Keeping Remote Workers Secure After COVID-19
The rapid shift to remote working exposed security gaps in many UK businesses that have since become permanent vulnerabilities. This guide examines the lasting security lessons from the pandemic and the controls needed to secure hybrid and remote workforces in 2025 and beyond.
AMVIA Team
Editorial
Why Did Pandemic Remote Working Leave Security Gaps?
In March 2020, UK businesses enabled remote access under emergency conditions. VPN licences were expanded overnight, personal devices were waved through, and collaboration tools were deployed without review. The controls a planned migration would have included — endpoint management, Conditional Access, MFA enforcement, data governance — were skipped to keep people working.
Five years on, many of those workarounds have become permanent infrastructure. For businesses that never returned to full office working, the gaps opened in those weeks remain open today. The threat actors know it, and remote access is now a primary target.
What Threats Do Remote Workers Actually Face?
Remote workers operate in a more exposed environment than office staff: untrusted home networks, less oversight, and direct cloud access from devices IT cannot see. The four risks below account for most real-world breaches against distributed teams.
- Home network risk: Home routers often run outdated firmware, use default credentials, and share a network with family devices, gaming consoles, and IoT kit that may already be compromised.
- Phishing and social engineering: Isolated workers are more susceptible to phishing email, phone-based vishing, and business email compromise. The NCSC has repeatedly flagged elevated phishing aimed at home workers.
- Shadow IT: Without IT nearby, staff reach for personal cloud storage, personal email, and unapproved tools to route around inconvenient access controls.
- Lost endpoint visibility: When devices left the office, IT lost sight of patch status, running software, and antivirus state — the basics of knowing whether a machine is safe.
Is a VPN Enough to Secure Remote Access?
No. A VPN encrypts the tunnel between the device and your network, but it does not check whether the device itself is secure. A compromised personal laptop connecting over VPN can carry malware straight into your corporate environment. The tunnel is protected; the endpoint is not.
The fix is a Zero Trust model: trust no device or user by default, regardless of network position. Conditional Access policies verify device compliance, user identity, and sign-in risk before granting access to an application. For most UK businesses, Conditional Access has now superseded VPN as the primary remote-access control.
| Control | What it protects | What it misses |
|---|---|---|
| VPN only | The network tunnel in transit | Device health, identity risk, app-level access |
| MFA | Account access if a password leaks | Device compliance, malware on endpoint |
| Conditional Access + EDR | Identity, device state, sign-in risk, endpoint threats | Little — this is the target architecture |
Why Is MFA the Single Most Urgent Control?
Many businesses enabled remote access to Microsoft 365 during the pandemic without enforcing multi-factor authentication. Password spray, credential stuffing, and credential phishing became the dominant attack vector against remote workers from 2020 onward — a pattern that continues today.
According to Microsoft, MFA blocks over 99.99% of account compromise attacks (Microsoft). If any of your remote workers still reach business systems without it, MFA enforcement is the first thing to fix — ahead of every other project on the list. Even stolen credentials are near-useless against an account protected by a second factor.
What Controls Belong on a Permanent Remote Setup?
Where hybrid or remote working is now the norm, security has to be designed in rather than bolted on. The controls below form the baseline AMVIA implements for distributed UK teams, all delivered and accountable under one provider rather than stitched across vendors.
- MFA enforced on every cloud account, including service and shared accounts where technically feasible.
- Conditional Access requiring device-compliance checks before Microsoft 365 access.
- EDR on all endpoints — Microsoft Defender for Business, backed by managed phishing protection, gives detection consumer antivirus cannot.
- Microsoft 365 hardening — Secure Score review, mailbox auditing on, external sharing reviewed, legacy authentication blocked.
- Device management with Microsoft Intune to enrol corporate and BYOD devices and prove compliance.
- Regular phishing-simulation training — short and frequent beats an annual compliance tick-box.
- Clear, signed, enforced acceptable-use and BYOD policies.
Should You Issue Corporate Devices to Every Remote Worker?
It depends on data sensitivity and volume of remote work. For roles touching sensitive data, managed corporate devices give materially better control than personal kit and are worth the cost. For occasional access to non-sensitive systems, a well-run BYOD programme can be an acceptable alternative.
A defensible BYOD setup is not "use your own laptop and hope". It needs MDM enrolment, MFA, Conditional Access, and the ability to wipe corporate data without touching personal content. Get those four in place and personal devices become a controlled risk rather than an unknown one.
How Should You Review Your Remote Working Posture?
The right time to review remote-working security is before an incident forces it. A structured assessment measures your controls against NCSC home-working guidance, identifies the gaps most likely to be exploited, and produces a prioritised remediation plan ranked by your actual risk exposure — typically inside half a day.
Many businesses have not formally reviewed these controls since 2020. If yours is one of them, start with the high-impact, low-effort items: MFA enforcement, blocking legacy authentication, and a Secure Score review. They remove the largest share of risk for the least disruption.
When Did You Last Review Your Remote Working Security?
Many businesses have not formally reviewed their remote working security controls since 2020. A structured assessment identifies the controls you are missing and prioritises remediation by risk.
Frequently Asked Questions
A VPN encrypts the tunnel between device and network but does not validate whether the device itself is secure. Conditional Access — verifying device compliance, MFA status, and sign-in risk before granting access — is significantly stronger. For most UK businesses, Conditional Access has superseded VPN as the primary remote-access security mechanism.
Phishing and business email compromise remain the most common attack vectors against remote workers, followed by stolen credentials from breaches being reused against cloud accounts. MFA addresses both: even with a valid password, an attacker is blocked at the second factor. Awareness training and phishing simulation improve recognition of the attempts technical controls do not catch.
Without endpoint management, you cannot. Microsoft Intune and Microsoft Defender for Endpoint show device compliance — patch state, EDR status, and whether the machine meets your baseline. Conditional Access can then deny Microsoft 365 access from any device that falls short, turning compliance into an enforced requirement rather than a request.
Yes. Microsoft reports that MFA blocks over 99.99% of account compromise attacks. It is the highest-impact, lowest-cost control available for remote access. Enforce it on every cloud account before investing in more advanced tooling — most remote-worker breaches start with a credential that MFA would have stopped dead.
Microsoft Secure Score measures your Microsoft 365 security posture based on which recommended controls you have enabled, and benchmarks you against similar organisations. It hands you a prioritised list of actions to close configuration gaps. For any business on Microsoft 365, reviewing and improving Secure Score is a practical, fast way to find weaknesses before an attacker does.
A structured review of your remote-working controls typically takes around half a day. It assesses your setup against NCSC guidance, surfaces the gaps most likely to be exploited, and returns a remediation plan ranked by risk — so you fix the controls that matter most first, rather than spreading effort evenly across everything.
Related Reading
Home Worker Security | Using Personal IT Equipment Safely
How to manage the security risks of employees using personal devices for work, including BYOD controls.
Phishing Protection for UK Businesses | AMVIA Guide
Technical and training controls to protect remote workers from phishing attacks and business email compromise.
Zero Trust Architecture for UK SMEs | Complete Guide
How Zero Trust security principles improve remote access security beyond traditional VPN-based approaches.