Endpoint Security for Remote and Hybrid Workers
Remote and hybrid workers use business devices outside the corporate network — connecting from home broadband, public Wi-Fi, and personal networks that lack the security controls of an office environment. Endpoint security must travel with the device, not rely on network perimeter controls.
Overview
Remote workers connect from networks outside corporate control — security must be device-centric, not network-dependent. Microsoft Intune manages devices remotely, Defender for Business provides endpoint protection wherever the device connects, and Conditional Access enforces MFA and device compliance regardless of location. 43% of UK businesses experienced a breach in 2025 (DSIT).
How Remote Working Changed the Security Model
Traditional IT security was designed around a clearly defined corporate perimeter — a managed network, a firewall at the boundary, and the assumption that devices inside the network were trusted. Remote and hybrid working has dismantled this model entirely. According to the ONS (Office for National Statistics, 2025), 28% of UK employees now work in a hybrid pattern, splitting time between home and the office. When employees work from home, coffee shops, or client sites, their devices connect from networks the business does not control and cannot manage. The old perimeter-based approach simply does not apply to a workforce that is rarely inside the perimeter.
As part of a broader cybersecurity strategy, securing remote and hybrid workers requires a fundamental shift in approach. Rather than trying to recreate the corporate perimeter for remote workers through VPN tunnels and extended network access, the more resilient approach — aligned with the zero trust security framework — is to apply security controls directly to the device and to every access request, regardless of network origin. This means the device carries its security posture wherever it connects, whether that is the office, a home broadband connection, or a hotel Wi-Fi network.
The scale of risk is significant. According to the DSIT Cyber Security Breaches Survey 2025, 43% of UK businesses experienced a cybersecurity breach or attack in the past twelve months. Remote and hybrid working patterns have expanded the attack surface for many of these businesses — more endpoints connecting from more networks, greater reliance on cloud services accessible from anywhere, and reduced visibility of employee behaviour outside the office environment.
The Remote Working Risk Landscape
Remote workers face a distinct set of security risks that office-based workers do not encounter to the same degree. Home broadband routers are rarely configured with security in mind — default administrator passwords are often unchanged, firmware updates are not applied, and the network is shared with personal devices, smart home equipment, and other family members' devices that may be compromised. Public Wi-Fi networks in coffee shops, hotels, and co-working spaces present additional risks, including the possibility of man-in-the-middle attacks and rogue access points designed to intercept traffic.
Phishing risk is also elevated for remote workers. In an office environment, employees benefit from informal security culture — they can turn to a colleague and ask whether an email looks suspicious. Remote workers lack this immediate social verification, making them more reliant on their own judgement and on technical controls to catch malicious emails. The isolation of remote working, combined with the blurring of personal and professional device use, creates an environment where phishing campaigns are more likely to succeed.
Data loss is another concern. Laptops used at home are more likely to be lost or stolen from a car, a coffee shop, or during travel. Without full disk encryption and remote wipe capability, a lost laptop can expose sensitive business data. The average cost of a data breach for UK organisations was £3.4 million (IBM Cost of a Data Breach Report, 2024), making device-level data protection essential rather than optional.
VPN vs Zero Trust Network Access (ZTNA)
Traditional VPNs create an encrypted tunnel between the remote device and the corporate network, effectively placing the remote worker inside the perimeter. While this approach works, it has significant limitations. A VPN grants broad network access — once connected, the remote user can typically reach most resources on the corporate network, which violates the principle of least privilege. VPNs also create a performance bottleneck, routing all traffic through the corporate network even when the user is accessing cloud services that do not require it.
Zero Trust Network Access (ZTNA) takes a different approach. Rather than placing the user on the network, ZTNA grants access to specific applications based on identity verification, device compliance, and contextual risk signals. Each access request is individually evaluated — there is no implicit trust based on network location. For businesses using Microsoft 365, Conditional Access policies provide ZTNA-like capability without requiring a separate ZTNA product, verifying identity, device compliance, and risk signals before granting access to each application.
For most UK SMEs using cloud-based applications, a full VPN is unnecessary for day-to-day remote work. Microsoft 365, Teams, SharePoint, and OneDrive are all cloud services accessible directly over the internet with proper authentication and Conditional Access. A VPN may still be needed for specific on-premises resources — internal databases, legacy applications, or file servers that have not been migrated to the cloud — but it should not be the primary remote access mechanism.
Device Management for Remote Workers
The foundation of remote worker endpoint security is device management. Microsoft Intune (included in M365 Business Premium) manages devices remotely — applying security configurations, deploying software and patches, enforcing compliance policies, and providing remote wipe capability — without requiring the device to be physically in the office or connected to the corporate network. Intune communicates with managed devices over the internet, so management capability is always available regardless of location.
Intune device compliance policies define minimum security requirements that every managed device must meet: a screen lock PIN or biometric, BitLocker full disk encryption, a minimum operating system version, active endpoint protection with current definitions, and no jailbroken or rooted status. Devices that do not meet these requirements are flagged as non-compliant and can be automatically blocked from accessing Microsoft 365 through Conditional Access policies until they are remediated. This ensures that only properly secured devices can access business data, regardless of where the user is working.
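The following is an added illustration of the compliance-policy logic described above; it is not Microsoft's code and not the Intune API. The policy fields, the thresholds (minimum OS build, definition age window) and the two device snapshots are all constructed for the example, so the point is the shape of the evaluation: every requirement is checked from the device's own reported state, and the outcome is a single compliant/non-compliant signal that a Conditional Access policy can consume.

```python
"""Toy model of an Intune-style device compliance evaluation.

Added illustration, not Microsoft's code and not the Intune
compliance-policy API; the policy fields, threshold values and device
snapshots below are all constructed for the example.
"""
from dataclasses import dataclass
from datetime import date

# Constructed policy mirroring the requirements listed in the text.
POLICY = {
    "require_screen_lock": True,
    "require_disk_encryption": True,       # BitLocker on Windows
    "min_os_version": (10, 0, 19045),      # assumed threshold, not a vendor baseline
    "require_av_active": True,
    "max_definition_age_days": 3,          # assumed freshness window
    "block_jailbroken": True,
}

# Fixed "today" so the example is reproducible offline.
TODAY = date(2025, 6, 1)


@dataclass
class DeviceSnapshot:
    """State a management agent would report for one device (constructed)."""
    name: str
    screen_lock: bool
    disk_encrypted: bool
    os_version: str
    av_active: bool
    definitions_updated: date
    jailbroken: bool


def parse_version(version: str) -> tuple:
    """'10.0.19045' -> (10, 0, 19045) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def compliance_failures(device: DeviceSnapshot, policy=POLICY, today=TODAY) -> list:
    """Return every requirement the device fails; an empty list means compliant."""
    failures = []
    if policy["require_screen_lock"] and not device.screen_lock:
        failures.append("screen lock not configured")
    if policy["require_disk_encryption"] and not device.disk_encrypted:
        failures.append("disk not encrypted")
    if parse_version(device.os_version) < policy["min_os_version"]:
        failures.append(f"OS {device.os_version} below minimum")
    if policy["require_av_active"] and not device.av_active:
        failures.append("endpoint protection inactive")
    age_days = (today - device.definitions_updated).days
    if age_days > policy["max_definition_age_days"]:
        failures.append(f"definitions {age_days} days old")
    if policy["block_jailbroken"] and device.jailbroken:
        failures.append("device jailbroken or rooted")
    return failures


def is_compliant(device: DeviceSnapshot, policy=POLICY, today=TODAY) -> bool:
    """The single signal Conditional Access would consume for this device."""
    return not compliance_failures(device, policy, today)


# Constructed sample devices: one managed laptop in good order, one that has
# slipped behind while working from home.
OFFICE_LAPTOP = DeviceSnapshot("LAPTOP-01", True, True, "10.0.19045", True, date(2025, 5, 31), False)
STALE_LAPTOP = DeviceSnapshot("LAPTOP-02", True, False, "10.0.19041", True, date(2025, 5, 20), False)

if __name__ == "__main__":
    for dev in (OFFICE_LAPTOP, STALE_LAPTOP):
        status = "compliant" if is_compliant(dev) else "NON-COMPLIANT"
        print(dev.name, status, compliance_failures(dev))
```

Returning the full list of failures rather than a bare boolean matters operationally: the user (or the helpdesk) needs to know which requirement to remediate before access is restored, and a stale-definitions failure and a missing-BitLocker failure call for very different responses.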
For businesses with mobile devices in the field, mobile device management extends these same controls to smartphones and tablets — enforcing encryption, managing application deployment, and enabling remote wipe if a device is lost or stolen.
BYOD: Managing Personal Devices
Bring Your Own Device (BYOD) policies allow employees to use personal devices for work, which is common in smaller businesses and hybrid working environments. BYOD introduces specific security challenges: the business does not own the device, cannot enforce full device management, and must balance security controls against employee privacy on a personal device.
Microsoft Intune supports two approaches to BYOD. Full device enrolment applies the same management policies as a corporate device — appropriate when the employee consents to full management. Mobile Application Management (MAM) takes a lighter approach, managing only the business applications and data on the device without enrolling the device itself. MAM policies can enforce encryption on business data, prevent copy-paste from business applications to personal ones, and enable selective wipe of business data without affecting personal content.
For most SMEs, a clear BYOD policy should define which approach is used, what data employees can access from personal devices, and what happens to business data when an employee leaves. Without a defined policy, employees will use personal devices for work regardless — it is better to manage this proactively than to discover unmanaged personal devices accessing business data after an incident.
Endpoint Protection That Travels with the Device
Microsoft Defender for Business provides endpoint detection and response (EDR) capability that operates regardless of which network the device is connected to. Defender for Business communicates with Microsoft's cloud security platform over the internet — so whether the device is in the office on the corporate network or at home on a broadband connection, protection and monitoring remain active and current.
This is fundamentally different from network-based security controls. A firewall at the office boundary provides no protection to a remote worker connecting directly to cloud services from their home network. Defender for Business running on the device provides continuous behavioural monitoring, threat detection, and automated containment regardless of location. Network protection features within Defender for Business also block connections to known malicious domains, providing a layer of web filtering that travels with the device rather than depending on a corporate DNS server.
Home Network Security Considerations
While the device-centric security approach means the home network itself is not the primary security concern, basic home network hygiene reduces risk. AMVIA recommends that remote workers take the following steps with their home networks:
- Change default router credentials — Default administrator passwords on home routers are publicly known and frequently exploited by attackers scanning for vulnerable devices
- Enable WPA3 or WPA2 encryption — Older encryption standards (WEP, WPA) are trivially breakable and should not be used
- Update router firmware — Home routers receive security updates that address known vulnerabilities, but these updates are rarely applied automatically
- Separate work and personal networks — Many modern routers support guest networks; using a separate network segment for work devices reduces exposure to compromised personal or IoT devices on the home network
These steps are not a substitute for device-level security controls, but they reduce the likelihood of the home network itself being used as an attack vector against business devices.
Conditional Access and Identity Security
For remote workers, identity is the new perimeter. If an attacker compromises a remote worker's credentials — through phishing, credential stuffing, or account takeover — those credentials may provide direct access to cloud applications from anywhere in the world. Multi-factor authentication (MFA) addresses this for direct account compromise, but Conditional Access adds additional context: verifying device compliance, checking for risky sign-in signals (such as impossible travel or sign-ins from known malicious IP addresses), and blocking legacy authentication protocols that do not support MFA.
AMVIA configures Conditional Access policies that require MFA for all access, require device compliance before granting access to sensitive applications, block access from legacy authentication protocols, and apply location-based restrictions where appropriate. These policies apply equally to office and remote workers, ensuring that security posture does not depend on which network the user happens to be connected to. Only 14% of UK businesses have a formal incident response plan (DSIT Cyber Security Breaches Survey 2025), which underscores the importance of preventive controls like Conditional Access that reduce the likelihood of incidents occurring in the first place.
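To make the per-request evaluation concrete, here is an added, simplified model of how the four controls above (MFA for everyone, compliant device for sensitive applications, no legacy authentication, location restrictions) combine on each sign-in. It is not Microsoft's implementation and not the Graph API policy schema; the policy set, application names, risk labels and sample sign-ins are constructed for the example. Note that the home or office network never enters the decision, which is the device-centric point the section makes.

```python
"""Simplified model of how Conditional Access combines signals per request.

Added illustration, not Microsoft's implementation and not the Graph API
policy schema; the policy set, app names, risk labels and sign-in records
are constructed for the example.
"""
from dataclasses import dataclass

# Constructed names; a real tenant would reference application IDs.
SENSITIVE_APPS = {"SharePoint", "Finance-App"}
ALLOWED_ADMIN_COUNTRIES = {"GB"}   # assumed location restriction for admin accounts


@dataclass
class SignIn:
    """Signals available when one access request arrives (constructed)."""
    user: str
    app: str
    client_app: str         # "modern" (supports MFA) or "legacy" (cannot)
    mfa_satisfied: bool
    device_compliant: bool  # the compliance signal from device management
    sign_in_risk: str       # "none", "medium" or "high"
    country: str
    is_admin: bool = False


# Each policy names who it applies to and either "block" or the set of
# controls that must all be satisfied. Mirrors the controls named in the text.
POLICIES = [
    {"name": "Block legacy authentication",
     "applies": lambda s: s.client_app == "legacy", "grant": "block"},
    {"name": "Require MFA for all users",
     "applies": lambda s: True, "grant": {"mfa"}},
    {"name": "Require compliant device for sensitive apps",
     "applies": lambda s: s.app in SENSITIVE_APPS, "grant": {"compliantDevice"}},
    {"name": "Block high-risk sign-ins",
     "applies": lambda s: s.sign_in_risk == "high", "grant": "block"},
    {"name": "Restrict admin sign-ins by location",
     "applies": lambda s: s.is_admin and s.country not in ALLOWED_ADMIN_COUNTRIES,
     "grant": "block"},
]


def evaluate(sign_in: SignIn, policies=POLICIES):
    """Return (decision, reasons). 'block' wins over everything else, 'deny'
    means a required control is unmet, 'grant' means every applicable policy
    passed. A request on an untrusted network with a good device and MFA is
    treated exactly like one from the office."""
    unmet = []
    for policy in policies:
        if not policy["applies"](sign_in):
            continue
        if policy["grant"] == "block":
            return "block", [policy["name"]]
        for control in policy["grant"]:
            if control == "mfa" and not sign_in.mfa_satisfied:
                unmet.append(f"{policy['name']}: MFA not satisfied")
            elif control == "compliantDevice" and not sign_in.device_compliant:
                unmet.append(f"{policy['name']}: device not compliant")
    return ("grant" if not unmet else "deny"), unmet


# Constructed sample requests.
HOME_MANAGED = SignIn("alice", "SharePoint", "modern", True, True, "none", "GB")
HOME_PERSONAL = SignIn("bob", "SharePoint", "modern", True, False, "none", "GB")
HOME_MAIL_ONLY = SignIn("bob", "Outlook", "modern", True, False, "none", "GB")
LEGACY_IMAP = SignIn("carol", "Outlook", "legacy", False, True, "none", "GB")
RISKY_TRAVEL = SignIn("alice", "Outlook", "modern", True, True, "high", "US")
ADMIN_ABROAD = SignIn("admin", "Outlook", "modern", True, True, "none", "US", is_admin=True)

if __name__ == "__main__":
    for req in (HOME_MANAGED, HOME_PERSONAL, HOME_MAIL_ONLY, LEGACY_IMAP, RISKY_TRAVEL, ADMIN_ABROAD):
        print(req.user, req.app, req.country, *evaluate(req))
```

Two behaviours are worth checking against your own tenant's policy design. First, a block policy must win even when it sits after a policy whose controls were satisfied, which is why the loop returns as soon as any applicable block matches. Second, the personal unmanaged device above is denied SharePoint but granted mail: if the business intends every M365 application to require a compliant or MAM-protected device, the "sensitive apps" scoping needs to be widened to all cloud apps, otherwise an unmanaged device still reaches some business data.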
Key Considerations for UK SMEs
- Ensure all remote worker devices are enrolled in Intune — unmanaged devices are the most common source of security incidents in hybrid environments
- Enforce MFA for all accounts — especially critical when users are connecting from home networks you do not control
- Enable BitLocker encryption on all laptops — a lost or stolen laptop from a home office or during travel must have its data protected
- Define a clear BYOD policy — if employees use personal devices, manage at minimum the business applications and data on those devices through MAM
- Evaluate whether a VPN is genuinely needed — for M365-based businesses, Conditional Access provides ZTNA-like protection without VPN complexity
- Configure network protection in Defender for Business — blocks connections to known malicious domains regardless of which DNS server the device uses
- Consider phishing simulation training — remote workers are more isolated and may be more susceptible to targeted phishing campaigns
How AMVIA Can Help
AMVIA secures remote and hybrid worker devices as part of its managed IT and cybersecurity services. We enrol all managed endpoints in Intune, configure Defender for Business with EDR capability, deploy Conditional Access policies, establish BYOD management policies, and manage endpoint security centrally — providing consistent protection regardless of where your team works. For businesses transitioning to hybrid working or expanding their remote workforce, AMVIA assesses your current endpoint security posture and implements the controls needed for secure remote working. Contact AMVIA on 0333 733 8050 to discuss your requirements.
Key Points
What UK businesses need to know about securing remote workers.
Network Perimeter Is Gone
Remote workers are not on the corporate network. Firewall and perimeter security tools do not protect devices that are not connected through them.
Device-Centric Security
Security must be applied to the device itself — endpoint protection, device management, encryption — not to the network the device happens to be on.
Conditional Access Enforces Compliance
Microsoft Conditional Access blocks non-compliant or unmanaged devices from accessing M365 — regardless of where the user is connecting from.
Phishing Risk Is Higher for Remote Workers
Remote workers are more isolated from informal security culture and may be more susceptible to phishing — making technical email security and training more important.
Remote Worker Security Checklist
- All remote worker devices enrolled in Intune — no unmanaged devices
- BitLocker encryption enforced on all laptops via Intune policy
- Defender for Business active and monitored on all remote endpoints
- MFA enforced for all Microsoft 365 accounts
- Conditional Access requires device compliance before M365 access
- Remote wipe procedure documented — staff know who to contact if a device is lost
Frequently Asked Questions
For most businesses using Microsoft 365, a traditional VPN is not necessary for day-to-day remote working. M365, Teams, SharePoint, and OneDrive are all cloud services accessible directly over the internet with authentication and Conditional Access. A VPN may still be needed for accessing specific on-premises resources — internal databases, legacy applications, or shared file servers that have not been migrated to the cloud. AMVIA assesses your specific application requirements and recommends the appropriate connectivity approach.
The device-centric security approach means the home Wi-Fi network itself is largely irrelevant — the device carries its security posture. Microsoft Defender for Business's network protection feature blocks connections to known malicious domains regardless of which network the device is on. BitLocker encryption protects data if the device is lost or stolen. Conditional Access ensures non-compliant devices cannot access corporate data. These controls apply regardless of the Wi-Fi network.
A managed, encrypted device with BitLocker should mean the data on it is inaccessible without the correct credentials. AMVIA's remote wipe capability via Intune allows us to wipe a stolen device remotely. The user's Microsoft 365 sessions should be revoked, and their password changed, to prevent the stolen credentials from being used independently. AMVIA's leaver and lost device procedure documents exactly these steps.
Secure Your Remote and Hybrid Team
AMVIA implements device-centric security for remote and hybrid workers — managing devices, enforcing endpoint protection, and configuring Conditional Access so your team is protected wherever they work.
Related Resources
Zero Trust Security for UK Businesses
The security framework designed for distributed work — never trust, always verify.
Managed Cybersecurity Services
AMVIA's complete managed security stack — including remote worker endpoint protection.
Managed Desktop Services
Centralised management of all devices — including remote worker laptops.
M365 Security for Hybrid Working
How Microsoft 365 Business Premium enables secure hybrid working for UK businesses.