Client Portal
The standard listicle on remote-work security talks about strong passwords, VPNs, and not using public Wi-Fi. Useful, but largely beside the point.
The real risks of hybrid working are not what an individual staff member does at a cafe. They are structural: how identity is managed, how devices are governed, and how access to your data is controlled when staff are everywhere.
Five controls that actually matter
1. Multi-factor authentication, properly enforced
MFA is not optional, and it is not enough on its own. Most credential-based breaches now bypass weak MFA implementations: SMS codes that can be SIM-swapped, push prompts that get tap-fatigued, or MFA that simply was not enforced for service accounts and shared mailboxes. The right answer is app-based or hardware MFA, enforced across every account, with no exceptions for "convenience."
2. Conditional access
This is the layer most businesses are missing. Conditional access policies in Microsoft 365 decide, for every login, whether to allow it based on signals: where the request is coming from, what device it is on, whether MFA is satisfied, whether the user belongs to a high-risk group. A login from an unmanaged device in a country your business does not operate in should not just require MFA. It should be blocked.
3. Device management (Intune)
If you do not know which devices are accessing your data, you cannot secure them. Enrolling every staff device (whether company-issued or BYO) in Microsoft Intune lets you enforce security baselines, push updates, separate work data from personal data, and remote-wipe a lost or stolen device without nuking someone's personal photos.
4. Identity over network perimeter
The old model of "we are safe because we are inside the office network" no longer applies. The new model is that identity is the perimeter. Strong identity governance (who has access to what, when, and how) matters far more than VPN configuration. Most businesses we take on have far too many people with far too much access to far too many systems, much of it left over from past roles.
5. Endpoint protection that actually responds
Antivirus is necessary but no longer sufficient. Managed endpoint detection and response (EDR) tools like Microsoft Defender for Endpoint actively look for suspicious behaviour and respond to it. The difference matters in the moment when ransomware is being staged on a laptop in a home office.
What the staff side looks like
Training does not fix the structural risks. But it does reduce the rate at which staff hand over credentials to a phishing email, install random software, or fall for a "support" call. A modest, regular training cadence (not a once-a-year tick-box) is far more useful than a long induction module that is forgotten by week two.
How AgileSECURE handles this
The five controls above are not optional in AgileSECURE, they are the baseline. They are aligned to the SMB1001 maturity framework and the ASD Essential Eight, and they are configured and managed continuously, not set up once and forgotten.
If hybrid working has expanded faster than your security posture has, have a look at AgileSECURE or book a conversation and we can take an honest look at where you sit.