The infrastructure remote working actually depends on

Most conversations about remote working IT focus on the visible layer: laptops, video calls, a VPN. The underlying dependency chain is more involved than that, and understanding it is what separates a setup that works from one that works until it doesn't.

The four pillars are identity, devices, connectivity and applications – with security controls layered across all of them.

Identity determines who can access what. It's the foundation everything else rests on. Without strong identity controls, every other layer is weakened. That means enforced multi-factor authentication, centralised user management and a clear process for provisioning and deprovisioning access when people join or leave.

Devices are the endpoints from which your people work. Whether those devices are company-owned and managed, or personal and unmanaged, changes the security posture of your entire remote working setup. Unmanaged devices are the most common gap we see – and the one most likely to create a compliance problem.

Connectivity is the pipe. Consumer broadband is adequate for most tasks but carries no service guarantees, limited upload capacity and no business-grade SLA. For most remote workers it's sufficient; for a handful of roles it isn't, and knowing which is which matters.

Applications sit on top of all three. Cloud-hosted applications like Microsoft 365 behave differently to on-premise systems accessed over VPN – and the security model is different too. How your applications are accessed, and what controls exist at the point of access, determines how much the other three pillars actually protect you.

Device management: company-owned vs BYOD

The shift to remote working accelerated bring-your-own-device (BYOD) adoption at many businesses – sometimes as a deliberate policy, often as an expedient that never got revisited. The security and compliance implications are significant.

A managed device – enrolled in Microsoft Intune or another mobile device management (MDM) platform – gives your IT team or MSP visibility and control. You can enforce disk encryption, require OS updates, deploy endpoint protection, and revoke access remotely if a device is lost or an employee leaves. You can also use device compliance status as a condition of access: a device that isn't enrolled, patched or correctly configured gets blocked before it reaches your systems.

A personal device gives you none of that. You don't know whether it's running antivirus. You don't know whether it's patched. You can't wipe it. You can't enforce configuration. And if an employee leaves – or takes data they shouldn't – your options are limited.

BYOD also creates problems for Cyber Essentials certification and cyber insurance. Insurers increasingly ask whether personal devices can access corporate systems – and the answer "yes, but we have a policy" rarely satisfies underwriters who want to see technical controls, not documentation.

The practical middle ground, for businesses that can't or won't provide company hardware to every remote worker, is a minimum-security-standard policy for personal devices – with technical enforcement. That means conditional access policies that check device compliance before granting access, even for personal devices. It's achievable within Microsoft 365; it requires some architecture work to set up correctly.

Secure remote access: VPN vs zero trust

Traditional VPN works by placing the remote user inside the network perimeter. Once connected, they can typically access everything on that network, just as if they were sitting in the office. That made sense when most applications lived on-premise. It makes less sense now.

The problems with VPN for distributed workforces are well-documented. Performance degrades as more users connect simultaneously. The network perimeter being extended to users' homes means that a compromised home machine can become a vector into the corporate network. And flat-network access – where a VPN user can reach most internal systems – means a single compromised account can move laterally with relatively little friction.

Zero trust access takes a different approach: rather than placing the user inside the network, it grants access to specific applications only, based on verified identity and device health at the point of each request. The user never touches the broader network – they only reach the application they're authorised to use.

A full zero trust network access (ZTNA) deployment is a significant project. But for most SMEs running Microsoft 365, the entry point is Conditional Access in Entra ID – and it doesn't require replacing your VPN overnight. Conditional Access lets you define the conditions under which access to cloud applications is granted: MFA required, device must be compliant, sign-in must come from an expected location. That's meaningful zero trust behaviour, implemented incrementally, using tooling you may already be licensed for.
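The incremental route described above, as an added example that is not part of the original article: a Conditional Access policy created through the Microsoft Graph PowerShell SDK that requires both MFA and an Intune-compliant device for every cloud application, deployed in report-only mode first so sign-in logs show its impact before anyone is blocked. The break-glass group ID and policy name are placeholders.

```powershell
# Added example (not from the original article). Requires the Microsoft.Graph
# PowerShell SDK and an account allowed to manage Conditional Access.
# Placeholder: object ID of your emergency-access ("break-glass") group, which
# must be excluded so a misconfigured policy cannot lock every admin out.
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName   = 'Remote access: require MFA and compliant device'
    # Report-only: evaluated and logged, but not enforced. Review the
    # Conditional Access insights for a few weeks, then change to 'enabled'.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($BreakGlassGroupId)
        }
        # 'All' cloud apps, so an unmanaged personal device is stopped at the
        # identity layer regardless of which application it tries to open.
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        # Location restrictions ("sign-in must come from an expected location")
        # are a separate 'locations' condition keyed on named-location IDs;
        # they are deliberately omitted here so the device check applies everywhere.
    }
    grantControls = @{
        operator        = 'AND'                     # both controls must pass
        builtInControls = @('mfa', 'compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state '$($created.State)'"

# Read back the tenant's policies so the new one can be seen alongside the rest.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State |
    Sort-Object State, DisplayName
```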

Microsoft 365 and Teams configuration

"We use Teams" and "Teams is configured correctly" are different statements. Most Microsoft 365 deployments are partially configured – enough for the tools to work, but not enough to be secure or compliant. The gap between the two is where data leaks and compliance issues originate.

A properly configured Microsoft 365 environment means:

Default Microsoft 365 settings are generous. External sharing is often enabled broadly. Guest access defaults allow more than most businesses realise. Admin roles are sometimes assigned because it was easier than working out the right scoped role. None of this is a Microsoft failing – defaults have to work for everyone – but they're not appropriate for a business with real data protection obligations.

Configuration review isn't a one-time task either. Settings drift as new features are released, as tenants grow and as staff change. A periodic review – annually at minimum – catches the accumulation of permissive settings before they become a problem.
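A starting point for the periodic review, as an added example that is not part of the original article: a read-only PowerShell snapshot of the tenant settings the two paragraphs above single out (guest invitation and guest permission defaults, Global Administrator count, and the tenant-wide SharePoint sharing level). It assumes the Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell modules; the tenant name is a placeholder and the threshold of four Global Administrators is a chosen review value, not a scheme requirement.

```powershell
# Added example (not from the original article). Read-only; changes nothing.
$TenantName = 'contoso'   # placeholder: your tenant's short name

Connect-MgGraph -Scopes 'Policy.Read.All', 'RoleManagement.Read.Directory', 'User.Read.All'
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

$findings = @()

# 1. Guest access defaults: who may invite guests, and what guests can see once in.
$authz = Get-MgPolicyAuthorizationPolicy
if ($authz.AllowInvitesFrom -eq 'everyone') {
    $findings += 'Anyone, including existing guests, can invite new guests; limit to admins and guest inviters.'
}
# This role ID is the "guests have the same access as members" setting,
# which lets a guest enumerate users, groups and other directory objects.
if ($authz.GuestUserRoleId -eq 'a0b1b346-4d3e-4e8b-98f8-753987be4970') {
    $findings += 'Guests have member-level directory permissions; use the restricted guest role.'
}

# 2. Admin role sprawl: Global Administrator is the role most often over-assigned.
$gaRole    = Get-MgDirectoryRole -Filter "roleTemplateId eq '62e90394-69f5-4237-9190-012177145e10'"
$gaMembers = @(Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id)
if ($gaMembers.Count -gt 4) {   # review threshold chosen for this example
    $findings += "$($gaMembers.Count) Global Administrators; move day-to-day admins to scoped roles."
}

# 3. External sharing: 'ExternalUserAndGuestSharing' permits anonymous "Anyone" links.
$spo = Get-SPOTenant
if ($spo.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    $findings += 'Anonymous sharing links are allowed tenant-wide; consider ExternalUserSharingOnly.'
}

# 4. Guest account count, recorded as a trend figure to compare review to review.
$guestCount = @(Get-MgUser -Filter "userType eq 'Guest'" -All).Count
Write-Output "Guest accounts in tenant: $guestCount"

if ($findings.Count -eq 0) {
    Write-Output 'No permissive settings found in the checked items.'
} else {
    Write-Output "Findings ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Run it on a schedule and keep each run's output; the value of the review is in the comparison with the previous one, which is where drift shows up.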

Home broadband and business connectivity

Consumer broadband is a shared, contended service. Your remote worker's upload speed – the direction that matters most for video calls and cloud application use – is typically far lower than the advertised download figure. There's no SLA. If the line goes down, it goes down.

For most roles, this is an acceptable trade-off. Video calls work adequately on most consumer connections. Cloud applications are accessible. The occasional outage is an inconvenience, not a crisis.

For some roles it isn't adequate. If someone is hosting frequent video calls, working with large files, or needs genuinely reliable connectivity for client-facing work, a business broadband connection is worth specifying. Business broadband typically offers better upload speeds, a committed information rate and a fault resolution SLA that consumer ISPs don't provide. A 4G or 5G backup connection – either a separate SIM or a router with built-in failover – provides resilience for the most critical roles at modest cost.

It's also worth being realistic about what IT can manage on consumer ISP infrastructure. Your IT team or MSP cannot manage someone's home router, cannot enforce the network configuration, and cannot troubleshoot ISP faults. The boundary of managed IT stops at the device. Clarity about that boundary – in your remote working policy and in user expectations – avoids a lot of frustration when home broadband misbehaves.

Cyber Essentials and BYOD: the scope challenge

Cyber Essentials is a UK government-backed cybersecurity certification built around five technical controls. One of those controls – user access control – requires that all devices that can access in-scope systems meet defined security requirements. That's where BYOD creates a genuine compliance challenge.

If a personal device can access corporate email, SharePoint or any business application, it's in scope for Cyber Essentials. Being in scope means you're required to demonstrate that the device meets the scheme's requirements: operating system patched, software up to date, endpoint protection active. On a device you don't own or manage, that's hard to demonstrate and harder to enforce.

There are three realistic options:

Enrol personal devices in MDM. This gives you the visibility and control to demonstrate compliance. It's technically straightforward but often politically difficult – employees are understandably reluctant to give an employer management access to a personal device. A clear written policy about exactly what is and isn't managed on the personal device is essential if this route is chosen.

Restrict access so personal devices can't reach in-scope systems. If personal devices can only access systems that are out of Cyber Essentials scope, the problem goes away. This requires architecture work – typically using Conditional Access to enforce that only compliant, enrolled devices can reach corporate applications – and it means your people need either a company device or a way to access what they need from a managed machine.

Accept the scope complexity and document the controls. Some businesses work through Cyber Essentials certification with BYOD in scope, using a combination of policy documentation, user training and technical controls they can demonstrate on personal devices (such as screen lock enforcement or app-level MDM rather than full device management). This is achievable but requires a thorough understanding of what the scheme actually requires and an honest assessment of what can be evidenced.

Which route is right depends on the size of your team, the nature of the work and the appetite for change. There isn't a universal answer – but there is a right answer for your specific situation, and arriving at it requires understanding the scope question clearly before the certification assessment begins.

Not confident your remote working setup is secure and properly configured? Route B can review your current arrangement and close the gaps.
