Protect your business online

Remote access lets staff connect to business systems via the internet from remote locations, such as home or on the road. It offers flexibility for hybrid working but introduces cyber security risks if not configured securely.

You can manage some of these risks by using strong authentication, encryption and monitoring. Without proper controls, attackers can exploit weak points to access your network and steal sensitive data.

Remote access risks

Remote working sends business data or services outside of the corporate infrastructure, typically over the internet, and often using devices outside your direct control, such as personal laptops or phones. Remote setup adds specific risks, such as:

• lack of physical security, which increases chances of device loss or theft
• eavesdropping, as data travels over the public networks
• unauthorised access, such as someone overlooking the screen
• data being monitored, copied or changes, if someone gains access to the device

These risks are greater when staff use public Wi-Fi or personal devices. You can adapt most common cyber security measures to meet the unique challenges of remote access security.

Managing remote access risk

You should assess the risks associated with working remotely and set clear rules and policies covering:

• who is allowed to work remotely
• what devices they are allowed to use
• what systems and data they can access or store on devices
• what security controls they must follow

Check risks to your network and systems and, if necessary,  increase monitoring on remote connections. If you do so, review and update your workplace monitoring policies first.

Remote access security measures

Some specific recommended actions for securing your remote access include:

• encrypting all data to prevent interception and theft
• using strong firewall and security software on all devices
• using multi-factor authentication (eg password plus token or app)
• restricting access to unauthorised users
• allowing legitimate users minimum access needed for their role
• reviewing server logs regularly for unusual activity
• removing remote access privileges once staff leave or no longer need access
• testing system regularly for vulnerabilities
• keeping firewall and remote access software patched and up-to-date

You can also use a virtual private network (VPN) to add an extra layer of protection for remote connection.

If you're introducing or scaling up remote access, read the National Cyber Security Centre's (NCSC) guidance on home working and moving your business from the physical to the digital. If your staff is using personal, rather than work-issued devices, see NCSC's advice on secure home working on personal IT.