Secure Remote Work: VPN, Endpoint Security, and Policies for Home Offices

TL;DR
  • Every access to corporate resources from outside the company network must go through an encrypted channel -- VPN is the standard, ZTNA the more modern alternative.
  • Endpoint security on remote devices requires at minimum EDR, full-disk encryption, automatic updates, and a host firewall. Without these baseline measures, no device should access corporate data.
  • A remote work policy defines the binding technical and organizational conditions under which employees may work outside the office.
  • Personal devices (BYOD) require separate rules: at minimum MDM enrollment, a container solution, and the ability to remote-wipe corporate data.
  • Clean desk, secure disposal, and screen lock apply in the home office just as in the regular office -- they must be explicitly anchored in the policy and included in training.

Remote work is no longer a special case

A few years ago, home office was the exception for most mid-market companies. A privilege for certain positions, a stopgap during illness or childcare, sometimes a concession to particularly sought-after professionals. The pandemic changed that radically. What began in 2020 as improvisation -- with personal laptops at the kitchen table -- has evolved into a permanent work model that employees expect and companies have accepted.

But while work models have changed, the security concepts in many organizations have not kept pace. The firewall protects the office network, the proxy filters web traffic, group policies apply to domain-joined machines. In the office, all of this works. But when an employee sits at home with their laptop, working over their personal Wi-Fi while their child uses the same network for gaming, many of these protections no longer apply.

ISO 27001 addresses remote work in Annex A.6.7 (Remote working) and requires security measures that account for the particular risks of working outside company premises. NIS2 goes further: its list of minimum measures explicitly includes security in the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure. That naturally covers endpoint devices operated outside the organization.

This article covers the technical and organizational measures you need to make remote work secure. Not theoretically, but in a way you can implement with a realistic budget and a small IT department.

VPN: The encrypted tunnel to the corporate network

A Virtual Private Network is still the standard when employees need to access internal resources from outside. The VPN client on the endpoint establishes an encrypted tunnel to the VPN gateway in the corporate network. All data traffic flowing through this tunnel is protected against eavesdropping and manipulation, even when the employee is on an insecure Wi-Fi network.

VPN protocols: What you should use

Not every VPN protocol offers the same protection. PPTP is outdated and insecure; L2TP/IPsec has known weaknesses in certain configurations. The recommended protocols for enterprise use are:

WireGuard is the most modern protocol: fast, lean, well audited, with a minimal codebase that keeps the attack surface small. Many current firewalls and VPN appliances now support WireGuard natively.

OpenVPN is the proven standard with a long track record in enterprise use. It is flexibly configurable, supports both TCP and UDP, and runs on virtually every operating system. Configuration is somewhat more complex than WireGuard, but enterprise features like certificate-based authentication and RADIUS server integration are more mature.

IKEv2/IPsec is the native VPN solution in Windows and macOS and offers good performance with a stable connection. IKEv2 has particular advantages on mobile devices because it handles network switches (e.g., from Wi-Fi to cellular) seamlessly.

MFA on VPN is mandatory

VPN access secured only with a username and password is a wide-open barn door. Compromised credentials are the most common attack vector, and a VPN without a second factor hands an attacker with stolen credentials direct access to the internal network.

Every VPN access must be secured with multi-factor authentication. Most VPN solutions support TOTP (authenticator apps), RADIUS integration, or SAML-based authentication through an identity provider. If your VPN gateway does not support this, it is time for an upgrade.

Split tunneling: Yes or no?

Split tunneling means only traffic to corporate resources is routed through the VPN tunnel, while private internet traffic (YouTube, streaming, personal email) goes directly to the internet. Full tunneling routes all traffic through the tunnel.

The decision is a trade-off between security and usability. Full tunneling provides more control because all traffic passes through the corporate firewall and proxy. But it puts significant load on the VPN infrastructure, slows down the internet for the employee, and can cause quality issues with video conferences.

Split tunneling reduces infrastructure load and improves user experience but has the disadvantage that the employee is simultaneously in the corporate network and on the open internet. A compromised device can exfiltrate data through the direct internet connection without the corporate firewall noticing.

The pragmatic middle ground for mid-market companies: allow split tunneling, but with clear rules. Only corporate devices with current EDR and full-disk encryption may use split tunneling. DNS filtering must be active on the endpoint to block known malware domains. Split tunneling configuration is managed centrally so the employee cannot define their own exceptions.

ZTNA: The modern alternative to classic VPN

Zero Trust Network Access is the counterpart to classic VPN in a Zero Trust architecture. While a VPN grants the user access to the entire network (or a segment) after authentication, ZTNA grants access to individual applications -- and only those the user actually needs.

The difference is fundamental: with a VPN, once you connect you are in the network and can reach anything the firewall rules allow. With ZTNA, you are never in the network. You access a specific application through a broker, and the broker verifies identity, device state, and context with every access.

For mid-market companies, ZTNA is an interesting option that does not fit every scenario. If you primarily use cloud applications (Microsoft 365, Google Workspace, SaaS tools), you do not need a VPN to access them anyway. Conditional access through the identity provider achieves the same as ZTNA. If you still have many on-premises applications (ERP system, file server, line-of-business applications), a VPN is more pragmatic because ZTNA must be configured for each application individually.

A hybrid approach often works best: secure cloud applications through conditional access, on-premises applications through VPN with MFA. Over time, publish individual on-premises applications through ZTNA solutions like Microsoft Entra Private Access or Cloudflare Access, and gradually phase out the VPN.

Endpoint security: The device is the new perimeter

When an employee works from home, their endpoint device is the last and most important line of defense. The office firewall no longer protects them. The proxy no longer filters their web traffic. Network segmentation no longer applies. Everything standing between the attacker and corporate data is the device itself and the software running on it.

EDR instead of traditional antivirus

Traditional signature-based antivirus is no longer sufficient for remote devices. What you need is an Endpoint Detection and Response (EDR) solution that detects not only known malware but also suspicious behavior indicating an attack. EDR monitors processes, network connections, and file operations on the endpoint and raises alerts when something unusual occurs.

Microsoft Defender for Business is included in Microsoft 365 Business Premium licenses and provides EDR functionality that is entirely sufficient for mid-market companies. Alternatives like CrowdStrike Falcon Go or SentinelOne Singularity offer comparable features as standalone solutions. What matters is that the EDR solution is centrally managed and IT can see alerts even when the device is not on the corporate network.

Full-disk encryption is non-negotiable

A laptop left on a train or stolen from a car is a data breach if the hard drive is not encrypted. With full-disk encryption enabled, it is an annoying loss of hardware but not a data protection issue because the data on the drive is unreadable without the key.

BitLocker (Windows) and FileVault (macOS) are included in the operating systems and can be centrally activated and managed through group policies or MDM. A detailed overview of the algorithms and key management can be found in the article on encryption in the enterprise. Recovery keys must be stored centrally -- either in Active Directory, in Entra ID, or in the MDM solution. When an employee forgets their password or the device won't boot, IT must be able to provide the recovery key.

Full-disk encryption must be active on every device that processes corporate data. No exceptions -- not even for the CEO who claims they take good care of their laptop.

Automatic updates and patch management

An unpatched device is an open door. Known vulnerabilities in operating systems and applications are actively exploited, often within days of a patch being released. Structured patch management is therefore essential for remote devices as well; the risk is even higher there, because a device that is not on the corporate network may bypass the internal patch management process entirely.

Ensure automatic updates are enabled on all remote devices. Windows Update for Business allows centralized management of update rings, even for devices outside the corporate network. For third-party software (browsers, PDF readers, office applications), you additionally need a patch management tool or MDM solution that can distribute software updates.

Define a maximum tolerance: critical security updates must be installed within 72 hours. Devices that have not received an update for more than two weeks receive a warning at the next VPN connection; after four weeks, access is blocked until the device is updated.

Host firewall and DNS filtering

The Windows Firewall or macOS firewall should be enabled and configured on remote devices. They provide basic protection against inbound connection attempts that may originate from other devices on the employee's home network.

I also recommend DNS filtering on the endpoint. Services like Cisco Umbrella, NextDNS, or Cloudflare Gateway route DNS queries through a filtered DNS server that blocks known malware domains, phishing sites, and command-and-control servers. This works independently of the VPN and protects even private internet traffic with split tunneling.

Wi-Fi security in the home office

The employee's home Wi-Fi is not a controlled corporate environment. The router was probably supplied by the internet provider; the default password has hopefully been changed (but not always); the firmware may be outdated; and smart TVs, game consoles, and the children's IoT devices share the same network.

You cannot manage your employees' home Wi-Fi. But you can define minimum requirements and anchor them in the remote work policy:

WPA3 or WPA2-PSK with a strong password. WEP and open networks are not acceptable. The Wi-Fi password must be at least 16 characters long and must not be the router's default password.

Keep router firmware current. Many consumer routers have automatic updates, but not all. Employees should be instructed to check for firmware updates regularly -- at least quarterly.

Secure the router management interface. Change the admin password, disable remote management, disable UPnP.

Use a guest network for IoT devices. Many modern routers offer a guest network isolated from the main network. Smart home devices, game consoles, and other IoT devices should be moved to this guest network so a compromised IoT device cannot access the work laptop.

These requirements cannot be enforced technically. What you can do is write them into the policy, address them in awareness training, and if needed provide a brief guide explaining how to change the router password and set up a guest network. Employees who are unsure should be able to contact IT without feeling embarrassed.

Printing and secure disposal in the home office

A topic often forgotten in many remote work concepts: what happens with printed documents in the home office?

In the office, there are ideally locked waste containers for confidential papers and a shredder for especially sensitive documents. In the home office, the printed document ends up on the desk after the meeting, gets used as drawing paper by a child, or goes into the recycling bin unshredded.

The policy must define clear rules: printing confidential documents in the home office is only permitted if a shredder with at least security level P-4 (cross-cut) is available. If the company does not cover the cost of a shredder, the alternative must be: confidential documents are not printed. Period.

Confidential documents that are no longer needed must be destroyed -- not thrown in the household waste. This also applies to sticky notes with meeting notes, handwritten sketches of system architectures, and similar remnants of the workday.

When employees return from the home office to the office, they should be asked to bring back all remaining printed documents and dispose of them properly in the office. This sounds like a minor detail, but an auditor will ask about exactly this.

Clean desk in the home office

Clean desk is not a concept limited to the office. ISO 27001 Annex A.7.7 (Clear desk and clear screen) applies everywhere corporate information is handled -- including the home office.

In practice, this means: when the employee leaves the workspace -- even just for a coffee break -- confidential documents must be covered or put away. The laptop must be locked (Windows key + L; on macOS, Ctrl + Command + Q). During longer absences, documents should be stored in a lockable cabinet or drawer.

This sounds obvious but is neglected more often in the home office than in the office. At home, everything feels safe -- after all, only the family and the cat are in the apartment. But the plumber repairing a burst pipe, an overnight guest, or the child showing a friend mommy's laptop -- these are all scenarios where confidential information can be unintentionally exposed.

Automatic screen lock must be enforced on all devices: after a maximum of 5 minutes of inactivity on laptops, after a maximum of 2 minutes on mobile devices. This can be configured centrally through group policies or MDM and is non-negotiable.

Personal devices (BYOD): Regulate or prohibit

Bring Your Own Device is a topic where opinions diverge. Some companies allow it generously, others prohibit it categorically. Both extremes have drawbacks.

A complete BYOD ban is often unenforceable. Employees will still check their work emails on their personal smartphones even if it is prohibited. And when you employ freelancers or external contractors, the use of personal devices cannot be avoided anyway.

Conversely, uncontrolled BYOD is a security nightmare. You have no control over the device's patch level, do not know if antivirus is installed, cannot remote-wipe corporate data in case of loss, and have no ability to forensically examine the device during a data protection incident.

The middle ground: Controlled BYOD

If you allow BYOD, then only under clearly defined conditions. The following requirements should be the minimum:

MDM enrollment. The personal device must be registered in the company's mobile device management solution. In Microsoft environments, that is Intune; alternatives include JAMF (for Apple devices) or Workspace ONE. MDM enrollment does not mean the company controls the entire device -- it means basic security requirements can be enforced and verified.

Container solution. Corporate data and personal data must be separated on the device. On smartphones, Intune containers (MAM) or Samsung Knox solve this. Corporate apps (Outlook, Teams, OneDrive) run in an encrypted container isolated from personal apps. Data cannot be transferred from the container to personal apps via copy-paste or screenshots.

Minimum security standards. The device must have a current operating system (at least the latest or second-latest major version). A lock screen with PIN, password, or biometrics must be enabled. The device must not be rooted or jailbroken.

Remote wipe of corporate data. In case of loss, the company must be able to wipe corporate data on the device without affecting personal data. This distinguishes the selective wipe from the full wipe, which resets the entire device -- something you must not do on a personal device without creating massive data protection issues.

Consent form. The employee must consent in writing that their personal device is registered in the MDM, that a selective wipe can be performed in case of loss, and that the company may verify basic security requirements. Without this consent, no BYOD.

When BYOD should be prohibited

There are scenarios where BYOD should not be allowed, regardless of technical protections. For workplaces that regularly handle especially sensitive data (personnel data, health data, financial data), the company should provide dedicated devices. The same applies to administrators and IT staff, whose devices give an attacker far more leverage if compromised.

The remote work policy: What belongs in it

All technical measures are of little use if they are not documented in a binding policy. In ISMS Lite, you can store the remote work policy with version control and link technical measures as controls with implementation status. The remote work policy is the central document governing the conditions under which employees may work outside the office, what technical prerequisites must be met, and what behavioral rules apply.

Scope and definitions

Define who the policy applies to: all employees who occasionally or regularly work from a location outside company premises. This includes home office, mobile work (e.g., on a train or at a customer site), and co-working spaces. Also define what counts as a corporate device versus a personal device.

Technical prerequisites

This section lists the minimum requirements for technical equipment: VPN client installed and configured, MFA activated, full-disk encryption active, EDR solution installed, automatic updates enabled, host firewall active, screen lock configured. For BYOD devices: MDM enrollment, container solution, minimum OS version.
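As an added example (not code from the article or from ISMS Lite), the following Python script turns this prerequisites list, the split tunneling rules from the VPN section, the patch tolerance windows (warning after two weeks, block after four), the screen lock limits (5 minutes for laptops, 2 for mobile devices) and the BYOD minimums into one device posture check; it goes slightly beyond the text by evaluating corporate and personal devices with the same function. The Device fields, the supported OS major versions, the reference date and the sample device are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PATCH_WARN_AFTER = timedelta(weeks=2)    # policy: warning at the next VPN connection
PATCH_BLOCK_AFTER = timedelta(weeks=4)   # policy: access blocked until updated
MAX_LOCK_SECONDS = {"laptop": 5 * 60, "mobile": 2 * 60}   # policy: screen lock limits
# Hypothetical: major versions the organisation treats as "latest or second-latest"
SUPPORTED_OS_MAJORS = {"windows": (11, 10), "macos": (15, 14), "ios": (18, 17), "android": (15, 14)}
NOW = datetime(2025, 1, 31, tzinfo=timezone.utc)   # constructed reference time for the examples

@dataclass
class Device:
    name: str
    kind: str               # "laptop" or "mobile"
    corporate: bool         # False = personal device (BYOD)
    os_name: str
    os_major: int
    edr_active: bool
    disk_encrypted: bool
    auto_updates: bool
    host_firewall: bool
    dns_filtering: bool
    lock_timeout_s: int     # 0 = no automatic screen lock
    last_update: datetime
    mdm_enrolled: bool = False
    container: bool = False
    rooted: bool = False

def days_ago(days: int, now: datetime = NOW) -> datetime:
    return now - timedelta(days=days)

def patch_status(device: Device, now: datetime = NOW) -> str:
    """'ok', 'warn' (more than two weeks without an update) or 'block' (more than four)."""
    age = now - device.last_update
    if age > PATCH_BLOCK_AFTER:
        return "block"
    return "warn" if age > PATCH_WARN_AFTER else "ok"

def baseline_failures(device: Device) -> list[str]:
    """Every unmet minimum requirement from the 'Technical prerequisites' list."""
    max_lock = MAX_LOCK_SECONDS[device.kind]
    failures = [] if 0 < device.lock_timeout_s <= max_lock else [
        f"screen lock must trigger within {max_lock // 60} min"]
    if device.corporate:
        checks = {"EDR not active": device.edr_active,
                  "full-disk encryption off": device.disk_encrypted,
                  "automatic updates disabled": device.auto_updates,
                  "host firewall off": device.host_firewall}
    else:  # BYOD: MDM enrolment, container, supported OS, not rooted/jailbroken
        checks = {"not enrolled in MDM": device.mdm_enrolled,
                  "no container for corporate data": device.container,
                  "OS older than second-latest major version":
                      device.os_major in SUPPORTED_OS_MAJORS.get(device.os_name, ()),
                  "device is rooted/jailbroken": not device.rooted}
    failures.extend(msg for msg, ok in checks.items() if not ok)
    return failures

def evaluate(device: Device, now: datetime = NOW) -> dict:
    """VPN decision ('allow' | 'warn' | 'deny'), split-tunnel eligibility and the reasons."""
    reasons = baseline_failures(device)
    status = patch_status(device, now)
    if status == "block":
        reasons.append("no update for more than four weeks")
    access = "deny" if reasons else ("warn" if status == "warn" else "allow")
    # Split tunnelling only for corporate devices with current EDR, FDE and DNS filtering
    split = (access != "deny" and device.corporate and device.edr_active
             and device.disk_encrypted and device.dns_filtering)
    return {"access": access, "split_tunnel": split, "reasons": reasons}

if __name__ == "__main__":
    laptop = Device("LT-042", "laptop", True, "windows", 11, True, True, True, True, True,
                    300, days_ago(20))   # constructed: compliant laptop, 20 days unpatched
    print(evaluate(laptop))   # → {'access': 'warn', 'split_tunnel': True, 'reasons': []}
```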

Behavioral rules

Here the organizational measures are regulated: clean desk obligation, locking the screen when leaving the workspace, no use of public Wi-Fi without VPN, no printing of confidential documents without a shredder, no use of personal cloud storage for corporate data, no sharing of VPN credentials.

Physical security

The workspace in the home office must be arranged so that unauthorized persons cannot view the screen or access documents. In shared apartments, this may mean the workspace must be in a lockable room. Devices must not be left unattended in publicly accessible areas.

Reporting obligations

If a device is lost, stolen, or a security incident is suspected, the employee must report it immediately. Define the reporting path (to whom, through which channel) and the expected response time. Clarify that no sanctions are imposed for an honestly and promptly reported loss, but that delayed reports are treated as a policy violation.

Approval process

Define whether remote work is generally permitted or requires individual approval. Who approves? What are the prerequisites? Is there a difference between occasional home office and permanent remote work? For particularly sensitive positions, an additional security review of the workspace may be required.

Video conferences and screen sharing

An aspect of remote work frequently overlooked in security concepts: video conferences. When an employee shares their screen, all participants see what is on it. This can inadvertently include email notifications with confidential content, open tabs with sensitive applications, or desktop notifications from messaging apps.

The policy should cover the following: close all unnecessary applications and tabs before screen sharing. Suppress notifications with the operating system's do-not-disturb mode (Windows: Do Not Disturb; macOS: Focus). Share only individual windows or applications rather than the entire screen whenever possible. In confidential meetings, disable recording or enable it only with every participant's consent.

For video conferences in shared spaces (e.g., in a co-working space): use headphones so the meeting audio cannot be overheard. For especially confidential conversations, move to a private room.

Special case: Working in public spaces

Cafes, airport lounges, trains, hotels. Mobile work in public spaces is part of everyday life for many. From a security perspective, this is the riskiest form of remote work because both visual and network-side protection are minimal.

Use a privacy screen. A privacy screen filter on the laptop ensures the screen content is readable only from a narrow viewing angle. For employees who regularly work on the go, the company should provide privacy screens.

No open Wi-Fi without VPN. On open Wi-Fi networks, traffic is not encrypted at the link layer and is potentially visible to other users on the same network. VPN is mandatory in public networks, without exception. If the VPN connection cannot be established, work must not proceed.

Hotspot instead of public Wi-Fi. Where possible, employees should use their smartphone's cellular hotspot instead of connecting to public Wi-Fi. The cellular connection is not 100 percent secure but is significantly harder to intercept than open Wi-Fi.

Never leave devices unattended. Not even briefly, not even when the person at the next table looks friendly. A laptop can be stolen in seconds. When you stand up, take the device with you. Always.

Technical implementation: A realistic checklist

Let us summarize the technical measures in a checklist you can use as a foundation for your implementation:

Measure                                    Priority  Implementable with built-in tools?
-----------------------------------------  --------  ----------------------------------------
VPN with MFA for all remote access         High      Yes (WireGuard/OpenVPN + TOTP)
Full-disk encryption on all devices        High      Yes (BitLocker/FileVault)
EDR on all endpoints                       High      Yes (Defender for Business)
Automatic updates enforced                 High      Yes (Windows Update for Business/MDM)
Screen lock after 5 min. inactivity        High      Yes (GPO/MDM)
Conditional access on cloud services       Medium    Yes (Entra ID/Google Workspace)
DNS filtering on endpoints                 Medium    Yes (NextDNS/Cloudflare Gateway Free)
MDM enrollment for BYOD                    Medium    Yes (Intune/JAMF)
Container solution for BYOD smartphones    Medium    Yes (Intune MAM)
Privacy screens for mobile employees       Low       Yes (hardware procurement)

Remote work in the audit

When an auditor reviews the implementation of Annex A.6.7 (Remote working), they will typically want to see the following evidence:

  • The remote work policy as an approved, communicated document that employees demonstrably know.
  • Technical evidence that VPN with MFA is configured, full-disk encryption is active on all devices, and EDR is centrally managed.
  • Training records showing employees know the rules for secure home office work.
  • Logs demonstrating that security incidents related to remote work have been reported and handled.

Auditors pay particular attention to the gap between policy and practice. A perfect policy that is not enforced in practice is worse in an audit than no policy at all -- because it shows the organization knows the risks but knowingly does nothing about them.

Making remote work secure is achievable

Securing remote work is not rocket science. The technical building blocks -- VPN with MFA, full-disk encryption, EDR, automatic updates -- are proven and implementable with the built-in capabilities of modern operating systems and cloud services. What makes the difference is combining these technical measures with a clear policy that tells employees in understandable terms what is allowed and what is not, and with regular training that keeps awareness of the particular risks of remote work alive.

Start with the basics: VPN requirement, MFA, full-disk encryption, EDR. These are four measures you can roll out in a few weeks that address the bulk of the risks. Write the policy in parallel and train employees before the technical measures take effect. Build the rest -- ZTNA, DNS filtering, BYOD containers -- step by step.

Remote work is here to stay. Your security concept must reflect that.
