What makes remote workers more vulnerable to credential attacks?

Remote workers are more vulnerable because they operate on networks outside the corporate perimeter, often on home broadband without enterprise security controls, use personal devices that may not be patched or managed, access corporate systems directly over the internet rather than via protected internal networks, and are more frequently targeted by spear phishing emails. The combination of reduced network security and direct internet exposure significantly increases the attack surface for credential compromise.

Should remote workers use a VPN?

A VPN provides encrypted tunnel between the remote device and the corporate network — valuable for accessing internal resources and adding a layer of protection on untrusted networks. However, a VPN does not protect against phishing, credential stuffing, or weak passwords — it encrypts the connection, not the credentials. Strong unique passwords and MFA should be in place regardless of VPN use. Many cloud-first organisations have moved to Zero Trust architectures that replace VPN with identity-based access controls.

Is using public Wi-Fi safe with a business VPN?

Using a business VPN on public Wi-Fi is significantly safer than without one. The VPN encrypts all traffic between the device and the corporate gateway, preventing interception on the local network. However, risks remain: the device endpoint itself remains exposed; any traffic to services outside the VPN tunnel is unprotected; and some VPN configurations split-tunnel traffic that may expose cloud service credentials. The safest approach on public Wi-Fi is a VPN plus MFA on all cloud services.

What should my employer provide for remote working security?

Employers have a duty under UK law (GDPR/DPA 2018 for data handling) to implement appropriate technical security controls. For remote workers this includes: a business password manager with access controls; MFA on all cloud services and VPN; managed devices with enforced encryption; a clear BYOD policy if personal devices are used; and security awareness training covering phishing and credential hygiene. NCSC guidance provides a free baseline for SMEs.

How should I handle login credentials on a shared home computer?

A shared home computer is a significant security risk for work credentials. Each person should have their own user account on the device, with the work account protected by a strong unique password. Work credentials should be stored in a business password manager — never in the browser's saved passwords on a shared device. Log out of all work accounts and lock the device when not in use. Ideally, a dedicated work device separate from personal use is the most secure arrangement.

Password Security for Remote Workers

The shift to remote and hybrid working has materially changed the credential threat landscape. When employees work from home, coffee shops, or co-working spaces, the corporate network perimeter — the traditional security boundary — no longer exists. Credentials become the primary access control, and their security directly determines whether corporate systems are protected.

The Remote Working Threat Model

Remote workers face three primary credential threats: phishing (targeting cloud service credentials specifically, since attackers know remote workers depend on cloud email and collaboration tools); credential stuffing (testing previously breached credentials against corporate services); and local exposure (unencrypted devices, shared networks, shoulder surfing in public spaces). Each requires a specific control.

The Five Essential Controls

Business password manager: Every work credential generated uniquely and stored securely — never reused across personal and work systems
MFA on all cloud services: Microsoft 365, Google Workspace, Slack, CRM, and any service accessed remotely — TOTP authenticator app minimum, FIDO2 hardware key preferred
Full-disk encryption: All work devices must have FileVault (Mac) or BitLocker (Windows) enabled — protects credentials stored locally if the device is lost or stolen
VPN for internal resources: Any access to internal servers, databases, or legacy systems should route via a business VPN PureVPN — Secure Your Connection
Phishing awareness: Remote workers are targeted more frequently with spear phishing — the golden rule (never click email links to log in) is the primary defence

Protecting Cloud Credentials

Cloud services are the primary target for remote worker credential attacks. Microsoft 365 and Google Workspace accounts give access to email, documents, contacts, and often integrated third-party services — a single compromised account can expose significant organisational data. Enable MFA on both the email service and any single-sign-on applications connected to it. Consider Conditional Access policies that restrict cloud access to managed or compliant devices.

remote working password security VPN cloud security BYOD

For informational purposes only. Consult a qualified IT security professional for advice specific to your organisation.

← Cyber Essentials Password Requirements for SMEs Writing a Password Policy for a Small Business →