Updated May 2026: This article was rewritten and refreshed for accuracy and relevance.

The Impact of Remote Work on Cybersecurity: How to Protect Your Distributed Workforce

A financial services firm discovered its breach six weeks after it happened. An employee working from a home network had clicked a credential-harvesting link in what appeared to be a Microsoft 365 password expiration notice. The attacker used the captured credentials to log in, move laterally through shared drives, and exfiltrate client records — all without triggering any alerts because the login came from a recognized account. The firm had MFA configured on some accounts. Not this one.

That scenario is not unusual. Remote work distributes your attack surface across every home office, coffee shop, and hotel network your employees connect from. The controls that protect a corporate environment — network segmentation, DNS filtering, monitored endpoints — don't follow users home by default. They have to be built in deliberately.

Where Remote Work Creates Exposure

Unsecured Networks

Home and public Wi-Fi networks are outside your control. A rogue access point or a compromised home router sees every DNS query and every connection the device makes, and can intercept or tamper with anything not protected by TLS. A VPN moves that traffic into an authenticated, encrypted tunnel to your network. A subtler risk: many organizations deploy split-tunnel VPN configurations to reduce bandwidth load, which means only traffic explicitly routed through the tunnel gets the tunnel's protection and inspection. Direct internet traffic, including access to cloud apps, goes straight out over whatever network the employee is on. It is still encrypted by each application's own TLS, but it bypasses your DNS filtering, logging, and traffic inspection entirely.

Unmanaged Devices

Personal devices used for work typically lack the security baseline applied to corporate endpoints: no EDR agent, no disk encryption policy, no enforced OS patch schedule, no visibility into what else is installed. When an employee's personal laptop is compromised — through an unrelated download, a family member's click, or an outdated browser — that compromise can pivot directly into company accounts and data.

Phishing and MFA Fatigue

Remote workers receive a higher volume of digital communications and have less ambient awareness of what's normal. Attackers exploit this with credential phishing, BEC, and pretexting campaigns. A specific pattern worth calling out: MFA fatigue attacks, where attackers who already have stolen credentials bombard an employee with push notification approval requests until the employee approves one to make the notifications stop. This defeats push-based MFA without any technical exploit: the control works exactly as designed, and the user is the one who approves the attacker's sign-in.

Shadow IT and Data Exposure

Remote employees who hit friction will find workarounds: personal Google Drive, Dropbox, or WeTransfer for large files; personal email for sending documents home; unapproved collaboration apps. Each of these moves company data outside governed systems with no visibility, retention enforcement, or access controls. HIPAA-covered entities and defense contractors subject to DFARS face direct compliance exposure from this pattern.

Controls That Address the Actual Risks

Endpoint Detection and Response (EDR)

Deploy an EDR agent — CrowdStrike Falcon, SentinelOne, or Microsoft Defender for Endpoint — on every device that accesses company systems, including personal devices enrolled through your MDM. EDR provides behavioral monitoring that catches lateral movement, credential dumping, and ransomware execution that signature-based antivirus misses. Pair this with Microsoft Intune or a comparable MDM to enforce disk encryption, OS patch compliance, and screen lock policies as conditions of network access.

VPN with DNS Filtering

Require VPN for access to internal systems, and audit your split-tunnel configuration to make sure cloud application traffic routes through the tunnel or is otherwise protected. Add DNS filtering — tools like Cisco Umbrella or DNSFilter — to block malicious domains at the resolver level before a connection is ever established. Because the lookup itself is refused, DNS filtering stops malware callbacks and blocks phishing domains before the user's browser ever reaches them. One check worth doing: confirm endpoints cannot sidestep the resolver. A browser with its own DNS-over-HTTPS setting will ignore a filtering resolver configured at the network level unless that setting is disabled or pointed at your provider.

MFA — and the Right Kind

Deploy MFA across all accounts, with no exceptions for "low-risk" users or legacy applications; legacy authentication protocols that cannot do MFA should be blocked, not exempted. For high-value accounts, move away from push-based approval toward phishing-resistant methods: FIDO2 hardware keys (YubiKey) or passkeys. These are not susceptible to MFA fatigue because there is no remote prompt to approve; the user touches a registered authenticator that is physically with them. And because the credential is bound to the site's origin, an attacker proxying the login page cannot replay it either. Where push approval has to stay for now, turn on number matching so that a blind tap is no longer enough to approve a sign-in. Configure Conditional Access policies in Microsoft Entra ID to require a compliant device and to block authentication attempts from unexpected geographies.

Role-Based Access Controls

Apply least-privilege access through role-based access control (RBAC). Employees should have access only to the systems and data their role requires — not broad read/write access to shared drives because it's convenient. Review access grants quarterly and revoke access immediately on role change or offboarding. Many breaches that start with a compromised remote employee escalate precisely because that account had more access than it needed.
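The quarterly review described above, as an added example that is not part of the original article and does not come from any identity product. The role matrix, HR feed, user names and entitlement strings are constructed for illustration; in practice the grants would be exported from the identity provider and file servers, and the HR feed from the HR system.

```python
"""Quarterly access recertification: compare live grants against the role
matrix and HR status, and list what to revoke. Added example with constructed
data; roles, systems and users are assumptions."""

# Assumption: the role matrix is the source of truth for what each role may hold.
ROLE_MATRIX = {
    "analyst": {"crm:read", "reports:read"},
    "account_manager": {"crm:read", "crm:write", "reports:read"},
    "finance": {"ledger:read", "ledger:write", "reports:read"},
}

# Constructed HR feed: user -> (current role, employment status).
HR = {
    "jdoe": ("analyst", "active"),
    "asmith": ("account_manager", "active"),
    "bchen": ("finance", "terminated"),
    "dlee": ("analyst", "active"),  # moved from account_manager last quarter
}

# Constructed grants as pulled from the identity provider and file servers.
GRANTS = {
    "jdoe": {"crm:read", "reports:read", "ledger:write"},      # ledger:write is outside the role
    "asmith": {"crm:read", "crm:write", "reports:read"},       # matches the matrix
    "bchen": {"ledger:read", "ledger:write", "reports:read"},  # terminated, still has access
    "dlee": {"crm:read", "crm:write", "reports:read"},         # crm:write left over from old role
    "svc-backup": {"ledger:read"},                             # no owner in HR at all
}


def review(grants=GRANTS, hr=HR, matrix=ROLE_MATRIX):
    """Return {user: {"revoke": set_of_grants, "reason": text}} for every grant
    that the review says should go. Users with nothing to revoke are absent."""
    findings = {}
    for user, held in grants.items():
        if user not in hr:
            # Orphaned or service account: nobody in HR owns it, so everything
            # it holds needs an owner assigned or the access removed.
            findings[user] = {"revoke": set(held), "reason": "no owner in HR feed"}
            continue
        role, status = hr[user]
        if status != "active":
            # Offboarding: all access goes, regardless of role.
            findings[user] = {"revoke": set(held), "reason": status}
            continue
        excess = held - matrix.get(role, set())
        if excess:
            # Role change or ad hoc grant: keep only what the current role allows.
            findings[user] = {"revoke": excess, "reason": f"exceeds role '{role}'"}
    return findings


def summary(findings):
    """Count grants to revoke across all findings, for the review report."""
    return sum(len(f["revoke"]) for f in findings.values())


if __name__ == "__main__":
    result = review()
    for user, finding in sorted(result.items()):
        print(f"{user:12s} revoke {sorted(finding['revoke'])} ({finding['reason']})")
    print(f"{summary(result)} grants to revoke")
```

The three branches map to the three causes the paragraph names: an account with no owner, an account that should have been offboarded, and an active account holding more than its current role allows. Running the review from the role matrix rather than from a list of "who looks suspicious" is what makes the result defensible to an auditor.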

Security Monitoring and Incident Response

A SIEM — Microsoft Sentinel, Splunk, or a managed SOC — aggregates logs from endpoints, identity providers, and cloud applications to surface anomalies: impossible travel, off-hours logins, bulk file downloads. Without centralized logging, remote workforce activity is largely invisible until after a breach is discovered. Update your incident response plan to include remote-specific scenarios (an account compromised outside business hours, a lost or stolen laptop, a compromised home router), and test it — a plan that hasn't been exercised will fail under pressure.
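The detections listed above (impossible travel, off-hours sign-ins, bulk downloads), together with the MFA fatigue pattern from earlier in the article, as an added example in Python. It is not part of the original article and is not taken from Sentinel, Splunk or any other product. Everything in it is constructed: the event tuples, the thresholds (900 km/h, a 22:00 to 06:00 quiet window, three push denials in ten minutes, fifty downloads in fifteen minutes) and the fixed UTC-4 offset are assumptions to be replaced with your own log schema and per-user baselines.

```python
"""Anomaly rules of the kind a SIEM or UEBA layer runs over sign-in and
file-activity logs. Added example with constructed events; field layout,
thresholds and the local time zone are assumptions, not any vendor's schema."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumption: the business runs on US Eastern time (UTC-4 in April). A real
# deployment would use each user's configured time zone instead.
LOCAL_OFFSET = timedelta(hours=-4)


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _iso(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed sign-in events: (user, utc_time, result, city, lat, lon).
# jdoe: four push denials then a success from an unfamiliar location.
# asmith: New York, then Lagos ninety minutes later.
SIGNINS = [
    ("jdoe", "2026-04-02T01:55:00Z", "mfa_denied", "Unknown", 55.75, 37.62),
    ("jdoe", "2026-04-02T01:56:00Z", "mfa_denied", "Unknown", 55.75, 37.62),
    ("jdoe", "2026-04-02T01:57:00Z", "mfa_denied", "Unknown", 55.75, 37.62),
    ("jdoe", "2026-04-02T01:58:00Z", "mfa_denied", "Unknown", 55.75, 37.62),
    ("jdoe", "2026-04-02T02:01:00Z", "success", "Unknown", 55.75, 37.62),
    ("asmith", "2026-04-02T13:00:00Z", "success", "New York", 40.71, -74.01),
    ("asmith", "2026-04-02T14:30:00Z", "success", "Lagos", 6.52, 3.38),
    ("bchen", "2026-04-02T15:00:00Z", "success", "Newark", 40.74, -74.17),
]

# Constructed file events: (user, utc_time, action). Sixty downloads in twelve
# minutes by the account that just got through the push storm; five by bchen.
_T0 = parse_ts("2026-04-02T02:05:00Z")
FILE_EVENTS = [("jdoe", _iso(_T0 + timedelta(seconds=12 * i)), "download") for i in range(60)]
FILE_EVENTS += [("bchen", _iso(_T0 + timedelta(minutes=i)), "download") for i in range(5)]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 6371.0 * 2 * asin(sqrt(a))


def _by_user(events, result=None):
    """Group events by user in time order, optionally keeping only one result/action."""
    grouped = defaultdict(list)
    for ev in events:
        if result is None or ev[2] == result:
            grouped[ev[0]].append(ev)
    for evs in grouped.values():
        evs.sort(key=lambda e: parse_ts(e[1]))
    return grouped


def impossible_travel(signins, max_kmh=900):
    """Flag consecutive successful sign-ins that imply travel faster than max_kmh."""
    hits = []
    for user, evs in _by_user(signins, "success").items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev[4], prev[5], cur[4], cur[5])
            hours = (parse_ts(cur[1]) - parse_ts(prev[1])).total_seconds() / 3600
            if hours > 0 and km / hours > max_kmh:
                hits.append((user, f"{prev[3]} -> {cur[3]} in {hours:.1f}h ({km:.0f} km)"))
    return hits


def off_hours(signins, start_hour=22, end_hour=6):
    """Flag successful sign-ins inside the local quiet window [start_hour, end_hour)."""
    hits = []
    for user, t, result, *_ in signins:
        if result != "success":
            continue
        local_hour = (parse_ts(t) + LOCAL_OFFSET).hour
        if local_hour >= start_hour or local_hour < end_hour:
            hits.append((user, f"sign-in at {local_hour:02d}:xx local"))
    return hits


def mfa_fatigue(signins, window=timedelta(minutes=10), min_denials=3):
    """Flag a success preceded by at least min_denials push denials/timeouts in the window."""
    hits = []
    for user, evs in _by_user(signins).items():
        for i, ev in enumerate(evs):
            if ev[2] != "success":
                continue
            t = parse_ts(ev[1])
            denials = [e for e in evs[:i]
                       if e[2] in ("mfa_denied", "mfa_timeout") and t - parse_ts(e[1]) <= window]
            if len(denials) >= min_denials:
                hits.append((user, f"{len(denials)} push denials before success at {ev[1]}"))
    return hits


def bulk_download(file_events, window=timedelta(minutes=15), threshold=50):
    """Flag a user with at least threshold downloads inside any sliding window."""
    hits = []
    for user, evs in _by_user(file_events, "download").items():
        times = [parse_ts(e[1]) for e in evs]
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits.append((user, f"{hi - lo + 1} downloads within {window}"))
                break
    return hits


def run_rules(signins=SIGNINS, file_events=FILE_EVENTS):
    """Run every rule and return {rule_name: sorted list of flagged users}."""
    return {
        "impossible_travel": sorted({u for u, _ in impossible_travel(signins)}),
        "off_hours": sorted({u for u, _ in off_hours(signins)}),
        "mfa_fatigue": sorted({u for u, _ in mfa_fatigue(signins)}),
        "bulk_download": sorted({u for u, _ in bulk_download(file_events)}),
    }


if __name__ == "__main__":
    for rule, users in run_rules().items():
        print(f"{rule:18s} {users}")
```

Each rule returns the user plus a short reason so the output can feed a ticket or an incident record. Note what the sample shows: the jdoe account trips three rules in a row (push storm, off-hours success, bulk download), which is the signal a UEBA layer correlates into one incident rather than three low-priority alerts. The fatigue rule counts timeouts as well as explicit denials because an employee who simply ignores the prompts produces timeouts, not denials.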

Security Awareness Training

Run phishing simulations through platforms like KnowBe4 or Proofpoint Security Awareness on a monthly or quarterly cadence. Track click rates by department and use the data to target training where it's actually needed. Cover MFA fatigue specifically — most employees don't know the attack exists, which means they have no frame of reference when it happens to them.

Compliance Considerations for Remote Environments

If your organization handles protected health information, HIPAA's Security Rule requires access controls, audit controls, and transmission security for ePHI — all of which apply to remote access scenarios. SOC 2 CC6.6 addresses logical access security against threats from outside the system boundary, which is exactly where remote access sits. CMMC Level 1 requires basic identification and authentication controls (IA.L1-3.5.1, IA.L1-3.5.2) that apply to any user accessing covered systems, regardless of location. If your remote workforce includes employees handling CUI or ePHI, those requirements don't relax because the work happens at home.

Stratify IT works with organizations across the NYC metro area to design and manage security infrastructure for distributed workforces — EDR deployment, MDM enrollment, SIEM configuration, and compliance-aligned access controls. Contact us to talk through where your remote environment has gaps and what it would take to close them.

Learn more about our cybersecurity services to see the full range of what we offer.

Stratify IT — remote workforce security built around your business, not a template.

Frequently Asked Questions

We require MFA, so how did an account end up without it?

The gap is almost always in the enrollment process, not the policy itself. Conditional Access policies in Entra ID (formerly Azure AD) or Okta let you require MFA on every sign-in, so an account that has not registered is forced through registration, or blocked, the next time it authenticates, rather than left to register when convenient. A one-time audit to flag every account without MFA enrolled, followed by a hard cutoff date, closes most of the gap. Service accounts and shared mailboxes are usually where the stragglers hide.

Our VPN is split-tunnel. How much of a problem is that, and do we need to fix it?

The risk is that employees accessing SaaS tools like Salesforce, Dropbox, or personal email bypass your DNS filtering and traffic inspection entirely when split-tunneling is active. Whether to fix it depends on what you're protecting. For most SMBs, routing all traffic through the tunnel adds latency and cost without proportional benefit. A better middle ground is an endpoint agent from a DNS-filtering service (the Cisco Umbrella roaming client, or Cloudflare WARP in front of Cloudflare Gateway) that pins the device's DNS resolution to the filtering resolver, so filtering applies regardless of VPN state.

Can we eliminate the risk from employees using personal devices?

You can reduce it, but rarely eliminate it. A more practical approach is requiring personal devices to enroll in a mobile device management platform like Microsoft Intune before accessing company resources. This lets you enforce minimum security baselines — screen lock, OS version, encryption — without taking control of the whole device. Conditional Access policies can then block unmanaged devices from reaching email or internal apps, which changes the calculus for employees who prefer convenience.

How long does an attacker typically sit in an environment before being detected?

Industry reporting from CrowdStrike and Mandiant has for years put dwell time in the range of weeks to months in environments with no behavioral detection in place. The financial services example in this article — six weeks — is on the shorter end. What shortens the window is user and entity behavior analytics (UEBA) that flags anomalies like a single account accessing an unusual volume of shared folders at 2 a.m., not just known malware signatures. Microsoft Sentinel and Securonix both offer this capability at scale.

What should we do first if a remote employee's account is compromised?

Contain first: reset the compromised account's password, revoke its refresh tokens and active sessions, remove any MFA methods or application consents the attacker registered, isolate any endpoints it touched, and preserve logs before they roll over. Then scope the damage — which systems it authenticated to, what data was accessed, and whether any persistence mechanisms (mailbox forwarding rules, new MFA devices, OAuth app grants) were dropped. Notification timelines matter here; depending on your industry and the data types involved, HIPAA or state breach notification laws may require disclosure within 60 days or less. Bring in a forensics team before reimaging anything, or you'll lose the evidence chain.

We're fully cloud-based. Do we still need a VPN at all?

For most cloud-native environments, a traditional VPN protecting on-premises infrastructure is less relevant than it once was. But that doesn't mean you need nothing. Zero Trust Network Access (ZTNA) tools like Zscaler Private Access or Cloudflare Access replace the VPN tunnel with identity-aware, application-specific access controls — users reach only the specific apps they're authorized for, not the broader network. If you've already moved off on-prem servers and don't have legacy systems, ZTNA is the more sensible direction than maintaining a VPN infrastructure.

Nibelka Ventura

Nibelka leads Stratify IT's administrative and technical functions with over 20 years of client service leadership. She excels in delivering front-line support and coordinating service responses across all specializations. As the central point of communication, Nibelka ensures that client needs are met with precision. As a cybersecurity and compliance expert, she integrates critical security measures and compliance standards into every client interaction. Her dedication to building strong business relationships is a hallmark of Stratify IT's exceptional service.