
Securing the remote workforce: Zero Trust applied to BYOD, VPN, and cloud access

The expanding remote access attack surface

Over the last decade, remote work has increased significantly. The US Bureau of Labor Statistics stated in 2025 that 34 million American workers work from home. While remote work offers flexibility for employees, it also broadens the attack surface.

Varying methods of remote access to company resources pose new security risks, allowing attackers to choose from several targets on a widened attack surface. Home networks, personal devices, cloud portals, and remote access services are all trust boundaries for adversaries to target.  

Securing a remote workforce requires a layered strategy rather than simply perimeter-based defenses.

Methods of remote access

Organizations enable remote work through several access mechanisms, each introducing distinct risk considerations.  

Many companies implement Bring Your Own Device (BYOD) policies, allowing employees to access corporate resources from personal laptops, tablets, or smartphones. While convenient, this approach shifts part of the security responsibility to devices and networks that are rarely hardened to enterprise standards.

Virtual Private Network (VPN) tunneling provides direct access to internal corporate networks and hosted resources, effectively extending the perimeter to remote users. Similarly, company web portals offer browser-based access to internal applications and data.  

Cloud-based file-sharing services facilitate collaboration but may expose sensitive data if access controls are misconfigured. Additionally, Remote Desktop Protocol (RDP) enables direct connections to internal machines, which attackers frequently exploit when improperly secured.

Each of these access methods represents a potential entry point for adversaries seeking to compromise credentials, intercept sessions, or exploit remote services.

Threat actors' common tactics, techniques, and procedures

Threat actors targeting remote work environments frequently abuse trusted relationships between users and enterprise systems. Phishing campaigns remain a primary initial access vector, harvesting credentials or session tokens that provide direct access to SaaS applications and VPN gateways.

Attackers also exploit exposed remote services such as VPN appliances and RDP endpoints, particularly when vulnerabilities remain unpatched. Multi-factor authentication (MFA) interception techniques, including adversary-in-the-middle (AitM) phishing and MFA fatigue attacks, allow adversaries to bypass traditional authentication controls.  

Once inside, threat actors often pursue data exfiltration, ransomware deployment, or destructive actions to maximize operational and financial impact.

Risks of remote work and their business impact

While remote work may have increased productivity for employees, it also increased risk for organizations.  

BYOD policies depend on both the physical and network-based security of personal devices connected to personal networks. If these systems are compromised, sensitive company resources may be accessed and/or copied to insecure devices and environments.

Remote employees are also more susceptible to phishing and social engineering campaigns.  

Although insider threats can be intentionally malicious, they often consist of well-meaning employees whose everyday practices are insecure and who open significant attack vectors by accident.

Compromised endpoints or users can effectively provide attackers with a direct bridge into internal systems, increasing the likelihood of large-scale data exposure.  

Zero Trust mitigations for remote work risks

Zero Trust-based workflows for remote work assume that external networks and devices are compromised and use a combination of access control, data encryption, and continuous monitoring to prevent and detect unauthorized access to company resources.  

BYOD policies

Companies that practice BYOD may choose to enforce security policies to prevent compromise through these devices and only allow access to corporate resources from personal devices that meet these requirements.  

Outdated or vulnerable operating systems, native applications, and security patches would need to be updated before being permitted for use.  

Antivirus and EDR solutions may be used to detect and prevent attacks, and secure enclaves can provide isolated, encrypted workspaces for accessing sensitive data and executing proprietary applications on personal devices.  

Drawbacks: Despite these controls, personal devices and networks are rarely secured to corporate levels and will always stand a greater chance of being targeted by attackers, putting internal company networks at risk.

Access control

Initial authentication to a remotely available network is the first line of defense for securing sensitive data, and it must combine multiple ways of verification to successfully authenticate a user.

MFA should always be required, and the intensity should depend on the sensitivity of the data being accessed as well as a company’s risk appetite.

Push notifications and constantly rotating codes from third-party authenticator apps require a second factor to complete login. Physical security keys such as FIDO2 authenticators add another layer of security, often requiring biometrics that are difficult to bypass.

SMS codes have been used in the past, but they can be intercepted and are no longer considered secure. Privileged access management (PAM) solutions can enforce just-in-time access and session recording to prevent privilege misuse.

Login metadata such as geolocation, local time, and anomalous behavior should be evaluated and enforced before remote devices are permitted to connect. Lockout policies can also stop rudimentary volume-based attacks from forcing their way into a secure network.
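The BYOD baseline and the access-control rules above can be combined into a single policy decision. The following is an added illustration, not code from the original post or from any product; the thresholds, MFA strength ranking, and working-hours window are constructed assumptions, and the decision outcomes (allow, step up to a stronger factor, deny) are placeholders for whatever an organization's identity provider enforces.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy constants; illustrative assumptions, not settings
# taken from any particular product.
LOCKOUT_THRESHOLD = 5                      # failures before lockout
MFA_STRENGTH = {"fido2": 3, "push": 2, "totp": 2, "sms": 0}
WORK_HOURS = range(6, 23)                  # 06:00-22:59 local time

@dataclass
class LoginAttempt:
    country: str            # geolocation derived from source IP
    local_hour: int         # user's local time, 0-23
    mfa_method: Optional[str]
    os_patched: bool        # BYOD baseline: current OS and patches
    edr_running: bool       # BYOD baseline: EDR/antivirus active
    data_sensitivity: str   # "low" or "high"

@dataclass
class UserProfile:
    usual_countries: set = field(default_factory=set)
    failed_attempts: int = 0

def evaluate(attempt: LoginAttempt, profile: UserProfile):
    """Return (decision, reasons): 'allow', 'step_up' or 'deny'."""
    if profile.failed_attempts >= LOCKOUT_THRESHOLD:
        return "deny", ["lockout: repeated failed logins"]
    if not (attempt.os_patched and attempt.edr_running):
        return "deny", ["device posture below BYOD baseline"]
    strength = MFA_STRENGTH.get(attempt.mfa_method, 0)
    if strength == 0:   # no MFA, or SMS, which is interceptable
        return "deny", ["MFA missing or not considered secure"]
    # High-sensitivity data requires a phishing-resistant factor.
    required = 3 if attempt.data_sensitivity == "high" else 2
    anomalies = []
    if attempt.country not in profile.usual_countries:
        anomalies.append("unfamiliar geolocation")
    if attempt.local_hour not in WORK_HOURS:
        anomalies.append("outside usual hours")
    if strength < required:
        return "step_up", ["sensitivity requires FIDO2"] + anomalies
    if anomalies and strength < 3:
        return "step_up", anomalies   # re-verify with a stronger factor
    return "allow", anomalies         # anomalies still logged for monitoring

def record_failure(profile: UserProfile) -> int:
    """Count a failed attempt; lockout triggers at LOCKOUT_THRESHOLD."""
    profile.failed_attempts += 1
    return profile.failed_attempts
```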

Drawbacks: MFA requirements can be tedious to an end user and may still be attacked by methods such as MFA bombing or adversary-in-the-middle token theft.  

Taking login metadata, such as geolocation and local time, into account may decrease availability to employees that access resources in widely different ways.  

Applying layered security measures needs significant user training and may encourage some employees to seek workarounds to policies that put data at risk.

Continuous monitoring and least privilege

Activity by authenticated devices should still be viewed from a Zero Trust viewpoint and closely monitored for suspicious activity. Active sessions can be limited by least privilege principles to restrict access to only what is needed.

Secure Web Gateways can intercept, decrypt, and analyze web traffic from remote devices, helping to detect malicious communications. Reserving the ability to abruptly disconnect a remote session allows attacks to be stopped quickly, preventing data loss.

Drawbacks: Monitoring for suspicious activity can be automated to some degree but always requires some level of human management in policy creation and fine-tuning. Large-scale networks often require dedicated teams, and monitoring will still affect data accessibility.

End-to-end encryption

Accessing company resources from untrusted networks may allow sensitive traffic to be intercepted and stolen by attackers, so communication and data should be robustly encrypted both in transit and at rest.

Drawbacks: Encryption does not prevent the capture of that data, and encryption methods are only effective as long as decryption remains infeasible. As new standards and new decryption capabilities are constantly emerging, deployments are often left running on outdated standards.

Securing remote workforces without sacrificing productivity

Several measures can secure remote access to an enterprise network, but none is sufficient on its own. Proper protection combines layered controls, and every solution comes with its own form of user friction.

Adding a sufficiently secure method of remote access to a network must be carefully planned and implemented to prevent data loss and theft.

A properly implemented Zero Trust framework acknowledges that remote devices, networks, and identities may already be compromised and builds controls accordingly. By shifting from perimeter-based trust to continuous verification, organizations can reduce risk while sustaining flexible work environments.

FAQs

Why is remote work more vulnerable to cyberattacks?
Remote work expands the attack surface by introducing personal devices, home networks, cloud portals, and remote access services that may not meet enterprise security standards.

Is MFA enough to secure remote access?
No. While MFA significantly improves security, advanced techniques such as MFA fatigue and adversary-in-the-middle phishing can bypass traditional MFA. Additional contextual and behavioral controls are necessary.

What is the biggest risk of BYOD policies?
Personal devices and home networks typically lack corporate-level protections, making them attractive targets for attackers seeking indirect access to enterprise environments.

How does Zero Trust improve remote workforce security?
Zero Trust assumes compromise and continuously verifies identity, device posture, and session behavior. It limits access through least privilege principles and monitors activity throughout the session lifecycle.

Should organizations eliminate VPNs for remote work?
Not necessarily, but VPN access should be tightly controlled, patched, monitored, and supplemented with strong identity and device-based security controls to reduce exposure.
