When remote work became mandatory overnight for millions of businesses, the priority was keeping people connected and productive. Security was the problem to solve later. For most businesses, later never really came.

What is left is a collection of stopgap measures, personal devices accessing corporate systems, and network configurations that were designed for a world where everyone sat in the same building. Attackers have had years to study these patterns. The threat landscape adapted a lot faster than most businesses did.

This is not about blame. The scramble was real and the pressure was enormous. But understanding what actually changed — and what that means for your business today — is how you start fixing it.

The network perimeter essentially disappeared

Traditional network security was built around a perimeter. You had your office network, and everything inside it was roughly trusted. Everything outside it was not. Firewalls, access controls, and monitoring were all designed around this model.

Remote work dismantled that model almost completely. Employees are now connecting from home networks that you have no control over, on personal devices that may or may not have proper security software, through internet connections that are shared with everything else in their household. The traffic that used to stay inside a controlled environment now travels across the public internet before it ever touches your systems.

Many businesses responded with VPN access — which was the right instinct — but the implementation was often rushed. VPNs set up quickly under pressure frequently had weak authentication, broad access permissions, and no monitoring. They created a tunnel into the network without controlling what could come through it.

Personal devices became business devices

One of the most common and least discussed security issues from the remote work shift is device sprawl. Employees who could not get company equipment used personal laptops and phones. In many organisations this became a permanent arrangement.

Personal devices do not go through your IT procurement process. They do not get enrolled in your endpoint management system. They do not receive your security policies. And when an employee leaves the company, their personal device — which may still have cached credentials, saved passwords, or local copies of work files — leaves with them.

The fix here is not necessarily replacing every personal device with a company-issued one, though that is ideal. At minimum it means mobile device management software that can enforce basic security policies on any device that accesses company systems, and clear offboarding procedures that include revoking access before the last day of employment rather than after.

Worth asking: When did you last check which devices and accounts still have access to your systems? Former employees' accounts are one of the most consistently overlooked vulnerabilities we find in network assessments.

Shadow IT filled the gaps

When the tools businesses had in place did not work well for remote teams, people found their own solutions. File sharing through personal Dropbox accounts. Team communication through personal WhatsApp groups. Collaboration through tools the IT department did not know existed.

This is sometimes called shadow IT, and it is not a sign of malicious intent. It is a sign that legitimate needs were not being met. But it creates real risk — data sitting in systems outside your control, business information shared through platforms with unknown security practices, and no visibility into where sensitive files end up.

The response is not to ban personal initiative. It is to make sure your approved tools actually work for people, that there is a clear and easy process for requesting new software, and that you have at least basic visibility into what services are being used to access and share business data.

Home networks are a different problem than office networks

The average home network has a consumer-grade router, a password that was set up once and never changed, and a collection of smart TVs, game consoles, and connected devices all sitting on the same network segment as the work laptop. It is a very different environment from a managed office network.

There are practical steps here that do not require replacing every employee's home router. A VPN with proper split tunnelling routes work traffic securely without impeding personal internet use. Clear guidance about keeping work devices on a separate network from smart home devices makes a meaningful difference. And multi-factor authentication on all business systems means that even if home network credentials are compromised, getting into company systems still requires a second factor.

Where to start if you have not started yet

If your remote or hybrid work security has not been properly reviewed since the initial scramble, the most useful starting point is an honest inventory. Which users have remote access? Through what mechanism? What devices are they using? What do they have access to that they probably should not?

This does not require expensive software. It requires sitting down with the people who manage your systems and working through what actually exists versus what you assumed was in place. In our experience, that conversation produces a short list of high-priority fixes that can meaningfully reduce exposure without requiring a major investment.
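The inventory questions above can be answered from two exports and a short script. The following is an added example, not part of the original article: it cross-references an HR roster against a remote-access account export and flags departed employees, missing MFA, unmanaged devices, and sensitive access held by an already-risky account. The column names, group names, and every sample row are constructed assumptions.

```python
import csv
import io

# Constructed sample data: an HR roster and a remote-access account export,
# as might be pulled from a payroll system and a VPN or identity provider.
HR_ROSTER = """email,status,last_day
alice@example.com,active,
bob@example.com,departed,2024-03-15
carol@example.com,active,
"""

ACCESS_EXPORT = """account,mechanism,device,managed,mfa,groups
alice@example.com,vpn,LAPTOP-0142,yes,yes,staff
bob@example.com,vpn,bobs-macbook,no,no,staff;finance
carol@example.com,rdp,carol-home-pc,no,yes,staff;domain-admins
dave@example.com,vpn,unknown,no,no,staff
"""

SENSITIVE = {"domain-admins", "finance"}  # assumption: groups you treat as sensitive


def audit(roster_csv, access_csv):
    """Return (account, mechanism, issues) tuples, worst offenders first."""
    roster = {r["email"].lower(): r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(access_csv)):
        who = acct["account"].lower()
        person = roster.get(who)
        issues = []
        if person is None:
            issues.append("no matching employee record")
        elif person["status"] != "active":
            last = person["last_day"] or "unknown"
            issues.append(f"employee marked {person['status']} (last day {last})")
        if acct["mfa"] != "yes":
            issues.append("no MFA")
        if acct["managed"] != "yes":
            issues.append(f"unmanaged device ({acct['device']})")
        # Sensitive access is only escalated when the account is already risky.
        risky = SENSITIVE & set(acct["groups"].split(";"))
        if risky and issues:
            issues.append("sensitive access: " + ", ".join(sorted(risky)))
        if issues:
            findings.append((who, acct["mechanism"], issues))
    # Most issues first, so the short list of priority fixes is at the top.
    return sorted(findings, key=lambda f: -len(f[2]))


if __name__ == "__main__":
    for who, mechanism, issues in audit(HR_ROSTER, ACCESS_EXPORT):
        print(f"{who} via {mechanism}: " + "; ".join(issues))
```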

Network security does not need to be perfect to be effective. It needs to be meaningfully harder to breach than the average alternative. Most businesses are not far from that bar — they just have not taken the step of finding out where they actually stand.
