A work laptop doesn’t become less secure the moment it leaves the office. But the environment around it does change — and the controls that the office environment provided automatically (managed network, physical access controls, IT staff nearby) don’t follow it home.
This is the gap. Home networks have weaker default security. Household members provide uncontrolled physical access. Personal and work use blur. And the laptop is often the only managed device in a sea of consumer equipment.
Here’s what needs to be in place.
Device configuration
Automatic screen lock. Set it to two to three minutes. Train staff to lock manually every time they step away — it takes a second and closes a significant physical access risk.
Full disk encryption. BitLocker (Windows) or FileVault (Mac) should be enabled. If the device is lost or stolen, encryption is the difference between a lost asset and a data breach.
Automatic updates — and restart when prompted. Missed updates are one of the most exploited vulnerabilities. If a device is prompting for a restart to apply patches and the user keeps deferring it, that’s a security gap accumulating in real time.
Endpoint protection active and reporting. Microsoft Defender (or your managed endpoint protection) should be active and enrolled in your monitoring platform. A laptop that’s been offline for weeks or hasn’t reported into the management console is a blind spot.
Account and access
Strong passphrase, not a short password. Length matters more than complexity. A 16-character passphrase is significantly harder to crack than an 8-character password with special characters.
MFA on everything that supports it. Microsoft 365, business applications, VPN. No exceptions, including for senior staff.
No shared accounts. Each person who uses a work system should have their own credentials. Shared accounts make audit trails useless and access revocation impossible.
Home network
Change the router admin password from the default. Default credentials for home routers are publicly documented and trivially exploited.
Use WPA3 or WPA2-AES encryption. Not WEP, not WPA. Check the router settings and update if necessary.
Keep router firmware updated. Router manufacturers release security patches. Most home routers never receive them because firmware updates are manual and most people don’t know they exist.
Separate work from personal. A guest network or VLAN for work devices reduces the blast radius if a personal device (a child’s tablet, a smart TV, an IoT device) is compromised.
Physical access
Work laptops are for work use only. Household members — partners, children, relatives — should not use the device. The risk isn’t malicious; it’s accidental access to business systems, inadvertent software installation, or credential exposure.
Store the device securely when not in use. Not left on a kitchen bench or in a car overnight.
What not to do
- Don’t use personal cloud storage (Dropbox, personal OneDrive) for work files.
- Don’t connect to public Wi-Fi without a VPN.
- Don’t install personal software on work devices without IT approval.
- Don’t defer security updates indefinitely.
None of these are complicated. Most can be configured once and maintained with minimal effort. The businesses that get caught out on remote work security aren’t usually those with weak policies — they’re those with policies that were written but never enforced.
If you’d like to audit your team’s remote work security configuration, get in touch.