Keep staff secure when working remotely in public spaces
Flexible working is one of the most valued benefits an employer can offer. But to manage it well, businesses need the right tools, clear policies and a culture of security awareness to enjoy the benefits without the associated risks.
Introduction
Remote working has become a permanent fixture for many UK businesses. But working from a coffee shop, hotel reception or co-working space introduces security risks that most organisations haven’t fully addressed.
Here’s our guide to what your business needs to put in place and what your team needs to know to keep your assets safe.
For many businesses in Gloucestershire, flexible working is now a standard part of the employment offer and an important tool for attracting and retaining good people.
But, with that level of flexibility comes responsibility; when employees work from coffee shops, hotel lounges, leisure centres or even on the train, they’re in environments and connecting to networks that your IT team has no control over.
The extra security protections that exist within your office, or your remote desktop setup, don’t automatically travel with them.
This guide sets out the practical steps every business should take to protect company data when staff are working on the move.
The risks of open networks
Free Wi-Fi is a significant draw for remote workers. It’s convenient, it’s widely available and it feels like a reasonable substitute for a home broadband connection. But public networks don’t carry the level of encryption or access controls you’d apply to your own infrastructure and even when they require a password, that password is typically shared with dozens or even hundreds of complete strangers.
This makes them an attractive target for cybercriminals. One of the most common threats is the man-in-the-middle attack, in which a hacker sets up a fake wireless network, often named something plausible like “CafeGuest” or “HotelWiFi_Free” in order to trick workers using nearby devices into connecting.
Once a device connects, the attacker can intercept everything sent over that connection from emails, login credentials, to documents and even client data.
Even a password-protected public network offers limited protection. If the password is printed on a chalkboard that everyone can see, the barrier to access is effectively zero.
To mitigate some of the risk associated with free Wi-Fi use, your remote working policy should make it clear that employees must never use an open or shared public network to access sensitive business systems, client data or internal documents without additional protection in place.
Mandating VPN use for remote access
The most effective technical control for remote workers is a Virtual Private Network (VPN). A VPN creates an encrypted tunnel between the employee’s device and your company network, making any data transmitted unreadable to anyone who might intercept it, even on an unsecured connection.
For businesses running Microsoft 365, a properly configured VPN works alongside Microsoft’s built-in security features to provide layered protection. It’s a non-negotiable component of any serious remote working security setup.
As a Microsoft partner, we suggest you:
Provide a business-grade VPN to all employees who work remotely — not a free consumer product
Configure it to connect automatically whenever the device is outside the office network
Enforce VPN usage through technical controls so employees cannot bypass it when accessing company systems
Keep VPN software updated as outdated VPN clients are themselves a security vulnerability
But, even with these precautions in place, there is a subsequent note of caution on usability.
Security tools only work if people use them. If your VPN is slow, complicated or unreliable, employees will find ways around it. Make sure that you choose a solution that’s straightforward to use and make sure the IT team is available to support staff who have issues connecting at whatever time they need to access files.
The risk of visual hacking
Not all cyber security threats are digital. Visual hacking; a term coined for the practice of stealing information simply by looking at someone’s screen is low-tech, difficult to detect and more common than most people assume. A crowded coffee shop or an open train carriage gives strangers a clear line of sight to whatever is on your employee’s screen.
Client data, financial spreadsheets, legal documents, pricing information; all of this can be read, noted or photographed by someone sitting nearby, without any technical knowledge whatsoever.
The straightforward solution is a privacy screen filter. These are thin overlays that make a screen appear black when viewed from an angle, while remaining fully visible to the person sitting directly in front of it.
They are inexpensive, widely available and should be standard issue for any employee who regularly works in public spaces. Some newer business laptops include a hardware-level privacy screen that can be toggled on and off.
Physical device security
Working remotely, or simply taking a laptop to a meeting, increases the chances of it being stolen. The cost of a stolen laptop can be far more than the cost of the replacement unit.
In a busy public space, opportunistic theft takes seconds. Clearly, if the device isn’t properly encrypted and secured, everything on it- and everything it can access- can be compromised.
Your remote working policy should set clear expectations around the physical security of devices:
Laptops must never be left unattended, even briefly when stepping away to collect a coffee or use the toilet
Never ask a stranger to “watch” a device. This is a common social engineering tactic used to facilitate theft
In co-working spaces, cable locks provide a practical deterrent for extended periods of work
Ensure all company devices are encrypted (BitLocker on Windows) and require a PIN, password or multi-factor authentication to unlock
Enable remote wipe capability on all devices; if a laptop is stolen, you need to be able to act quickly to remove any sensitive information
It is good practice to ensure every company device is registered with your IT provider so that remote lock and wipe can be activated within minutes of a theft being reported. If your current setup doesn’t support this, it’s worth addressing.
Managing phone calls and conversations
Dom Jolly has recently returned to Gloucestershire; famous for his prank TV sketches, and in particular the loud obnoxious man using a huge mobile phone, very loudly, in inappropriate public places. Don’t be that guy.
Remember, public spaces are rarely as private as they feel in the moment. A busy café might seem noisy enough to mask a conversation, but even more discreet voices carry and the person at the next table may be paying closer attention than you’d expect.
Employees should avoid taking calls involving sensitive business matters in open environments. If a call is unavoidable, stepping outside or moving to a private space; a (static) car, a quieter room is always preferable. It’s worth noting that while headphones prevent others from hearing the other party in a conversation, the employee’s own voice remains fully audible to those nearby- and is often louder than one recognises.
This is particularly relevant for businesses in regulated sectors; legal firms, healthcare organisations and financial services businesses all have specific obligations around the handling of client information, and a carelessly overheard conversation in a public space can constitute a data breach.
Putting a remote working security policy in place
The technical controls listed above are only effective if employees understand what is expected of them and why. A clearly written, remote working security policy is essential, not simply as a tick-box exercise, but as a practical tool that sets standards, supports training and provides a reference point if something goes wrong.
A well-constructed policy should cover:
Acceptable and unacceptable network connections when working remotely
Mandatory use of VPN and the process for connecting
Physical security requirements for devices in public spaces
Guidance on calls and conversations involving sensitive information
What to do if a device is lost or stolen, including who to call
Consequences of non-compliance
Policies should be reviewed annually. The threat landscape evolves quickly and guidance that was current 18 months ago may not reflect today’s risks.
Is your team using AI at home? Technology often moves faster than compliance. Your Remote Working Security Policy should also include an AI Acceptable Use Policy. Ask our team for guidance
Equipping your team to work safely from anywhere
Flexible working is one of the most valued benefits an employer can offer, and the businesses that manage it well; with the right tools, clear policies and a culture of security awareness can enjoy the benefits without the associated risks.
The measures outlined in this guide are simple to implement. A business-grade VPN, privacy screen filters, device encryption, a clear policy and regular training represent a modest investment compared to the cost of a data breach, a ransomware incident or a regulatory penalty.
For businesses in Gloucestershire, these are straightforward steps that significantly reduce exposure to cyber threats.
Well-informed employees are your strongest line of defence against cyber attack. Give them the tools and the knowledge and remote working becomes an asset, not a liability.
Is your workforce protected when working remotely?
Cyber threats continue to grow in frequency and sophistication, affecting organisations of every size. Read our guide on what level of protection your business should have...
AI is everywhere. It dominates headlines, and excites people with its potential. But with the excitement comes a lot of noise. Bold claims and flashy demonstrations. AI is powerful, but…
