonable baseline. Third-party EDR from Huntress, SentinelOne, or CrowdStrike adds depth.
  • Managed patching. Intune, WSUS, or a third-party RMM tool pushes patches and reports on compliance. Devices that fall behind get flagged automatically.
  • Monitoring and response capacity. Tools generate alerts. Someone has to watch the alerts and act on them. This is where managed detection and response (MDR) fits – a 24/7 team watching for threats across the remote fleet so alerts do not pile up in an unmonitored inbox.

The role of identity as the new perimeter

A theme runs through all of the above: when the network stops being a security boundary, identity takes its place. The controls that matter most for remote work are the ones built around who the user is and what device they are on, not where they are connecting from.

The practical implication is that the highest-leverage security investments for a remote workforce are identity-focused:

  • Strong MFA on every account (hardware keys or Authenticator app, not SMS)
  • Conditional access policies that consider device compliance, user risk, and session signals
  • Single sign-on through Microsoft 365 or a dedicated identity provider, reducing the number of separate passwords in play
  • Privileged access management so admin accounts are separate from daily-use accounts
  • Regular identity audits to catch dormant accounts, unused admin assignments, and permission creep
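The identity audit in the last bullet is the one control on this list that is cheap to automate. The following is an added example, not code from the original article: it walks a directory export and flags dormant accounts, admin roles sitting on accounts nobody signs into, admin roles on daily-use accounts, and accounts with no MFA method registered. The account fields, the sample accounts, the 90-day dormancy threshold and the heuristic that an account holding a mailbox is a daily-use account are all assumptions for this demonstration, not a Microsoft schema.

```python
"""Flag identity hygiene problems in a directory export.

Added example, not code from the original article. The account fields, the
dormancy threshold and the 'daily-use account' heuristic (an admin role on an
account that also holds a mailbox) are assumptions for this demonstration.
"""
from datetime import date

AS_OF = date(2024, 3, 4)   # constructed audit date
DORMANT_DAYS = 90          # assumed threshold for calling an account dormant

# Constructed directory export; field names are assumptions, not a real schema.
ACCOUNTS = [
    {"upn": "alice@example.com",      "enabled": True,  "last_sign_in": "2024-03-01",
     "roles": [],                       "mailbox": True,  "mfa_registered": True},
    {"upn": "bob@example.com",        "enabled": True,  "last_sign_in": "2023-10-12",
     "roles": [],                       "mailbox": True,  "mfa_registered": True},   # dormant
    {"upn": "carol@example.com",      "enabled": True,  "last_sign_in": "2024-03-03",
     "roles": ["Global Administrator"], "mailbox": True,  "mfa_registered": True},   # admin on daily account
    {"upn": "adm-carol@example.com",  "enabled": True,  "last_sign_in": "2023-11-20",
     "roles": ["Exchange Administrator"], "mailbox": False, "mfa_registered": True}, # admin role nobody uses
    {"upn": "dave@example.com",       "enabled": True,  "last_sign_in": "2024-02-28",
     "roles": [],                       "mailbox": True,  "mfa_registered": False},  # no MFA
    {"upn": "svc-backup@example.com", "enabled": False, "last_sign_in": "2023-01-15",
     "roles": [],                       "mailbox": False, "mfa_registered": False},  # disabled, ignored
]


def days_idle(account, as_of=AS_OF):
    """Days since the last sign-in; None when the account has never signed in."""
    if account["last_sign_in"] is None:
        return None
    return (as_of - date.fromisoformat(account["last_sign_in"])).days


def audit_identities(accounts, as_of=AS_OF, dormant_days=DORMANT_DAYS):
    """Return one finding dict per problem found on each enabled account."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are already contained
        idle = days_idle(acct, as_of)
        dormant = idle is None or idle > dormant_days
        if dormant:
            findings.append({"upn": acct["upn"], "issue": "dormant account", "days_idle": idle})
            if acct["roles"]:
                # A privileged role on an account nobody signs into is pure attack surface
                findings.append({"upn": acct["upn"], "issue": "unused admin assignment",
                                 "roles": acct["roles"]})
        if acct["roles"] and acct["mailbox"]:
            # Admin rights on the account that reads mail all day: phishing lands here
            findings.append({"upn": acct["upn"], "issue": "admin role on daily-use account",
                             "roles": acct["roles"]})
        if not acct["mfa_registered"]:
            findings.append({"upn": acct["upn"], "issue": "no MFA method registered"})
    return findings


if __name__ == "__main__":
    for f in audit_identities(ACCOUNTS):
        extra = {k: v for k, v in f.items() if k not in ("upn", "issue")}
        print(f"{f['upn']}: {f['issue']} {extra if extra else ''}")
```

Each finding maps to a concrete action: disable or delete the dormant account, strip the unused role, give the admin a separate admin-only identity, and block the account without MFA from signing in until a method is registered. Running this on a schedule is what turns "regular identity audits" from a good intention into a control.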

These controls matter more than they did in the office era, because they are doing more of the work. The perimeter is not going to catch an attacker for you anymore.

How Sequentur addresses these risks for clients

The recurring theme across every risk on this list is that remote work does not remove the need for security controls – it moves them from the network to the identity, the device, and the user. For clients with distributed teams, we configure and monitor the full stack: conditional access policies tied to device compliance, EDR on every endpoint, M365 hardening, MFA enforcement with phishing-resistant methods, approved SaaS tooling, and ongoing monitoring through an MDR service that catches the things the tools alone do not.

The businesses that get remote security right are the ones that treat it as an operational program, not a one-time setup. Policies get refined as threats evolve. Tools get tuned as the team grows. New hires come in through a secure onboarding process, and departures go through a clean offboarding that removes the access every time.

If you are looking at your own remote workforce and seeing gaps in this list, our managed IT support for remote and hybrid teams covers this stack end-to-end. Schedule a call and we will talk through your environment.
