The 91% Remote Reality
Ninety-one percent of organizations now support some remote work. OpenVPN’s research documents the permanent shift: remote work isn’t temporary pandemic accommodation. It’s standard operating model. The shift creates security dependencies that pre-pandemic MSP relationships didn’t anticipate.
Your office network is managed. Your employees’ home networks aren’t. The gap defines modern security challenges.
The Home Network Blind Spot
MSP visibility typically ends at the corporate network edge. Beyond that edge:
| Network Zone | MSP Visibility | MSP Control | Security Risk |
|---|---|---|---|
| Corporate office | Full | Full | Managed |
| Cloud infrastructure | Full | Full | Managed |
| VPN tunnel | Partial | Partial | Partially managed |
| Home network | None | None | Unmanaged |
| Home devices | None | None | Unknown |
The employee connects from a home network shared with gaming consoles, smart TVs, family devices, and potentially compromised IoT equipment. All invisible to the MSP.
The Endpoint Dependency
Remote work concentrates security on the endpoint. If the endpoint is secure, remote work can be secure. If the endpoint is compromised, everything is compromised.
Endpoint security components:
Device management. MDM/EDR on corporate devices. No control on personal devices.
Patching. Remote devices may miss patches when off-network.
Encryption. Disk encryption protects lost devices. Implementation varies.
Authentication. MFA protects access. Adoption varies.
Monitoring. EDR provides visibility. Coverage varies by device ownership.
Each component has coverage gaps. The gaps compound.
The BYOD Security Gap
Bring Your Own Device programs create security tension:
| Factor | Corporate Device | BYOD |
|---|---|---|
| Initial security | Configured by IT | User configuration |
| Ongoing management | Full MDM | Limited or none |
| Security software | Mandated | Often optional |
| Privacy | Company owned, monitored | Employee expectation of privacy |
| Data residency | Controlled | Potentially on personal cloud |
| Device loss | Corporate procedures | Depends on user |
BYOD saves hardware costs. It creates security costs that may exceed hardware savings.
The VPN Capacity Problem
Pre-pandemic VPN infrastructure sized for 10-20% remote work. Post-pandemic requirements hit 80-100%. Many organizations discovered capacity constraints:
Connection limits. VPN concentrators have maximum concurrent connections.
Bandwidth constraints. VPN throughput designed for occasional use.
Authentication load. Authentication infrastructure sized for normal patterns.
Split tunnel decisions. Full tunnel protects more but consumes more capacity.
VPN infrastructure may have scaled during pandemic. But capacity planning for sustained remote work differs from emergency expansion.
The Authentication Dependency
Remote access depends on authentication integrity. Compromised credentials provide direct access regardless of other controls.
Authentication chain:
Identity provider. Often cloud-based (Azure AD, Okta). If compromised, everything is compromised.
MFA implementation. Strength varies from SMS (weak) to hardware keys (strong).
Password policies. Enforcement depends on integration completeness.
Session management. How long do sessions persist? What triggers re-authentication?
Privileged access. Administrative access has heightened authentication requirements.
Each link in the chain affects remote security. The MSP manages some links. You manage others. Gaps emerge at transitions.
The Shadow IT Acceleration
Remote work accelerated shadow IT adoption. Employees adopt tools to solve immediate problems without IT involvement.
| Shadow IT Category | Examples | Risk Level |
|---|---|---|
| File sharing | Personal Dropbox, Google Drive | High (data leakage) |
| Communication | WhatsApp for work, personal email | High (visibility loss) |
| Productivity | Unapproved apps, browser extensions | Medium (integration risk) |
| AI tools | ChatGPT for work data | High (data exposure) |
Shadow IT exists because official tools don’t meet needs. The security response must address both the symptom (shadow tools) and the cause (unmet needs).
The Home Office Security Reality
Corporate security policy may mandate home office security. Enforcement is limited:
Policy requirements:
- Dedicated workspace
- Secured WiFi
- Privacy screens
- Document handling
- Video call background
Enforcement reality:
- Trust-based compliance
- No verification mechanism
- Work from coffee shops happens
- Family members see screens
- Printers lack secure disposal
Gap between policy and practice is unknowable and largely unmanageable.
The Monitoring Paradox
Employee monitoring in remote settings creates tension:
Security case for monitoring:
- Detect compromised accounts
- Identify insider threats
- Ensure compliance
- Verify productivity
Employee concerns:
- Privacy invasion
- Trust erosion
- Constant surveillance stress
- Over-reach beyond work
The balance affects both security posture and employee relationship. Neither extreme works.
The Incident Response Complication
Remote work complicates incident response:
Evidence collection. Device is at employee’s home, not corporate office.
Containment. Isolating remote device may require employee action.
Communication. Employee may be unreachable during incident.
Replacement. Shipping replacement device takes time.
Forensics. Remote forensics is more complex than physical access.
Incident response plans designed for office-based work require remote work updates.
The MSP Remote Support Evolution
MSPs adapted to remote work support, but capabilities vary:
| Capability | Some MSPs | Few MSPs |
|---|---|---|
| Remote access support | Standard | Standard |
| Home network troubleshooting | Limited | Extended |
| BYOD security management | Rare | Emerging |
| Remote user training | Offered | Comprehensive |
| Zero trust architecture | Emerging | Advanced |
Understanding your MSP’s remote work capabilities identifies gaps requiring attention.
The Zero Trust Transition
Zero trust architecture addresses remote work security by removing network location from trust decisions:
Traditional model: Inside the network = trusted. Outside = untrusted.
Zero trust model: Nothing is trusted. Everything is verified.
| Element | Traditional | Zero Trust |
|---|---|---|
| Network location | Determines trust | Irrelevant |
| Identity verification | Once at perimeter | Continuous |
| Device trust | Assumed if corporate | Verified continuously |
| Data access | Broad once authenticated | Least privilege enforced |
| Lateral movement | Possible inside perimeter | Constrained by microsegmentation |
Zero trust implementation is significant investment. But it fundamentally addresses remote work security rather than patching traditional models.
Building Remote Work Security
Effective remote work security with MSP partnership:
Define scope. What does MSP manage for remote workers? What falls outside scope?
Endpoint standards. Minimum requirements for devices accessing corporate resources.
Authentication strength. MFA requirements, session management, privileged access.
Monitoring boundaries. What monitoring occurs? What doesn’t?
User responsibilities. What security responsibilities fall on remote workers?
Incident procedures. How incidents involving remote workers are handled.
Training. Remote-specific security awareness.
Document the framework. Review it regularly. Adjust as remote work patterns and threats evolve.
Sources
- Remote work adoption: OpenVPN workforce research
- VPN capacity challenges: Enterprise networking studies
- Shadow IT in remote work: Cloud access security research