Securing Remote Workers Without Making Them Hate You
Remote work is here to stay. Your security approach needs to accommodate that without becoming so restrictive that people find workarounds - or quit.
Here’s how to protect remote workers and the business while keeping everyone reasonably happy.
The Core Tension
Security teams want control. Remote workers want flexibility. Push too hard on security, and people will use personal devices, work around VPNs, and store documents in personal cloud accounts. You’ll have less security, not more.
The goal is finding controls that are effective and tolerable. People will accept reasonable friction for security they understand. They’ll resist anything that feels arbitrary or excessive.
The Non-Negotiables
Some things aren’t up for debate. These need to be requirements, clearly explained:
Multi-factor authentication on everything. No exceptions. Every remote access point - email, VPN, cloud apps, everything - requires MFA. Authenticator apps or hardware security keys, not SMS (explain why if people ask - SIM swapping is real, and a code that can be read off a text message can also be phished).
Managed devices for work. Work happens on company-managed devices, not personal laptops. This lets you enforce security policies, deploy updates, and ensure devices are encrypted. If you can’t afford to provide devices, at minimum require management enrollment on any device accessing company data.
Endpoint protection. Microsoft Defender for Business, CrowdStrike, SentinelOne - pick one and deploy it. Remote devices face threats that office firewalls used to block.
Encrypted storage. BitLocker on Windows, FileVault on Mac. If a device is lost or stolen, the data is protected. This should be on by default with no user override, and the recovery keys should be escrowed in your management platform so a forgotten PIN or a failed board does not mean lost data.
The Flexible Controls
These can be adjusted based on your risk tolerance and business needs:
VPN usage. Traditional thinking says all traffic should go through the VPN. Modern reality is that most business apps are cloud-based and don’t need VPN routing. Consider:
- VPN required for accessing on-premises resources
- VPN optional for cloud apps (they are reached over TLS and authenticate against your identity provider; tie access to MFA and device compliance through conditional access rather than to network location)
- Split tunneling to improve performance
If everything is in Microsoft 365 and SaaS apps, forcing all traffic through VPN adds latency without adding much security.
Network requirements. Do you care if someone works from a coffee shop? The security risk isn’t zero (shoulder surfing, network attacks) but it’s manageable with proper encryption and MFA. Banning public wifi entirely is often unenforceable anyway.
Working hours monitoring. Some businesses monitor when remote workers are active. This is more about management than security, and it’s a quick way to destroy trust. I’d avoid it unless you have specific concerns about particular individuals.
Screen recording and keystroke logging. Just don’t. The surveillance-to-security ratio is way off. If you can’t trust someone enough to skip keystroke logging, you probably shouldn’t employ them.
Practical Implementation
Device setup: Create a standard image or configuration for remote devices that includes:
- Endpoint protection
- Encryption
- MFA enrollment
- Automatic updates enabled
- Company branding (so it’s clearly a work device)
New employees should receive configured devices, not be asked to set things up themselves.
Network considerations: For sensitive roles, consider providing:
- A basic router with security features
- Instructions for securing home wifi (change default passwords, use WPA3, separate guest network)
- A mobile hotspot as backup
This isn’t about controlling home networks - you can’t - but about providing options that improve security.
Secure access service edge (SASE): If budget allows, solutions like Zscaler, Cloudflare Zero Trust, or Microsoft Entra combine several remote access controls into one platform:
- Zero trust network access (per-application access tied to identity and device posture, instead of a VPN that puts the whole device on the internal network)
- Cloud-based web filtering
- Data loss prevention
- Consistent policies regardless of location
These are overkill for very small businesses but increasingly standard for 50+ employee organisations.
Communication Matters
The difference between security controls that work and ones that get circumvented is often how they’re communicated.
Explain the “why.” “We require MFA because passwords get stolen” is better than “MFA is required per policy.” People accept inconvenience when they understand the reason.
Be honest about trade-offs. “This will add 30 seconds to your login. We think that’s worth it because…” builds more trust than pretending there’s no downside.
Listen to feedback. If a control is causing major problems, hear about it. Sometimes the security benefit isn’t worth the productivity cost. Sometimes there’s a better way to achieve the same goal.
Make it easy to do the right thing. If the secure option is harder than the insecure option, people will choose insecure. Make password managers easy. Make VPN connections automatic. Reduce friction wherever possible.
Handling Specific Scenarios
The coffee shop worker: If someone wants to work from cafes occasionally, fine. Require:
- MFA on all access
- VPN for any sensitive resources
- Privacy screen on laptop
- No sensitive conversations in public
The international traveler: Business travel to some countries carries additional risks. Consider:
- Temporary device with minimal data
- Different credentials that can be revoked
- Brief on local risks and surveillance
- Check-in protocols
The shared living space: Someone working from a shared house or apartment with non-employees. Advise:
- Screen lock when stepping away (short timeout)
- No work conversations in common areas
- Encrypted storage (standard requirement anyway)
- Awareness of shoulder surfing
The permanent remote worker: For fully remote employees, you might invest in:
- Better equipment (monitors, ergonomic setup)
- Occasional security assessments of their setup
- Secure disposal services for old equipment/documents
Monitoring Without Surveillance
You can maintain visibility without invasive monitoring:
Device compliance reporting: Is the device encrypted? Is endpoint protection running? Are updates installed? You can check these without seeing what people are doing.
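The shape of that report, as an added example (not code from the original page or from any MDM vendor): a posture record carries only the fields the page lists - encryption, endpoint protection, patch age, OS version - and access is gated on those alone. The thresholds and device records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Policy thresholds: assumed values for this example, tune to your own baseline.
MAX_PATCH_AGE_DAYS = 14
MIN_OS_VERSION = {"Windows": (10, 0, 19045), "macOS": (14, 0)}


@dataclass
class DevicePosture:
    """What the management platform exports about a device.

    Note what is deliberately absent: no browsing history, no documents,
    no keystrokes, no working hours. Posture only.
    """
    device_id: str
    user: str
    os_name: str
    os_version: str
    disk_encrypted: bool
    edr_healthy: bool   # endpoint protection installed, running and reporting in
    last_patch: date    # when the device last successfully installed updates


def version_tuple(version: str) -> tuple:
    # "10.0.22631" -> (10, 0, 22631); tuples compare element by element
    return tuple(int(part) for part in version.split("."))


def evaluate(device: DevicePosture, today: date) -> list:
    """Return the policy failures for one device; an empty list means compliant."""
    failures = []
    if not device.disk_encrypted:
        failures.append("disk not encrypted")
    if not device.edr_healthy:
        failures.append("endpoint protection not running")
    patch_age = (today - device.last_patch).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        failures.append(f"no updates for {patch_age} days")
    minimum = MIN_OS_VERSION.get(device.os_name)
    if minimum is None:
        failures.append(f"unsupported OS {device.os_name}")
    elif version_tuple(device.os_version) < minimum:
        failures.append(f"{device.os_name} {device.os_version} below minimum")
    return failures


def compliance_report(devices: list, today: date) -> dict:
    """device_id -> list of failures; what the security team actually looks at."""
    return {d.device_id: evaluate(d, today) for d in devices}


def access_allowed(report: dict, device_id: str) -> bool:
    """Conditional-access style gate: only known, fully compliant devices get in."""
    return device_id in report and not report[device_id]


# Constructed sample inventory (not a real export).
TODAY = date(2024, 5, 6)
DEVICES = [
    DevicePosture("lap-001", "alice", "Windows", "10.0.22631", True, True, date(2024, 5, 3)),
    DevicePosture("lap-002", "bob", "macOS", "13.6", True, True, date(2024, 3, 27)),
    DevicePosture("lap-003", "carol", "Windows", "10.0.22631", False, True, date(2024, 5, 1)),
]

if __name__ == "__main__":
    for device_id, failures in compliance_report(DEVICES, TODAY).items():
        print(device_id, "compliant" if not failures else "; ".join(failures))
```

Running it lists lap-001 as compliant, lap-002 as forty days unpatched and on an unsupported macOS version, and lap-003 as unencrypted; only lap-001 passes the access gate, and an unenrolled device is refused because it has no posture record at all.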
Authentication logs: Where are people logging in from? Any impossible travel? Any failed attempts? This detects compromise without monitoring activity.
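The two checks named above - impossible travel and failed-attempt bursts - as an added example run over constructed sign-in events (not code or data from the original page, and not any vendor's detection logic). It assumes the log has already resolved each source IP to coordinates, as sign-in logs from Microsoft 365 or Google Workspace do; the 900 km/h threshold (roughly airliner speed) and the burst window are assumptions.

```python
import json
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0               # faster than an airliner: not the same person
MIN_DISTANCE_KM = 50.0                  # ignore geolocation jitter between nearby IPs
FAILURE_BURST = 5                       # this many failures...
FAILURE_WINDOW = timedelta(minutes=10)  # ...inside this window is a burst

# Constructed sample events (not a real export). Documentation-range IPs.
SIGN_INS = [
    {"user": "alice", "time": "2024-05-06T08:02:00Z", "ip": "203.0.113.10", "lat": 51.5074, "lon": -0.1278, "ok": True},   # London
    {"user": "alice", "time": "2024-05-06T08:45:00Z", "ip": "198.51.100.7", "lat": 40.7128, "lon": -74.0060, "ok": True},  # New York, 43 min later
    {"user": "bob", "time": "2024-05-06T09:00:00Z", "ip": "192.0.2.20", "lat": 53.4808, "lon": -2.2426, "ok": True},        # Manchester
    {"user": "bob", "time": "2024-05-06T17:30:00Z", "ip": "192.0.2.21", "lat": 51.5074, "lon": -0.1278, "ok": True},        # London, 8.5 h later
    {"user": "dave", "time": "2024-05-06T11:00:00Z", "ip": "192.0.2.30", "lat": 55.9533, "lon": -3.1883, "ok": False},      # two typos, then in
    {"user": "dave", "time": "2024-05-06T11:00:20Z", "ip": "192.0.2.30", "lat": 55.9533, "lon": -3.1883, "ok": False},
    {"user": "dave", "time": "2024-05-06T11:00:40Z", "ip": "192.0.2.30", "lat": 55.9533, "lon": -3.1883, "ok": True},
] + [
    {"user": "carol", "time": f"2024-05-06T10:0{i}:00Z", "ip": "198.51.100.99", "lat": 48.8566, "lon": 2.3522, "ok": False}
    for i in range(5)                                                                                    # five failures in four minutes...
] + [
    {"user": "carol", "time": "2024-05-06T10:05:30Z", "ip": "198.51.100.99", "lat": 48.8566, "lon": 2.3522, "ok": True},  # ...then a success
]


def parse_time(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def by_user(events: list) -> dict:
    """Group events per user, oldest first."""
    groups = {}
    for e in sorted(events, key=lambda e: parse_time(e["time"])):
        groups.setdefault(e["user"], []).append(e)
    return groups


def impossible_travel(events: list) -> list:
    """Consecutive successful sign-ins that imply travelling faster than an airliner."""
    alerts = []
    for user, evs in by_user(events).items():
        successes = [e for e in evs if e["ok"]]
        for prev, cur in zip(successes, successes[1:]):
            hours = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / hours if hours > 0 else float("inf")   # same instant, two places
            if km > MIN_DISTANCE_KM and speed > MAX_PLAUSIBLE_KMH:
                alerts.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(km), "kmh": round(speed) if speed != float("inf") else None})
    return alerts


def failure_bursts(events: list) -> list:
    """Runs of failed attempts inside the window, noting whether a success followed."""
    alerts = []
    for user, evs in by_user(events).items():
        run = []
        for e in evs + [None]:              # sentinel closes the final run
            if e is not None and not e["ok"]:
                run.append(e)
                continue
            if len(run) >= FAILURE_BURST:
                span = parse_time(run[-1]["time"]) - parse_time(run[0]["time"])
                if span <= FAILURE_WINDOW:
                    then_success = e is not None and \
                        parse_time(e["time"]) - parse_time(run[-1]["time"]) <= FAILURE_WINDOW
                    alerts.append({"user": user, "failures": len(run), "then_success": then_success})
            run = []
    return alerts


def analyse(events: list) -> dict:
    return {"impossible_travel": impossible_travel(events), "failure_bursts": failure_bursts(events)}


if __name__ == "__main__":
    print(json.dumps(analyse(SIGN_INS), indent=2))
```

Alice is flagged (London to New York in 43 minutes is about 7,800 km/h), Bob is not (Manchester to London over a working day), Dave's two typos are ignored, and Carol's five failures followed by a success within the window is the pattern to look at first: a guessed or sprayed password that eventually worked. None of this requires knowing what any of them were doing once signed in.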
Cloud app usage: Microsoft 365 and Google Workspace show which apps are being used and data being accessed. This helps detect anomalies without reading emails.
DLP alerts: Data loss prevention can alert when data matching a sensitive pattern (card numbers, customer records, files with a particular label) leaves the organisation, without blocking all data movement and without a person reading anyone's files.
The Bottom Line
Remote security isn’t about recreating the office perimeter at everyone’s home. That ship has sailed. It’s about:
- Strong identity verification (MFA everywhere)
- Protected devices (managed, encrypted, monitored for compliance)
- Secure access to resources (zero trust principles)
- Detection of anomalies (without invasive surveillance)
- Education and trust (people who understand security are better at it)
Do those things well, and your remote workforce can be as secure as - honestly, probably more secure than - people sitting in an office with a perimeter firewall and too many trusted network connections.
The businesses that figure out how to secure remote work without making it miserable will have a real advantage. The ones that either ignore security or crush flexibility will struggle.
Find the balance. It’s possible.