Remote Work Security Checklist: Protecting Your Business Beyond the Office

# Remote Work Security Checklist: Protecting Your Business Beyond the Office

Remote and hybrid work is permanent. But every remote worker is a potential entry point for attackers — working from home networks, coffee shop Wi-Fi, and personal devices. This checklist covers the IT security fundamentals every business with remote workers must implement.

## Network Security

### VPN or Zero Trust Access

Every remote worker accessing internal resources needs an encrypted connection:

• [ ] **VPN deployed** to all remote workers accessing internal network resources
• [ ] **Split tunneling disabled** (or carefully controlled) — all business traffic routes through VPN
• [ ] **Always-on VPN** configured for company-owned devices
• [ ] **VPN client auto-updates** enabled to patch vulnerabilities
• [ ] **Consider ZTNA** (Zero Trust Network Access) as a VPN alternative — grants access per-application rather than per-network

### Home Network Guidance

You cannot control home networks, but you can mitigate risks:

• [ ] **Provide guidance** on updating home router firmware
• [ ] **Recommend WPA3** (or at minimum WPA2) on home Wi-Fi
• [ ] **Discourage shared home networks** for sensitive work (separate SSID if possible)
• [ ] **Block public Wi-Fi** for company-owned devices via MDM policy (or require VPN for all connections)

## Endpoint Security

### Device Management

• [ ] **MDM (Mobile Device Management)** enrolled on all devices accessing company data
• [ ] **Full disk encryption** (BitLocker on Windows, FileVault on macOS) enabled and enforced
• [ ] **EDR/antivirus** deployed and actively monitored on all endpoints
• [ ] **Automatic OS updates** enabled — no user ability to defer critical patches
• [ ] **Screen lock** configured for 5-minute timeout
• [ ] **USB port restrictions** via group policy or MDM (block unauthorized storage devices)

### BYOD (Bring Your Own Device)

If employees use personal devices:

• [ ] **BYOD policy signed** by all employees using personal devices
• [ ] **Container/workspace separation** — company data in managed container (Intune, Workspace ONE)
• [ ] **Remote wipe capability** for company data only (not personal data)
• [ ] **Minimum security requirements** defined (OS version, encryption, passcode)

## Identity and Access Management

### Multi-Factor Authentication

MFA is the single most effective security control for remote workers:

• [ ] **MFA enabled on ALL cloud applications** (Microsoft 365, Google Workspace, CRM, etc.)
• [ ] **MFA on VPN access** — no exceptions
• [ ] **Phishing-resistant MFA preferred** (hardware keys, authenticator apps — not SMS)
• [ ] **Conditional access policies** — require MFA from unfamiliar locations or devices
• [ ] **Admin accounts** require hardware security keys (YubiKey or equivalent)

### Password Policy

• [ ] **Minimum 14-character passwords** (or passphrases)
• [ ] **Password manager deployed** to all employees (Bitwarden, 1Password, or Keeper)
• [ ] **No password reuse** across business applications
• [ ] **Breached password monitoring** (Azure AD Password Protection or equivalent)

## Cloud Application Security

• [ ] **SSO (Single Sign-On)** configured for all SaaS applications
• [ ] **Session timeout** configured for cloud applications (8-12 hours maximum)
• [ ] **Data loss prevention (DLP)** rules on email and file sharing (prevent PHI/PII from leaving org)
• [ ] **External sharing controls** — restrict OneDrive/SharePoint/Google Drive sharing to approved domains
• [ ] **Cloud backup** — Microsoft 365 / Google Workspace data backed up by third-party solution
• [ ] **Shadow IT monitoring** — identify unsanctioned cloud applications via CASB or firewall logs

## Employee Security Training

• [ ] **Annual security awareness training** for all employees
• [ ] **Monthly phishing simulations** with reportable metrics
• [ ] **Incident reporting process** clearly documented and easily accessible
• [ ] **Physical security reminders** — lock screens, secure documents, avoid shoulder surfing
• [ ] **Social engineering awareness** — phone pretexting, deepfake audio/video awareness

## Incident Response for Remote Workers

• [ ] **Clear escalation path** documented — who to call when something suspicious happens
• [ ] **Remote isolation capability** — IT can quarantine a compromised endpoint remotely
• [ ] **Communication backup plan** — how to reach employees if email is compromised (phone tree, out-of-band messaging)
• [ ] **Forensic readiness** — EDR logging sufficient to investigate incidents on remote devices

## Physical Security

Even at home, physical security matters:

• [ ] **Privacy screens** on laptops used in public or shared spaces
• [ ] **Secure storage** for company devices when not in use
• [ ] **Clean desk policy** — no sensitive documents left visible
• [ ] **Device theft reporting** process documented with timeline requirements

## Quick Wins

If you are just starting to secure your remote workforce:

Summit DNC secures remote and hybrid workforces for businesses across Southern California. From VPN and endpoint management to MFA deployment and security training, we implement comprehensive remote work security programs.