The coffee shop on Broadway in Fargo is full of people working on laptops. Some of them are on their company’s VPN. Most aren’t. A few are on a network that someone with the right tools could read like a newspaper.

Remote work became permanent for a lot of Fargo-Moorhead businesses after 2020. The technology adapted quickly. The security, for most small businesses, did not.

The problem with home networks

Your office network probably has a firewall, managed switches, and at least some visibility into what’s happening. Your employees’ home routers? Probably whatever came from the ISP, running the default admin password, with firmware that hasn’t been updated in two years.

That router is the gateway to everything on your employee’s home network - and increasingly, to your business systems accessed from that network. Home routers have been a steady vector for credential theft and man-in-the-middle attacks.

The fix isn’t complicated: get a proper router (not the ISP’s modem/router combo), change the default admin credentials, enable auto-firmware updates, and set up a separate network for work devices. That last part - isolating work devices from the smart TV, the kids’ laptops, and the Wi-Fi-connected thermostat - matters more than most people realize.

VPN: what it does and doesn’t protect

A VPN encrypts traffic between your employee’s device and your network. It’s important, especially for accessing internal systems or sensitive data over public Wi-Fi. But there are two common VPN mistakes that undercut the protection.

Split tunneling. Many VPN configurations only route traffic destined for your internal network through the VPN, while all other internet traffic goes out the employee’s local connection unprotected. That’s split tunneling. It improves performance but means an attacker on the same coffee shop Wi-Fi can still intercept other traffic. For remote workers handling sensitive data, full-tunnel VPN (all traffic routed through) is the right call.

Not using a VPN at all. This one is common and worse. “I’m just checking email” sounds low-risk until that email contains a client contract or login credentials. Any business application accessed over public Wi-Fi should go through a VPN or be on a zero-trust platform that doesn’t need one.

Endpoint management: knowing what’s on your devices

When everyone’s in the office, you can walk over and see what’s on a computer. Remotely, that visibility disappears unless you’ve built it.

Mobile Device Management (MDM) gives you the ability to enforce policies on devices that access company data: require disk encryption, enforce screen lock timeouts, remotely wipe a lost device, confirm that antivirus is running and current. For Microsoft 365 environments, Microsoft Intune handles this and is included in many business plans. It’s not complicated to set up and it closes a significant gap.

The minimum you should have for any remote employee accessing company data: full-disk encryption, a managed antivirus, and MFA on every business application. If you don’t know whether your remote devices have these, you should find out.

The access review most businesses skip

When someone leaves a company, their accounts should be disabled immediately. In practice, it often takes days or weeks, and sometimes it never happens. In a fully remote environment where everything is cloud-based, those forgotten accounts are live doors back into your systems.

Go through your Microsoft 365 or Google Workspace admin panel and look at active accounts. Look at who has admin access. Check your VPN credentials list. If you see names of people who left six months ago, fix that today.
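The review described above can be scripted once you have exported the lists. This is an added example, not part of the original article: the CSV column names, the example.com addresses and the `access_review` function are assumptions made for illustration, not the real export format of Microsoft 365, Google Workspace or any VPN product.

```python
import csv
import io
from datetime import date

# Constructed sample data. Column names are assumptions for this example,
# not the real export format of any directory or VPN product.
DIRECTORY_CSV = """email,enabled,is_admin
alice@example.com,true,true
bob@example.com,true,false
carol@example.com,true,true
dave@example.com,false,false
"""
VPN_CSV = """email
alice@example.com
bob@example.com
erin@example.com
"""
DEPARTED_CSV = """email,last_day
bob@example.com,2024-01-15
carol@example.com,2024-05-30
dave@example.com,2024-03-01
erin@example.com,2023-11-20
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def access_review(directory_csv, vpn_csv, departed_csv, today):
    """Return (email, kind, days_since_last_day) for departed staff with live access."""
    departed = {r["email"].strip().lower(): date.fromisoformat(r["last_day"])
                for r in rows(departed_csv)}
    findings = []
    for r in rows(directory_csv):
        email = r["email"].strip().lower()
        # A disabled account is already handled; only enabled ones are findings.
        if email in departed and r["enabled"].strip().lower() == "true":
            kind = "admin account" if r["is_admin"].strip().lower() == "true" else "account"
            findings.append((email, kind, (today - departed[email]).days))
    for r in rows(vpn_csv):
        email = r["email"].strip().lower()
        if email in departed:
            findings.append((email, "vpn credential", (today - departed[email]).days))
    # Longest-stale access first.
    return sorted(findings, key=lambda f: -f[2])

if __name__ == "__main__":
    for email, kind, days in access_review(DIRECTORY_CSV, VPN_CSV, DEPARTED_CSV, date(2024, 7, 1)):
        print(f"{email}: {kind} still active {days} days after last day")
```

Note that the VPN list catches a departed user who no longer appears in the directory at all, which is why it is checked separately rather than joined to the directory export.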


Remote work security isn’t about buying a lot of new tools. It’s mostly about extending the basics - the same patching, MFA, and monitoring you’d apply in the office - out to wherever your people actually work. If you’re not sure where your gaps are, DarkHorse IT can walk through your current setup and tell you exactly what needs attention.