Securing Remote Work
A 2026 guide to defending the home office — your router, smart devices, work laptop, public Wi-Fi habits, and the family network you depend on.
Your home is the new corporate perimeter
For most knowledge workers, the office is wherever the laptop opens. That shift moved the security perimeter from a corporate firewall to your home Wi-Fi router and the half-dozen smart devices sharing it. Attackers know this. The 2026 playbook for compromising a remote worker often starts at a vulnerable router, a hacked smart cam, or a coffee-shop network — not the work laptop itself. Closing those gaps is mostly free and takes a weekend.
Where remote work actually breaks
Home routers running default credentials and outdated firmware
Most ISP-supplied routers ship with weak admin passwords and rarely receive firmware updates. Mass-exploitation campaigns (notably the FBI/CISA disruptions of router botnets like KV-Botnet and Volt Typhoon's home-router clusters) have repeatedly shown attackers using thousands of compromised home routers as anonymizing infrastructure — including routers belonging to remote workers in regulated industries.
Smart-home and IoT devices
Cameras, doorbells, baby monitors, smart locks, robot vacuums, smart TVs, printers. Each one is a small computer running outdated Linux, often phoning home to overseas servers, sometimes shipping with hard-coded credentials. Compromise one and an attacker has a foothold on the same network as your work laptop.
Personal-device cross-contamination
You sign into work email on your personal phone. Your spouse uses the work laptop "just to print boarding passes." Your teenager downloads a "free" Minecraft mod onto a device sharing your work-laptop's Wi-Fi. Each blend point creates a path for malware or credential theft to cross between personal and work boundaries.
Public Wi-Fi and travel
Less risky than it used to be — modern HTTPS prevents most casual snooping — but still not safe for unmanaged devices. Real risks: rogue access points pretending to be the venue's Wi-Fi, public-network captive portals injecting tracking, and "evil twin" attacks against work VPN sessions. Hotel networks are especially compromised in business-travel hubs.
Phishing on personal channels that hit work
Attackers target you on your personal Gmail, Instagram DM, or text — outside your company's email security stack — then pivot to your work accounts. Family-emergency vishing (deepfake voice calls to your personal phone) has been used to social-engineer work credentials. (See our phishing guide.)
The home-office hardening checklist
Router and Wi-Fi (start here — biggest impact)
- Change the router's admin password from the default to a strong unique passphrase. Save it in your password manager.
- Update router firmware. Check for an auto-update toggle and turn it on if available.
- If your ISP-supplied router is more than 4–5 years old or has no firmware updates available, replace it. Modern options (eero, Asus, Ubiquiti, TP-Link Deco) auto-update and run a long support window.
- Use WPA3 or WPA2-AES for your Wi-Fi. Disable WPS (the "push button" pairing).
- Set a long Wi-Fi passphrase (16+ characters). The SSID password is your network's front door.
- Create a separate guest Wi-Fi network. Put visiting laptops, contractor devices, and untrusted IoT on it.
- If your router supports it, create a third "IoT network" for smart-home devices. Most consumer routers (eero, Asus, etc.) now support this with a click.
- Disable remote management/admin access from the internet. You almost never need it.
Smart-home and IoT devices
- Inventory what's actually on your network. Most modern routers list connected devices in their app.
- Change default passwords on every device that has one — cameras, baby monitors, NAS boxes, printers.
- Enable auto-updates on every smart device that supports it. Disconnect or replace devices that no longer get updates.
- Avoid no-name brands without a clear update history. The discount smart camera is often the most-compromised device in the house.
- Put cameras and microphones where they don't surveil the work-laptop screen or sensitive conversations. Cover them when not in use.
- Disable unused features (UPnP, port forwarding) unless you specifically need them.
Work device hygiene
- Use the work laptop only for work. No family use, no personal email, no personal browsing.
- Keep the OS, browser, and apps current. Don't postpone restarts indefinitely.
- Don't disable corporate security tools. The friction is usually less than what they're stopping.
- Lock the screen when you walk away — even at home. Family pets, kids, and overnight guests have all triggered work-account chaos.
- Use a privacy screen if you regularly work in public spaces.
- Keep work data in approved cloud locations (OneDrive, Google Drive, Box per your employer) — not on a personal USB drive.
Personal device hygiene (when work touches it)
- Every device that ever logs into work email needs a screen lock with a strong PIN, biometrics, and full-disk encryption (default on modern iOS/Android/macOS/Windows 11).
- Run only official-store apps. Avoid sideloading on Android. Avoid jailbreaking.
- If your employer offers a Mobile Device Management (MDM) profile for personal phones, the tradeoff is usually worth it — it adds remote-wipe capability if the phone is lost.
- Don't sign into work accounts on shared family devices.
Public Wi-Fi and travel
- Default to your phone's hotspot for sensitive work, especially in airports, hotels, and conferences.
- If you must use public Wi-Fi, use your employer's VPN where provided. For personal use, a reputable consumer VPN (Mullvad, ProtonVPN, IVPN) protects against local-network snooping; "free" VPNs frequently sell traffic data.
- Verify the network name with venue staff before connecting. "Starbucks_Free" with no captive portal is often a rogue AP.
- Disable auto-join for open networks in your phone's Wi-Fi settings — it prevents your device silently associating with anything named like a network you've used before.
- Travel with a charging-only USB cable or USB data blocker. Public USB ports can be modified ("juice jacking" is rare but real).
The reality of VPNs
Consumer VPN marketing oversells. Modern HTTPS already encrypts the contents of your traffic against local-network attackers. What a VPN actually does:
- Hides your DNS lookups from your ISP and the local network.
- Masks your IP from sites you visit.
- Adds protection on hostile networks (sketchy public Wi-Fi, hotel networks with injected ads).
- Does NOT make you anonymous, defeat malware, or stop phishing. The big-name "your IP is exposed!" ads overstate the threat.
For work, use the VPN your employer provides — it routes back to corporate resources securely and may be required by policy. For personal use on travel and public Wi-Fi, a paid privacy-focused VPN is reasonable; "free" VPNs are usually not.
Family cyber hygiene (because their habits affect your work)
- Everyone in the household uses a password manager.
- The work laptop is not a family device. Get a cheap Chromebook for kids' homework if needed — it's cheaper than a breach.
- Talk about scams together — kids and elders are both targeted; sharing a code word and verification habit benefits everyone.
- Smart-home cameras don't view work areas. Echos and Alexas off the work-call mic.
If something happens at home that touches work
- Don't try to clean it up yourself. Notify your IT/security team or MSP immediately, especially for any malware infection, suspicious login alert, or lost/stolen device.
- Disconnect the affected device from the network (turn Wi-Fi off, unplug Ethernet) but leave it powered on for forensics if asked.
- Change your work passwords from a known-clean device, and revoke active sessions in your identity provider (your IT team can do this).
- Document. What happened, when, and what you did. Don't paraphrase from memory days later — write it down now.
- Reset compromised home gear. If a router or IoT device was breached, factory-reset and reflash the latest firmware before re-using.
Trusted resources
- CISA — Secure Your Home Network
- CISA — Securing Network Infrastructure
- Consumer Reports Privacy & Security — independent IoT and smart-home reviews
- EFF — Should You Use a VPN? — honest framing on VPN limits
- National Cybersecurity Alliance — Working From Home
Last updated April 28, 2026.
Build your defense
Pair this guide with our other resources on phishing, AI tool safety, and password security.
All Resources