The shift to hybrid working happened fast. Most businesses adopted flexible working arrangements in response to circumstance rather than plan, and the security controls to support that shift never quite caught up. The result, for many UK SMEs, is a workforce that operates across multiple locations and devices — with security measures designed for a world where everyone was in the same office, on the same network, using the same equipment.

That gap between how people work and how the business is protected is where most breaches and incidents originate. The good news is that closing it doesn’t require expensive technology or complex infrastructure. It requires a clear policy, a handful of technical controls, and consistent enforcement.

This guide covers everything a UK business needs to put in place.

  • 85% of UK businesses now operate some form of hybrid or remote working arrangement
  • Higher likelihood of a security incident when personal devices are used without a policy
  • 68% of remote working security incidents involve weak or compromised credentials

Why a written policy matters

A remote working security policy isn’t a legal requirement in itself — but it is the clearest way to meet obligations that are legal requirements. Under UK GDPR, your organisation is responsible for ensuring personal data is processed securely regardless of where your employees work. If a home-based employee’s laptop is compromised and client data is exposed, the absence of a written policy and documented controls will make a regulator’s investigation significantly more uncomfortable.

Beyond compliance, a written policy sets clear expectations for your team. It removes ambiguity about what is and isn’t acceptable — which device can be used for what, how systems should be accessed, what to do if something goes wrong. Staff cannot be expected to make good security decisions if nobody has told them what good looks like.

“Most remote working security incidents don’t happen because of sophisticated attacks. They happen because nobody told the employee what they weren’t allowed to do.”

The six areas your policy must cover

1. Approved devices

The most fundamental remote working security decision is which devices are allowed to access your business systems. The options are:

  • Business-owned devices only. The most secure approach. You control the configuration, the software, the security settings and the encryption. This is the recommended approach for roles handling sensitive client data or financial information.
  • Personal devices with management software (BYOD). Acceptable for lower-risk roles if devices are enrolled in mobile device management (MDM) and meet minimum security requirements — updated OS, screen lock, encryption enabled.
  • Personal devices with no controls. This is the situation many businesses are currently in without realising it. It is not acceptable for any role that accesses business systems or data.

Your policy must state clearly which categories of device are permitted for which types of access, and what the minimum requirements are for any personal device that is allowed.

2. Multi-factor authentication

Multi-factor authentication (MFA) is the single most impactful security control available for remote working. It means that even if a password is compromised, an attacker cannot access your systems without also having the second factor — typically a code sent to a mobile device or generated by an authenticator app.

MFA must be required for:

  • All cloud services — Microsoft 365, Google Workspace, any SaaS tools
  • Remote access to your network (VPN)
  • Any administrative accounts
  • Email — always, without exception

MFA is also a core requirement for Cyber Essentials certification. If you are pursuing or maintaining Cyber Essentials, MFA on cloud services and remote access is not optional.

3. Network security

Home networks are, in most cases, significantly less secure than a business network. Routers are often running default or weak passwords, firmware updates are rarely applied, and the network may be shared with a range of personal devices.

Your policy should address this in two ways. First, require employees to change the default password on their home router — a simple instruction that eliminates a significant vulnerability. Second, consider whether a VPN is appropriate for your business. A VPN encrypts the connection between a remote device and your business systems, protecting data in transit even on an insecure network.

Public WiFi — in coffee shops, hotels and public spaces — should be treated as untrusted. Your policy should either prohibit the use of public WiFi for business activity entirely, or require that a VPN is always active when using it.

4. Data handling

Working from home introduces data handling risks that don’t exist in an office — screens visible to household members, printed documents left in accessible areas, data stored locally on personal devices. Your policy should cover:

  • Business data must be stored on company-approved systems (OneDrive, SharePoint) — not downloaded to personal devices
  • Printing of sensitive documents at home should require justification and those documents must be shredded rather than binned
  • Video calls involving sensitive information should be conducted in a private space
  • Screens should be locked when stepping away from the device

5. Software and updates

Remote devices must run up-to-date software. End-of-life operating systems — including Windows 10, which lost Microsoft support in October 2025 — must not be used to access business systems. All security updates must be applied promptly; your policy should set a maximum timeframe, and 14 days is the standard for Cyber Essentials compliance.

Employees should not install software on business devices without IT approval. This is particularly important for remote workers who are further from IT oversight.
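As an added example (not code from the article or from Techfident), the following Python check applies the device-category rules from section 1 and the patching and end-of-life rules from section 5 to a device inventory such as an MDM export. The field names and the three sample records are constructed assumptions; the 14-day window and the Windows 10 support date (14 October 2025) are the article's figures.

```python
# Added example, not from the original article: apply its device-category and
# patching rules to a device inventory (e.g. an MDM export). Field names and the
# sample records are constructed; the 14-day window and the Windows 10
# end-of-support date (14 October 2025) are the article's figures.
from datetime import date

PATCH_WINDOW_DAYS = 14                        # Cyber Essentials patching standard
EOL_OS = {"Windows 10": date(2025, 10, 14)}   # OS name -> end-of-support date
BASELINE = ("screen_lock", "disk_encrypted")  # minimum settings for any device

def device_category(d):
    """Map a record onto the article's three device categories."""
    if d["owner"] == "business":
        return "business-owned"
    return "byod-managed" if d["mdm_enrolled"] else "byod-unmanaged"

def assess_device(d, today):
    """Return (category, permitted access level, findings) for one device."""
    cat, findings = device_category(d), []
    if cat == "byod-unmanaged":          # personal device with no controls
        findings.append("personal device not enrolled in MDM")
    findings += [f"{s} not enabled" for s in BASELINE if not d.get(s)]
    eol = EOL_OS.get(d["os"])
    if eol and today >= eol:
        findings.append(f"{d['os']} end-of-life since {eol.isoformat()}")
    overdue = (today - d["last_patched"]).days - PATCH_WINDOW_DAYS
    if overdue > 0:
        findings.append(f"updates {overdue} days past the {PATCH_WINDOW_DAYS}-day window")
    if findings:
        access = "none"                  # any finding blocks access until fixed
    else:                                # business-owned: sensitive-data roles;
        access = "sensitive" if cat == "business-owned" else "standard"  # managed BYOD: lower-risk roles
    return cat, access, findings

# Constructed sample inventory: one record per category.
INVENTORY = [
    {"name": "LT-001", "owner": "business", "mdm_enrolled": True, "os": "Windows 11",
     "last_patched": date(2026, 1, 20), "screen_lock": True, "disk_encrypted": True},
    {"name": "PH-017", "owner": "personal", "mdm_enrolled": True, "os": "iOS 18",
     "last_patched": date(2026, 1, 16), "screen_lock": True, "disk_encrypted": True},
    {"name": "HOME-PC", "owner": "personal", "mdm_enrolled": False, "os": "Windows 10",
     "last_patched": date(2025, 11, 1), "screen_lock": False, "disk_encrypted": False},
]

def report(today=date(2026, 1, 28)):
    """Assess every device in INVENTORY as of the given date."""
    return {d["name"]: assess_device(d, today) for d in INVENTORY}
```

Run `report()` against a real export by replacing INVENTORY with the exported records; any device whose access level comes back as "none" is the gap the policy is meant to close.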

6. Incident reporting

Your policy must include a clear, simple process for reporting security incidents. Employees working remotely are less likely to flag issues if the reporting process feels complicated or if they fear being blamed. Make it easy — a single email address or phone number, with an explicit assurance that reporting is welcomed.

The incidents that become serious breaches are almost always the ones that went unreported for too long because someone wasn’t sure what to do or was worried about the consequences of saying something.

What your policy document should include

Remote Working Policy — recommended structure

  • Purpose and scope — who the policy applies to and why it exists
  • Approved devices — what is permitted and the minimum requirements
  • Network requirements — home router, VPN requirements, public WiFi rules
  • Authentication requirements — MFA mandatory services listed explicitly
  • Data handling rules — storage, printing, screen visibility
  • Software and updates — update requirements, software approval process
  • Physical security — device storage, screen locking, working in public
  • Incident reporting — how and where to report, what counts as an incident
  • Consequences of non-compliance — brief and proportionate
  • Review date — policy should be reviewed annually at minimum

Remote working and Cyber Essentials

If your business is pursuing Cyber Essentials certification — or maintaining an existing certificate — your remote working setup is directly in scope. Any device that can access your business systems or internet resources from outside the office must meet the five Cyber Essentials controls: firewall, secure configuration, access control, malware protection and patch management.

This includes employee laptops used at home. The most common gap we find when auditing businesses for Cyber Essentials is remote devices that don’t meet the patching or configuration requirements because nobody has been actively managing them. A clear remote working policy, combined with mobile device management, closes this gap.

Common questions

Do UK businesses legally need a remote working policy?

There is no specific UK law requiring a remote working policy, but employers have obligations under UK GDPR to ensure personal data is processed securely regardless of where employees work. A written remote working policy is the clearest way to meet those obligations and demonstrate compliance if questioned.

What is the biggest security risk with remote working?

The most common risks are weak or reused passwords without MFA, use of personal unmanaged devices to access business systems, and insecure home or public networks. All are addressable with the right policy and technical controls in place.

Does remote working affect Cyber Essentials certification?

Yes. Remote devices that can access your business systems or data are in scope for Cyber Essentials. Laptops used at home, and the cloud services accessed from them, must meet the five Cyber Essentials control requirements. A well-structured remote working policy supports certification directly.

Do employees need to use a VPN for remote working?

Not always — it depends on what systems your team accesses. For businesses primarily using cloud services like Microsoft 365, a VPN is less critical provided MFA is enabled on all accounts. For businesses where employees access on-premises systems or servers remotely, a VPN is strongly recommended. It should be mandatory on public WiFi regardless.

How Techfident helps

We help UK businesses build practical remote working security frameworks — not theoretical documents that gather dust in a shared drive. That means reviewing your current setup, identifying the gaps that actually matter, and putting the right technical controls in place to support whatever policy you adopt.

If you’re working towards Cyber Essentials certification, we can assess your remote working environment against the five control requirements and help you remediate what needs fixing. If you simply want a clearer picture of where your remote working security stands today, a free gap review is a straightforward starting point.


Want to assess your remote working security?

Get a free gap review against the core remote working security controls. We’ll tell you exactly where your risks are and what to do about them — in plain English.

Akbar Ali
Founder & Principal, Techfident Limited

Akbar has nearly two decades of experience in B2B IT and infrastructure. He founded Techfident to give UK businesses access to genuinely expert, vendor-neutral technology advice — without the jargon or the mark-up. When you work with Techfident, you work with Akbar directly.