Hybrid working โ where staff split their time between the office and home โ is now the dominant working model in the UK. Over 60% of SMEs operate some form of hybrid arrangement. While the flexibility benefits are clear, hybrid work introduces credential security challenges that traditional office policies do not cover. Staff connect from home networks with unknown security postures, use personal devices for work tasks, and access company resources from public WiFi in coffee shops and co-working spaces.
The Five Credential Risks Specific to Hybrid Work
- Home network insecurity: Consumer routers often have default credentials, outdated firmware, and no network segmentation. Work credentials travel over the same network as IoT devices and family members' devices.
- Credential crossover: Staff working from home may be tempted to save work credentials in their personal browser's autofill or personal password manager.
- Shoulder surfing: Partners, children, or housemates may see passwords typed on screen during video calls or while stepping away from the desk.
- Unsecured WiFi: Coffee shops, hotels, and co-working spaces offer convenient connections but expose traffic to potential interception.
- Lost or stolen devices: A laptop or phone containing work credentials, whether company-issued or personal, is a risk when used in public locations or transported between home and office.
Home Network Security for Remote Workdays
Start with the router. Change the default admin password, enable WPA3 encryption (or WPA2 if WPA3 is unavailable), and disable WPS. Update the firmware โ most consumer routers have never been updated after initial setup. If possible, create a separate WiFi network (guest network) for work devices, keeping them isolated from smart TVs, gaming consoles, and IoT devices.
For employees handling sensitive data from home, a VPN adds a layer of encryption between the device and the corporate network. The Hide My Name VPN service offers affordable personal plans. Many business password managers also include VPN functionality in their enterprise tiers. Get PureVPN โ Privacy & Security Online
Public WiFi: The Credential Interception Risk
Public WiFi networks are unencrypted by design. Anyone on the same network can potentially monitor traffic. The risk is not just credential theft โ session cookies, emails, and file transfers can all be intercepted.
For hybrid workers connecting from public WiFi: always use a VPN before accessing any work resource, avoid accessing sensitive systems (banking, payroll, CRM) on public networks, use the password manager's autofill rather than typing credentials manually (this prevents keylogger capture), and enable MFA on every work account as the safety net if credentials are intercepted.
Device Hygiene in the Hybrid Model
Device hygiene is the most overlooked aspect of hybrid password security. Whether the device is company-issued or personal, the same minimum standards apply: operating system and all applications must be kept up to date, a strong screen lock with biometric or 6-digit PIN minimum, disk encryption enabled (BitLocker on Windows, FileVault on Mac, device encryption on iOS/Android), and the work password manager is the only place work credentials are stored.
If staff use a personal device โ a BYOD arrangement โ the policy should also include a remote wipe capability managed through the business password manager or MDM solution. Staff must understand and agree to this before connecting to work resources.
Building a Hybrid-Safe Password Policy
Your hybrid password policy should be a separate section within your main password policy. Include rules for: minimum home network security standards (WPA2/3, updated firmware, strong admin password), mandatory VPN use on public networks, a clear requirement that work credentials are only stored in the work password manager (never in browser autofill or personal password vaults), and screen lock enforcement on all devices used for work.
Align with NCSC guidance on home working, which recommends treating home networks as untrusted and implementing appropriate technical controls.
Training Your Team on Hybrid Security
The best policy document is useless if staff do not follow it. Schedule a 15-minute security briefing as part of hybrid worker onboarding. Cover only the essentials: what to do about home WiFi, why the password manager matters, how to spot credential interception risks. Make it practical โ staff are more likely to follow simple, memorable rules than a 20-page security manual.
Follow up with a short checklist that staff keep pinned to their desk (physical or virtual). Quarterly reminders through the password manager notification system reinforce the habits without being intrusive.
FAQs
Do hybrid workers need a VPN at home?
A VPN is not strictly necessary on a properly secured home network with WPA3 encryption and good device hygiene. However, a VPN is strongly recommended when working from public WiFi and is essential for anyone handling sensitive data from home.
Should we provide company laptops for hybrid workers?
Company-managed devices are always more secure than personal devices, but cost can be prohibitive for SMEs. If personal devices are permitted, enforce password manager use, OS updates, and screen lock through policy and audit.
How do we handle credentials when someone switches from home to office?
A cloud-based password manager handles this seamlessly. The vault syncs across devices, so credentials are available from any location. The employee authenticates once with their master password and MFA, and the vault follows them.
What if an employee's home WiFi is compromised?
MFA is the safety net. Even if credentials are intercepted via a compromised home network, the second authentication factor blocks the attacker. This is why MFA on every account is non-negotiable in hybrid environments.