Remote and hybrid work security - a guide for organizations
Remote work security - VPN, MFA, zero trust, BYOD and M365. Practical guidelines for companies operating in a hybrid model according to NIST 800-207.
Łukasz Dudkowski
When millions of employees shifted to home offices overnight in March 2020, most organizations treated remote work as a temporary solution. Six years later, hybrid work is the standard - according to Eurostat data, over 22% of EU workers regularly or occasionally work from home, and the hybrid model now accounts for 44% of flexible work arrangements. However, it is not only habits that have changed, but also the scale of threats. The Verizon DBIR 2025 report shows that attacks on edge devices and VPNs increased eightfold year over year, and stolen credentials remain the initial vector in 22% of breaches.
This article describes how to build lasting security measures for corporate remote and hybrid work - from zero trust architecture, through VPN and MFA configuration, to Microsoft 365 security and BYOD device management. If you are looking for guidelines on remote access to industrial control systems (ICS/OT), read our separate guide: Secure remote access to ICS systems - security principles.
[Key figures box: increase in attacks on VPNs and edge devices in 2025; share of breaches that start with stolen credentials; share of account attacks blocked by multi-factor authentication (MFA); average global cost of a data breach in 2025. Source: Verizon DBIR 2025, Microsoft Research, IBM Cost of a Data Breach 2025]
Why remote work security requires a new approach
The perimeter-based security model that most organizations relied on before the pandemic assumes that everything inside the corporate network is trusted. In a hybrid world, this assumption is dangerous - employees connect from home, coffee shops, hotels, and from various devices. The network perimeter effectively no longer exists.
Three key changes that require a new security model:
- Distributed attack surface - every home WiFi network, personal laptop, or public connection is a potential entry point into the company’s infrastructure
- Shadow IT and shadow AI - employees use unapproved tools; according to IBM Cost of a Data Breach 2025, incidents related to shadow AI account for 20% of breaches and add an average of $670,000 to breach costs
- Management complexity - different operating systems, VPNs, communication tools, cloud services - each element requires a consistent security policy
Zero trust - the foundation of hybrid security
Zero trust architecture, described in NIST SP 800-207, is based on one principle: never trust, always verify. Every user, device, and connection must be authenticated and authorized - regardless of location.
Three pillars of zero trust in the context of remote work
| Pillar | Description | Implementation example |
|---|---|---|
| Identity verification | Every login confirmed by multiple factors | Phishing-resistant MFA (FIDO2, passkeys) |
| Least privilege principle | Access only to resources necessary for work | Role-based access control + just-in-time access |
| Continuous validation | Device state and context verified with every request | Conditional access policies, device compliance |
TIP
Implementing zero trust does not require replacing the entire infrastructure at once. Start with three steps: (1) enforce MFA on all accounts with remote access, (2) deploy Conditional Access policies (e.g., in Microsoft Entra ID), (3) introduce device compliance checks before granting access to corporate data.
VPN - a necessity, not a sufficiency
A VPN encrypts network traffic between the employee and the corporate network and remains an important element of protection. But a VPN alone is not enough - the Verizon DBIR 2025 report shows that attacks on VPN vulnerabilities and edge devices increased eightfold, and the median time from publication of a critical vulnerability to mass exploitation is zero days.
How to secure your VPN
- Patch immediately - patches for VPNs (Fortinet, Palo Alto, Ivanti, Cisco) should be deployed within hours, not weeks
- Disable split tunneling if possible - prevents direct internet access from a machine connected to the corporate network
- Limit the attack surface - a VPN should expose only the resources that are needed, not the entire network
- Monitor sessions - unusual hours, locations, and data volumes are early warning signals
- Consider ZTNA (Zero Trust Network Access) as a complement or replacement for traditional VPN - ZTNA verifies the user and device before each connection, without exposing the entire network
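The session-monitoring point above (unusual hours, locations, data volumes) is easiest to see as code. The following is an added example, not part of the article and not a SEQRED tool: it runs a few baseline checks over constructed VPN session records. The record fields (user, start, country, mb), the working-hours window, the minimum history and the travel window are all this example's own assumptions; a real deployment would read the same fields from the VPN concentrator's logs.

```python
"""Baseline-driven checks over VPN session records (added example; sample data constructed)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample VPN session records (not real logs). Field names are this example's own:
# user, session start (ISO 8601, UTC), country of the source IP, megabytes transferred.
SAMPLE_SESSIONS = [
    {"user": "anna", "start": "2025-03-03T08:05:00", "country": "PL", "mb": 310},
    {"user": "anna", "start": "2025-03-04T08:12:00", "country": "PL", "mb": 290},
    {"user": "anna", "start": "2025-03-05T07:58:00", "country": "PL", "mb": 350},
    {"user": "anna", "start": "2025-03-06T08:20:00", "country": "PL", "mb": 300},
    {"user": "anna", "start": "2025-03-07T03:14:00", "country": "RO", "mb": 4800},
    {"user": "bob",  "start": "2025-03-03T09:00:00", "country": "PL", "mb": 120},
    {"user": "bob",  "start": "2025-03-03T10:30:00", "country": "US", "mb": 140},
]

WORK_HOURS = range(6, 20)           # assumption: logins between 06:00 and 19:59 are routine
MIN_HISTORY = 3                     # prior sessions needed before a user's baseline is trusted
TRAVEL_WINDOW = timedelta(hours=2)  # two countries within this window is implausible travel


def detect_anomalies(sessions):
    """Return [(user, start, reasons)] for sessions that deviate from the user's own history.

    Sessions are processed in time order, so each one is judged only against what the
    user did before it (no peeking at later records).
    """
    history = defaultdict(list)
    findings = []
    for rec in sorted(sessions, key=lambda r: r["start"]):
        reasons = []
        start = datetime.fromisoformat(rec["start"])
        prior = history[rec["user"]]

        if start.hour not in WORK_HOURS:
            reasons.append("unusual_hour")

        if len(prior) >= MIN_HISTORY:
            if rec["country"] not in {p["country"] for p in prior}:
                reasons.append("new_country")
            volumes = [p["mb"] for p in prior]
            avg, sd = mean(volumes), pstdev(volumes)
            # Both tests must hold: a 3-sigma outlier that is also at least double the usual
            # volume, so a very flat baseline does not flag trivial variation.
            if rec["mb"] > avg + 3 * sd and rec["mb"] > 2 * avg:
                reasons.append("volume_spike")

        if prior:
            last = prior[-1]
            gap = start - datetime.fromisoformat(last["start"])
            if last["country"] != rec["country"] and gap < TRAVEL_WINDOW:
                reasons.append("impossible_travel")

        if reasons:
            findings.append((rec["user"], rec["start"], reasons))
        prior.append(rec)
    return findings


if __name__ == "__main__":
    for user, start, reasons in detect_anomalies(SAMPLE_SESSIONS):
        print(f"{start} {user}: {', '.join(reasons)}")
```

On the constructed data, anna's 03:14 session from a new country with a 15x volume jump is flagged on three counts, and bob's second login from a different country 90 minutes after the first is flagged as impossible travel. Each finding here is a signal to investigate, not an automatic verdict; per-user baselines are deliberately used so that a night-shift worker is compared with their own habits rather than the company average.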
WARNING
A VPN without MFA is an open door. The Colonial Pipeline attack in 2021 ($4.4 million ransom) started with a single compromised VPN account without multi-factor authentication (MFA). Deploying MFA on every remote access point is a minimum requirement.
Multi-factor authentication (MFA) - a non-negotiable requirement
MFA is the single most effective security control for remote work. According to Microsoft research, MFA blocks over 99% of account attacks - including attacks using stolen login credentials. But not all MFA is equally effective.
MFA levels - from weakest to strongest
| Level | Method | Phishing resistance | Recommendation |
|---|---|---|---|
| Basic | SMS / app-generated code | Low - vulnerable to SIM swapping and AiTM | Minimum for non-critical systems |
| Intermediate | Push notification with number matching | Medium - mitigates MFA fatigue attacks | Good balance of security and convenience |
| High | FIDO2 / passkeys / hardware keys | High - phishing-resistant | Standard for privileged accounts and access to sensitive data |
Since 2025, Microsoft requires MFA for all administrator accounts in Entra ID. NIST in its updated guidelines (SP 800-63B) advises against SMS-based MFA for systems with elevated trust levels.
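To make the "phishing-resistant" row of the table concrete, here is an added example (not from the article, not from any FIDO or Microsoft code) of the two bindings that give FIDO2/passkeys that property: the credential is tied to the relying party's identifier (rpId), and the signed client data carries the origin of the page that requested the sign-in. Two simplifications are this example's own: an HMAC with a per-credential secret stands in for the authenticator's private-key signature, and the rpId is taken as the last two labels of the page host instead of using a public-suffix list.

```python
"""Why FIDO2/passkeys resist phishing: a toy WebAuthn-style flow (added example)."""
import hashlib
import hmac
import json
import secrets

# Simplifications, all this example's own: HMAC-SHA256 with a per-credential secret stands in
# for the authenticator's private-key signature (real FIDO2 uses asymmetric keys), and the
# rpId is taken as the last two labels of the page's host (no public-suffix list).
RP_ID = "example.com"                    # the relying party's registered identifier
RP_ORIGIN = "https://login.example.com"  # the only origin the RP accepts in clientData


class Authenticator:
    """Toy authenticator: credentials are bound to the rpId they were registered for."""

    def __init__(self):
        self._keys = {}  # rpId -> credential secret

    def register(self, rp_id):
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]  # a real RP would receive only the public key

    def get_assertion(self, rp_id, client_data_json):
        if rp_id not in self._keys:
            raise LookupError("no credential for this rpId")
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash + UP flag
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(self._keys[rp_id], signed, hashlib.sha256).digest()


def effective_domain(origin):
    """Simplified rpId derivation: last two labels of the host."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    return ".".join(host.split(".")[-2:])


def browser_sign_in(authenticator, page_origin, challenge):
    """The browser, not the page, fixes the rpId and the origin that get signed."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    auth_data, sig = authenticator.get_assertion(effective_domain(page_origin), client_data)
    return client_data, auth_data, sig


def rp_verify(key, expected_challenge, client_data, auth_data, sig):
    """Relying-party checks, in the order a real verifier performs them."""
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get" or data.get("challenge") != expected_challenge:
        return False  # stale or replayed assertion
    if data.get("origin") != RP_ORIGIN:
        return False  # assertion was created on some other site
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False  # credential belongs to a different rpId
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig)


def run_demo():
    auth = Authenticator()
    key = auth.register(RP_ID)  # registration happened on the genuine site
    results = {}
    challenge = secrets.token_hex(16)
    cd, ad, sig = browser_sign_in(auth, RP_ORIGIN, challenge)
    results["legitimate"] = rp_verify(key, challenge, cd, ad, sig)
    # Lookalike domain: the rpId derived from the page origin has no credential, nothing is signed.
    try:
        browser_sign_in(auth, "https://login-example.com", challenge)
        results["lookalike_site"] = "assertion issued"
    except LookupError as exc:
        results["lookalike_site"] = str(exc)
    # Captured assertion presented again: the RP issued a fresh challenge, so it is rejected.
    results["replayed"] = rp_verify(key, secrets.token_hex(16), cd, ad, sig)
    # clientData edited after signing: the origin check (and the signature) fail.
    edited = json.loads(cd)
    edited["origin"] = "https://login-example.com"
    results["edited_origin"] = rp_verify(key, challenge, json.dumps(edited).encode(), ad, sig)
    return results


if __name__ == "__main__":
    for case, outcome in run_demo().items():
        print(f"{case}: {outcome}")
```

The contrast with the "Basic" row is the point: a one-time code can be typed into any page, whereas here the user has no code to hand over, the authenticator refuses to sign for a domain it was never registered with, and an assertion that somehow reached the RP from elsewhere fails the origin and challenge checks.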
Microsoft 365 security in the hybrid model
Microsoft 365 is the primary work tool for most organizations - email, documents, communication, task management. Each of these elements requires appropriate security configuration.
Key protection mechanisms
Conditional Access (Entra ID) - a central policy that determines who, from where, from which device, and in what context can access resources. Example rules:
- Require MFA when signing in from outside the corporate network
- Block access from non-compliant devices
- Require device compliance (Intune) before accessing SharePoint and OneDrive
- Enforce time-limited sessions when accessing from unmanaged devices
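The four example rules interact, and the way they combine is what trips up new deployments: every policy whose conditions match is applied, a block in any of them wins, and otherwise all grant controls have to be satisfied. The following added example (this is a toy model written for this article, not Entra ID's own engine or API) encodes those four rules and evaluates sample sign-ins. Field and control names such as `trusted_network`, `device_compliant`, `"compliantDevice"` and `sign_in_frequency_hours` are this example's own and only loosely follow Entra terminology.

```python
"""Toy model of how Conditional Access style policies combine (added example, not Entra's code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SignIn:
    user: str
    app: str                          # e.g. "Exchange", "SharePoint", "OneDrive"
    trusted_network: bool             # True when the source IP is a named corporate location
    device_compliant: Optional[bool]  # True/False reported by the MDM; None = unmanaged device
    mfa_done: bool                    # MFA already satisfied in this session


# Constructed policies mirroring the four example rules above. "applies" is the policy's
# condition, "grant" its grant controls, "session" its session controls.
POLICIES = [
    {"name": "Require MFA outside the corporate network",
     "applies": lambda s: not s.trusted_network,
     "grant": {"mfa"}},
    {"name": "Block non-compliant devices",
     "applies": lambda s: s.device_compliant is False,
     "grant": {"block"}},
    {"name": "Require compliant device for SharePoint and OneDrive",
     "applies": lambda s: s.app in {"SharePoint", "OneDrive"},
     "grant": {"compliantDevice"}},
    {"name": "Time-limited session on unmanaged devices",
     "applies": lambda s: s.device_compliant is None,
     "session": {"sign_in_frequency_hours": 1}},
]


def evaluate(signin, policies=POLICIES):
    """Combine every matching policy: any block wins, otherwise all grant controls must be met."""
    matched = [p for p in policies if p["applies"](signin)]
    grants, session = set(), {}
    for p in matched:
        grants |= p.get("grant", set())
        session.update(p.get("session", {}))
    names = [p["name"] for p in matched]

    if "block" in grants:
        return {"decision": "block", "policies": names}

    unmet = []
    if "mfa" in grants and not signin.mfa_done:
        unmet.append("mfa")
    if "compliantDevice" in grants and signin.device_compliant is not True:
        unmet.append("compliantDevice")
    if unmet:
        return {"decision": "require", "controls": sorted(unmet), "policies": names}
    return {"decision": "allow", "session": session, "policies": names}


if __name__ == "__main__":
    # Constructed sign-in scenarios
    scenarios = [
        SignIn("anna", "Exchange", trusted_network=True, device_compliant=True, mfa_done=False),
        SignIn("anna", "SharePoint", trusted_network=False, device_compliant=True, mfa_done=False),
        SignIn("bob", "Exchange", trusted_network=False, device_compliant=False, mfa_done=True),
        SignIn("bob", "Exchange", trusted_network=False, device_compliant=None, mfa_done=True),
        SignIn("bob", "OneDrive", trusted_network=False, device_compliant=None, mfa_done=True),
    ]
    for s in scenarios:
        print(s.user, s.app, "->", evaluate(s))
```

Two outcomes are worth noticing when reading the results: an unmanaged personal device (no compliance signal at all) is not blocked, but it can never satisfy the "compliant device" control, so SharePoint and OneDrive stay out of reach until the device is enrolled; and a device the MDM reports as non-compliant is blocked outright even if MFA was already completed, because the block control takes precedence over every grant control.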
Microsoft Defender for Office 365 - email protection against phishing, malware, and BEC (Business Email Compromise) attacks. Safe Links and Safe Attachments scan links and attachments in real time.
Microsoft Intune - mobile device and application management (MDM/MAM). Enables enforcement of encryption, blocking the copying of corporate data to personal apps, and remote wiping of data in case of device loss.
Data Loss Prevention (DLP) - policies preventing accidental or intentional leakage of sensitive data through email, Teams, or SharePoint.
NOTE
M365 security configuration is not a one-time setup but a continuous process. Microsoft introduces new features every month - for example, in April 2026 Entra ID received an enhanced Conditional Access Agent that analyzes policies and recommends changes tailored to the organization’s environment.
BYOD - when employees use their own devices
Bring Your Own Device (BYOD) reduces hardware costs but increases risk. The key question is: how do you protect corporate data on a device over which the organization does not have full control?
BYOD approaches - comparison
| Approach | How it works | Advantages | Limitations |
|---|---|---|---|
| MAM (Mobile Application Management) | Management at the application level - corporate data is encrypted in a container | User privacy preserved, quick deployment | Limited control over the device |
| MDM (Mobile Device Management) | Full device management - encryption, password policies, remote wipe | Maximum control, regulatory compliance | Employees may be reluctant to enroll personal devices |
| Virtual Desktop (VDI/AVD) | Employee connects to a virtual environment - data never leaves the cloud | Data is not stored locally | Requires a stable connection, higher infrastructure costs |
TIP
For organizations starting a BYOD program, we recommend the MAM approach (e.g., Microsoft Intune App Protection Policies) as a starting point. It allows you to protect corporate data in Outlook, Teams, and OneDrive apps without interfering with the employee’s personal portion of the device.
Home network security
Home WiFi is often the weakest link in the security chain. A router with a default password, outdated firmware, and disabled WPA3 is an open invitation for attackers. The following steps help mitigate this risk.
Home network security checklist
- Change the default router administrator password
- Enable WPA3 encryption (or WPA2-AES at minimum)
- Set up a separate network (VLAN/SSID) for work devices
- Update the router firmware to the latest version
- Disable WPS (WiFi Protected Setup) - vulnerable to brute force attacks
- Disable remote router management (administration from WAN)
- Set a strong, unique WiFi password (minimum 16 characters)
- Consider a router-level VPN for all work-related traffic
Training and security culture
Technology is half the equation. Even the best technical safeguards will not work if employees do not understand the threats. Phishing remains one of the primary attack vectors targeting remote workers - according to Verizon DBIR 2025, it accounts for 15% of initial breaches, behind only vulnerability exploitation (20%) and credential theft (22%).
An effective security awareness program includes:
- Onboarding training - remote work policies, phishing recognition, incident response procedures
- Regular phishing simulations - not as a punishment tool but as a learning opportunity; results help identify areas that need support
- Clear reporting procedures - employees must know who to contact and how to report a suspicious email or incident
- Short, regular communications - microtraining sessions (5-10 minutes) are more effective than one-time multi-hour sessions
- Password management - using a password manager, unique passwords for each account, passphrases instead of short passwords
Hybrid work security implementation checklist
Below is a checklist for organizations planning or reviewing their remote and hybrid work security measures.
Infrastructure and access
- VPN/ZTNA with mandatory MFA on all remote access points
- Conditional Access policies configured and tested
- FIDO2/passkeys deployed for privileged accounts
- VPN session monitoring (anomalies in hours, locations, volume)
- Procedure for immediate patching of VPNs and edge devices
Devices and data
- BYOD policy defined and communicated to employees
- MAM or MDM deployed on devices with access to corporate data
- Disk encryption on all devices (BitLocker / FileVault)
- DLP policies configured for email, Teams, SharePoint
- Automatic backup of corporate data to the cloud
People and processes
- Regular security training (at least quarterly)
- Phishing simulations (at least every 2 months)
- Incident reporting procedure known to all employees
- Clean desk and screen lock policy
- Regular access permission reviews (at least every six months)
Where to start
Building hybrid work security is a process - you cannot implement everything at once. We recommend the following order:
- Immediately - deploy MFA on all accounts with remote access; this is the single change with the greatest impact
- Within a month - configure Conditional Access and device compliance checks
- Within a quarter - deploy BYOD/MAM, DLP, training program
- Continuously - monitoring, patching, permission reviews, policy updates
If you need support in assessing the security of your remote access infrastructure, SEQRED provides penetration testing covering verification of VPN configuration, MFA, Conditional Access policies, and employee resistance to phishing. We also help design zero trust architecture tailored to the specifics of your organization.
For industrial environments (ICS/OT), the rules are different - we refer you to our guide Secure remote access to ICS systems, which describes in detail 17 principles of secure remote access to operational infrastructure. It is also worth reading the ransomware guide, as compromised remote access is one of the primary vectors for ransomware attacks.