Remote Work Security: What Enterprises Get Wrong
A week ago, most enterprises had a remote work policy that covered maybe 10-20% of their workforce on any given day.
I've spent the last twenty years building enterprise security architectures — across banking, healthcare, government, and everything in between. I also happen to run a Palo Alto PA-220 firewall at home, because I believe in eating my own cooking. That combination — enterprise architecture experience plus the reality of securing
Here are the mistakes I'm seeing enterprises make as they rush to enable remote work, and what you can do about them today.
Mistake #1: Treating VPN as a Silver Bullet
The first instinct for most organizations was to scale up VPN capacity. That's not wrong — but it's incomplete, and the way many are doing it is creating new problems.
Most VPN concentrators were sized for a fraction of the workforce connecting simultaneously. When you go from 500 concurrent sessions to 5,000 overnight, you don't just need more licenses. You need to rethink your architecture.
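One way to put a number on that sizing question, as an added example that is not from the original article: compute peak concurrent sessions from a session export and compare the peak with licensed capacity. The CSV layout, the sample rows, and the 80% warning threshold are assumptions, and the sample data is constructed.

```python
from datetime import datetime

# Constructed sample export (user, login, logout); not real data.
SAMPLE_SESSIONS = """\
alice,2020-03-23T08:00,2020-03-23T17:00
bob,2020-03-23T08:30,2020-03-23T12:00
carol,2020-03-23T09:00,2020-03-23T18:00
dave,2020-03-23T11:59,2020-03-23T13:00
erin,2020-03-23T12:00,2020-03-23T16:00
"""

def parse_sessions(text):
    """Parse 'user,login,logout' rows into (user, start, end) tuples."""
    sessions = []
    for line in text.strip().splitlines():
        user, start, end = line.split(",")
        sessions.append((user, datetime.fromisoformat(start),
                         datetime.fromisoformat(end)))
    return sessions

def peak_concurrency(sessions):
    """Sweep over login (+1) and logout (-1) events, tracking the maximum."""
    events = []
    for _, start, end in sessions:
        events.append((start, 1))
        events.append((end, -1))
    # Tuple sort puts -1 before +1 at the same timestamp, so a logout and a
    # login in the same instant do not count as two simultaneous sessions.
    events.sort()
    current = peak = 0
    peak_at = None
    for when, delta in events:
        current += delta
        if current > peak:
            peak, peak_at = current, when
    return peak, peak_at

def capacity_report(sessions, licensed, warn_ratio=0.8):
    """Compare observed peak with licensed concurrent sessions."""
    peak, peak_at = peak_concurrency(sessions)
    utilization = peak / licensed
    if peak > licensed:
        status = "over"
    elif utilization >= warn_ratio:
        status = "warn"
    else:
        status = "ok"
    return {"peak": peak, "peak_at": peak_at,
            "utilization": utilization, "status": status}
```

Run it over several days of exports rather than one: the figure that matters is the worst peak, not the average.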
Then there's the split tunneling debate. Full tunnel means all traffic goes through corporate infrastructure — great for visibility, terrible for bandwidth when everyone's on Zoom calls all day. Split tunnel preserves capacity but means corporate security controls don't see the employee's web traffic. There's no universal
What to do now: Audit your VPN capacity immediately. If you're approaching limits, consider split tunneling for non-sensitive traffic *combined with* a cloud-based secure web gateway. And
Mistake #2: Ignoring the Home Network
Here's the uncomfortable truth: your employees are now connecting to your most sensitive systems from networks you don't control. The average home router hasn't had a firmware update since it was unboxed. Default admin passwords are still `admin/admin`. The WiFi password is shared with every guest who's ever visited. And
I run enterprise-grade security at home — network segmentation, separate VLANs for IoT devices, real firewall rules, DNS filtering. I'm not suggesting every employee needs a PA-220 in their home office.
What to do now: At minimum, push guidance to employees: change default router passwords, enable WPA2 (or WPA3 if available), update router firmware, and — this is the big one — don't do work on the same WiFi network as every other device in the house. If the router supports it, set up
Mistake #3: Panic-Deploying Collaboration Tools
In the rush to keep teams productive, I'm watching organizations adopt collaboration tools without any security review. Zoom went from 10 million daily meeting participants in December to
Meeting IDs that can be guessed or scraped from social media. Meetings without passwords by default. An installer on macOS that was using a questionable technique
This isn't just about Zoom. Shadow IT is exploding. Teams are spinning up Slack workspaces, Trello boards, Google Docs with sharing set to "anyone with the link," file sharing through personal Dropbox accounts. Every one of these is a potential data leak, and your security team probably doesn't even know they exist.
What to do now: Don't ban tools — you'll just drive adoption underground. Instead, publish a short approved-tools list with secure configuration guides. For Zoom specifically: require meeting passwords, enable waiting rooms, restrict screen sharing to hosts, and disable file transfer in chat. Review your cloud access policies and consider a CASB solution if you don't have one.
Mistake #4: Forgetting That Phishing Gets Worse in a Crisis
Attackers are opportunists, and a global pandemic is the biggest social engineering opportunity most of them have ever seen. In the past week, I've personally seen phishing campaigns impersonating the WHO, the CDC, company HR departments announcing "updated remote work policies," and fake stimulus payment portals.
The success rate on these is higher than normal because people are scared, distracted, and operating outside their normal routines. When an employee is working from their kitchen table while helping their kid with online school, they're not scrutinizing that email as carefully as they would at the office.
What to do now: Send a clear, concise security awareness reminder — not a training module, not a policy document, a *short email* that says: "Attackers are using COVID-19 as bait. Be suspicious of any email asking you to click a link or open an attachment related to the pandemic, even if it looks like it's from HR or a government agency. When in doubt, go directly to the source instead of clicking." Keep it human. Keep it short. Send it from the CEO, not the security team.
Mistake #5: Skipping Endpoint Security on Personal Devices
Many organizations didn't have enough laptops to send home with every employee. So people are using personal machines — machines without EDR agents, without current patches, without disk encryption, running who-knows-what browser extensions and connecting to who-knows-what USB devices.
I understand the urgency. You can't provision 5,000 hardened laptops overnight. But you *can* set minimum standards for personal device access: require current OS patches, require endpoint protection (even if it's a free tier of a reputable product), require disk encryption, and restrict access to the most sensitive systems to managed devices only.
What to do now: If you have an MDM or NAC solution, enforce compliance checks before granting VPN access. If you don't, publish minimum device requirements and make it easy for employees to self-check. Consider standing up a VDI or remote desktop environment for employees on personal devices — it keeps corporate data off the endpoint entirely.
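A sketch of that compliance gate, added here as an example and not taken from the article or from any MDM/NAC product: it maps a device posture report to an access tier and fails closed when a field is missing or implausible. The field names, tier names, 30-day patch window, and sample reports are all assumptions made for illustration.

```python
from datetime import date

MAX_PATCH_AGE_DAYS = 30  # assumption: the article says "current", no number

def evaluate_posture(report, today):
    """Return (tier, failures). Missing or odd values count as failures."""
    failures = []
    patched = report.get("last_patched")
    age = (today - patched).days if isinstance(patched, date) else None
    # A patch date in the future is treated as untrustworthy, not as fresh.
    if age is None or age < 0 or age > MAX_PATCH_AGE_DAYS:
        failures.append("os_patches")
    if report.get("endpoint_protection") is not True:
        failures.append("endpoint_protection")
    if report.get("disk_encrypted") is not True:
        failures.append("disk_encryption")
    if failures:
        tier = "vdi_only"        # no VPN; corporate data stays off the device
    elif report.get("managed") is True:
        tier = "vpn_sensitive"   # managed and compliant: sensitive systems too
    else:
        tier = "vpn_standard"    # compliant personal device: no sensitive systems
    return tier, failures

# Constructed sample reports, evaluated against a constructed "today".
TODAY = date(2020, 3, 27)
SAMPLE_REPORTS = {
    "managed-laptop": {"managed": True, "last_patched": date(2020, 3, 15),
                       "endpoint_protection": True, "disk_encrypted": True},
    "personal-ok": {"managed": False, "last_patched": date(2020, 3, 20),
                    "endpoint_protection": True, "disk_encrypted": True},
    "personal-stale": {"managed": False, "last_patched": date(2020, 1, 2),
                       "endpoint_protection": True, "disk_encrypted": False},
    "clock-skewed": {"managed": True, "last_patched": date(2020, 4, 30),
                     "endpoint_protection": True, "disk_encrypted": True},
    "agent-silent": {"managed": True},  # agent reported no posture fields
}

def triage(reports, today):
    """Evaluate every report; returns {device: (tier, failures)}."""
    return {name: evaluate_posture(r, today) for name, r in reports.items()}
```

The failure list doubles as the self-check message for the employee: it names exactly which requirement to fix before VPN access is granted.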
What You Can Do This Week
I know security teams are overwhelmed right now. Here's a prioritized list of what to tackle first:
- Capacity: Verify VPN can handle your actual concurrent user load. Have a plan for when it can't.
- Patch: Make sure VPN concentrators, endpoints, and remote access tools are fully patched. Attackers know everyone's VPN is suddenly internet-facing.
- Phishing: Send a clear, short advisory about COVID-themed phishing. Today.
- Collaboration tools: Publish secure configuration guidance for whatever tools your teams are using. Focus on Zoom, Slack, and Microsoft Teams.
- Endpoint baseline: Set minimum security requirements for personal devices accessing corporate resources.
- Home network guidance: Give employees simple, actionable steps to improve their home network security.
- Incident response: Update your IR plan for a fully remote scenario. Can your team investigate an incident when everyone's at home?
We're All Figuring This Out Together
Nobody planned for this. Not your CISO, not your board, not the vendors selling you "pandemic-ready" solutions they built last week. What matters now is making smart, pragmatic decisions that improve your security posture without paralyzing your workforce.
If you're a security leader staring at your monitoring dashboard wondering what you're missing, you're not alone. The organizations that will come through this well are the ones that acknowledge the gaps honestly and address them methodically — not the ones that pretend their existing controls are sufficient for a world that changed overnight.
PhenomSec has been helping organizations build resilient security architectures for nearly two decades. If you need an experienced perspective on securing your remote workforce, [get in touch](/contact). We've been doing this work long before it was an emergency — and we'll be doing it long after.
*Aaron Smith is the Founder and Principal Consultant at PhenomSec, a cybersecurity consulting firm based in Portland, OR. He specializes in enterprise security architecture, cloud security, and infrastructure vulnerability assessments across regulated industries.*