People working from home, cafes, and personal devices create real security gaps — but you don't need a dedicated IT person to close them. Here's what actually matters.
Remote work became normal fast, and most small businesses adapted on the fly. The security side often got skipped — not out of carelessness, but because there were more urgent things to sort out.
The result is that a lot of small teams now have people working from home networks, personal laptops, and the occasional airport lounge, with company data passing through all of it. Here's what to do about that without needing a dedicated IT person.
MFA on everything — home networks don't count as trusted
Multi-factor authentication (MFA) — the code or app prompt after your password — is the most important single control for a distributed workforce. The reason is simple: home networks are not secure corporate networks. An attacker who gets hold of a password (from a data breach, a phishing email, or just guessing) can try it from anywhere in the world.
MFA means a stolen password alone isn't enough. The attacker still needs that second factor — the code on someone's phone — which they almost certainly don't have.
Make sure MFA is turned on for every account, including people who mostly work in the office. "Mostly" isn't "always."
Keep work data in work places
One of the most common remote-work security problems isn't dramatic — it's a spreadsheet saved to someone's personal Google Drive, or a proposal emailed to a personal address for working on over the weekend.
Personal accounts don't have the same protections as your business Microsoft 365. They might not have MFA. They're definitely not backed up alongside your company data. And if that person leaves your business, the file goes with them.
The fix is simple to say and takes some nudging in practice: company files go in Microsoft 365 — OneDrive, SharePoint, Teams. Not personal accounts, not USB drives, not a free cloud service someone signed up for.
Basic device hygiene
For devices that access company data, three things matter:
- Keep the operating system and apps updated. Most successful attacks exploit known flaws that a patch already exists for. Updates are tedious; unpatched laptops are worse.
- Set a screen lock. A laptop left open in a coffee shop or stolen from a car is a problem. A locked screen makes it significantly less of one.
- Turn on disk encryption. On Windows, this is called BitLocker. On a Mac, it's FileVault. When it's on, a stolen laptop's files are unreadable without the password. Both come with the operating system and cost nothing to enable.
None of these require a specialist to set up.
Be careful on public Wi-Fi
Coffee shops, airports, hotels — the Wi-Fi is convenient and untrustworthy. Other people on the same network can, with the right tools, intercept traffic that isn't encrypted.
Most modern websites and business apps use encryption (you'll see "https" in the address bar), which provides meaningful protection. But the sensible habit for anything sensitive — a client call, reviewing financial documents, signing in to business accounts — is to use your phone's mobile hotspot instead of the public network. It's slower and uses data. It's also considerably more private.
Limit who can sign in from anywhere
By default, Microsoft 365 allows sign-in from any location, any device, at any time. That's convenient. It also means an attacker in a different country with a valid password has the same access as your bookkeeper at home.
A control called Conditional Access lets you add rules — for instance, requiring MFA for sign-ins from outside certain countries, or blocking sign-in from devices that don't meet basic security requirements. Some of these options require higher Microsoft 365 subscription tiers, but even the basic versions provide meaningful restrictions.
Worth asking your Microsoft 365 administrator (or whoever set it up): "Are there any sign-in restrictions, or can anyone log in from anywhere?"
You don't need to solve everything at once
Pick the two things on this list you haven't done yet and do those first. MFA and keeping data in Microsoft 365 will get you most of the way there. The rest builds on top.
If you want to see exactly which remote-work-related settings in your Microsoft 365 account are open right now, Tenant Strike can check them in read-only mode and give you plain-English steps to close the gaps — no agents to install, nothing changed without your say-so. A five-minute scan tells you where you actually stand.
AI-researched from public sources. We label AI-assisted writing — see our trust page.
See your own risk
Want this for your own Microsoft cloud?
Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.