MSP Remote Work Security: Protecting Distributed Teams
Your employee is working from a cafe. They are connected to public Wi-Fi. They are accessing your client data. Your MSP has no visibility into their network connection, no control over their device security, and no way to know if their session has been intercepted.
This is the reality of remote work security. The perimeter is no longer the office. It is wherever your people work, and your MSP needs a security model that accounts for that.
The shift to hybrid and remote work is permanent. Australian businesses now average 2-3 remote days per week. Your security posture must match this reality.
The Remote Work Security Challenge
Expanded Attack Surface
Traditional security assumed everything inside the office network was trusted. Remote work eliminates that assumption:
- Home networks are shared with personal devices, IoT gadgets, and family members' activities
- Public Wi-Fi is inherently untrusted and subject to interception
- Personal devices may not meet your security standards
- Physical security is reduced — screens visible to others, devices more likely to be lost or stolen
- Shadow IT increases when employees bypass security controls that slow them down
What Your MSP Can and Cannot Control
Can control:
- Device management (MDM/MAM policies)
- Application access and configuration
- Network traffic through VPN
- Endpoint security software
- Authentication and access policies
Cannot control:
- Home network security
- Physical environment security
- Personal device usage outside work apps
- Employee behaviour on non-managed devices
- Public Wi-Fi network integrity
This means your security model must be zero trust — verify everything, trust nothing, regardless of location.
Essential Remote Work Security Controls
1. Multi-Factor Authentication (MFA)
MFA is the single most effective remote work security control. It protects against credential theft regardless of where the user connects from.
Implementation:
- Enforce MFA on all accounts — no exceptions
- Use authenticator apps (Microsoft Authenticator, Google Authenticator) over SMS where possible
- Register hardware security keys for high-privilege accounts
- Implement conditional access policies that require MFA for risky sign-ins
2. VPN and Network Security
Split-tunnel VPN is the recommended approach for most businesses:
- Business traffic routes through the VPN to your environment
- Personal traffic goes direct to the internet (reduces bandwidth load and improves user experience)
- All traffic to internal resources is encrypted and monitored
VPN requirements:
- Always-on VPN for company-managed devices
- Certificate-based authentication (not just username/password)
- Kill switches that block internet access if VPN drops
- Logging and monitoring of VPN connections
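One way to check for the split-tunnel misconfiguration this guide warns about, as an added example rather than anything from the guide or a VPN vendor: given the internal prefixes and a client's routing table, it reports every internal range that would leave outside the VPN. The prefixes, routes and the interface names `tun0` and `wlan0` are constructed assumptions.

```python
import ipaddress

# Constructed sample data (hypothetical, IPv4 only): corporate ranges that
# must traverse the VPN, and one remote laptop's routing table.
INTERNAL_PREFIXES = ["10.20.0.0/16", "172.16.50.0/24"]
ROUTES = [
    ("0.0.0.0/0", "wlan0"),       # personal traffic goes direct (split tunnel)
    ("10.20.0.0/16", "tun0"),     # corporate range routed into the VPN
    ("10.20.30.0/24", "wlan0"),   # home LAN that overlaps the corporate range
    ("192.168.1.0/24", "wlan0"),
]


def audit_split_tunnel(internal_prefixes, routes, vpn_if):
    """Return (internal_prefix, leaking_range, interface) for every part of
    an internal prefix that the routing table sends outside the VPN."""
    table = [(ipaddress.ip_network(dest), iface) for dest, iface in routes]
    findings = []
    for prefix in map(ipaddress.ip_network, internal_prefixes):
        # Longest-prefix match: the most specific route containing the
        # whole internal range decides where it goes by default.
        covering = [(n, i) for n, i in table if prefix.subnet_of(n)]
        if not covering:
            findings.append((str(prefix), str(prefix), None))  # no route
        else:
            _, iface = max(covering, key=lambda r: r[0].prefixlen)
            if iface != vpn_if:
                findings.append((str(prefix), str(prefix), iface))
        # A more specific route inside the range overrides the VPN route,
        # e.g. a home LAN numbered out of the same private space.
        for net, iface in table:
            if net != prefix and net.subnet_of(prefix) and iface != vpn_if:
                findings.append((str(prefix), str(net), iface))
    return findings


if __name__ == "__main__":
    for prefix, leak, iface in audit_split_tunnel(INTERNAL_PREFIXES, ROUTES, "tun0"):
        print(f"{prefix}: {leak} leaves via {iface}, not the VPN")
```

In the sample, the second internal prefix was never pushed to the client at all, and the first is partly shadowed by an overlapping home LAN, which is why corporate address plans should avoid the ranges consumer routers commonly use.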
3. Endpoint Detection and Response (EDR)
Every device accessing your environment needs EDR protection:
- Company-managed devices: Full EDR with managed configuration
- Bring Your Own Device (BYOD): MAM-based protection on work apps, with minimum device requirements (OS version, encryption, screen lock)
- Unmanaged devices: Browser-only access with conditional access policies that limit what can be accessed
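The three access levels above, written as a posture check that fails closed (an added example, not code from this guide or from any MDM product). The version floors in `MIN_OS`, the field names, and the choice to drop a managed device that fails posture to browser-only are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical version floors: the guide requires a minimum OS version
# but gives no numbers.
MIN_OS = {"windows": (10, 0, 19045), "macos": (14,), "ios": (17,), "android": (13,)}


@dataclass
class Device:
    platform: str
    os_version: str
    managed: bool                 # MDM-enrolled, company-managed
    edr_running: Optional[bool]   # None means posture was not reported
    encrypted: Optional[bool]
    screen_lock: Optional[bool]


def meets_minimum_os(dev: Device) -> bool:
    floor = MIN_OS.get(dev.platform.lower())
    if floor is None:
        return False              # unknown platform: fail closed
    try:
        # Compare numerically; as strings "9.3" would sort above "17.0".
        version = tuple(int(part) for part in dev.os_version.split("."))
    except ValueError:
        return False              # unparseable version: fail closed
    return version >= floor


def access_tier(dev: Device) -> str:
    """Map reported posture to one of the three access levels above."""
    # "is True" makes a missing (None) attribute count as a failed check.
    baseline = (meets_minimum_os(dev) and dev.encrypted is True
                and dev.screen_lock is True)
    if dev.managed and baseline and dev.edr_running is True:
        return "full"             # company-managed device with EDR
    if not dev.managed and baseline:
        return "mam"              # BYOD: protected work apps only
    return "browser-only"         # anything else gets the restricted tier
```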
4. Device Management
Company-managed devices:
- MDM enrollment with full policy enforcement
- Automatic OS and application updates
- Disk encryption enabled and verified
- Remote wipe capability
- Application whitelisting where appropriate
BYOD:
- MAM policies that secure work apps without controlling personal apps
- Minimum OS version requirements
- Screen lock and biometric authentication requirements
- Containerisation of work data
5. Data Protection
- Encryption at rest — all work data encrypted on devices
- Encryption in transit — all traffic encrypted via VPN or TLS
- Data Loss Prevention (DLP) — prevent sensitive data from being copied to personal apps or external storage
- Rights management — control what users can do with documents (print, copy, forward)
6. Physical Security
Often overlooked but critical:
- Privacy screens in public spaces
- Cable locks for laptops in shared spaces
- Clean desk policy — no sensitive documents visible
- Secure storage when device is not in use
- Travel policies — specific requirements for international travel
The Remote Work Security Policy
Every business with remote workers needs a documented policy. Key sections:
1. Acceptable Use
- What devices can access company resources
- What networks are acceptable (home, public Wi-Fi, mobile hotspot)
- What activities are prohibited on work devices
2. Device Requirements
- Minimum OS versions
- Required security software
- Encryption requirements
- Screen lock policies
3. Network Requirements
- VPN usage requirements
- Public Wi-Fi restrictions
- Home network recommendations
4. Data Handling
- Classification of data types
- Storage requirements for different data classifications
- Sharing restrictions
- Backup requirements
5. Incident Reporting
- How to report a security concern
- What to do if a device is lost or stolen
- Who to contact for security issues
Working With Your MSP on Remote Security
What to Discuss
- Current security posture — what controls are already in place for remote workers
- Gap analysis — what controls are missing or inadequate
- Policy development — working with the MSP to create or update your remote work policy
- Tool selection — choosing the right VPN, EDR, MDM, and MAM solutions
- Training — ensuring remote workers understand their security responsibilities
What to Ask
- "What security controls are in place for remote access to our environment?"
- "How do you handle BYOD access requests?"
- "Can you demonstrate that all remote connections are encrypted and monitored?"
- "What happens if a remote worker's device is compromised?"
- "How do you enforce security policies on personal devices?"
Regular Reviews
Remote work security should be reviewed:
- Quarterly — assess control effectiveness, review policy compliance
- After incidents — learn from security events involving remote workers
- When technology changes — new devices, new tools, new threats
- When workforce changes — new remote workers, changes to remote work patterns
Common Remote Work Security Failures
Assuming the office network is secure. Home networks are not enterprise networks. Your security model must account for this.
No MFA enforcement. MFA is the most effective single control. Not enforcing it on all remote access is indefensible.
Unmanaged devices accessing sensitive data. If a device is not managed, it should have limited access through MAM or browser-only policies.
No VPN, or a misconfigured split tunnel. Without VPN, remote traffic is visible to ISPs and potentially malicious actors on the same network.
Inadequate physical security. Laptops left unattended in cars, coffee shops, or co-working spaces are theft targets.
Related Guides
- MSP Cybersecurity Awareness Training — Train remote workers on security
- MSP Data Breach Response Plan — Respond when remote security fails
- MSP Compliance Framework Guide — Compliance requirements for remote work
- Cyber Insurance MSP Requirements — Insurance implications of remote work
- MSP Supply Chain Risk — Third-party risk in remote environments