Guide Updated 2026-07-11 17 min read By HubSecure Editorial Team Reviewed by compliance reviewers

Short summary

Remote and hybrid work is now the operating reality for most regulated firms — yet most remote work policies were written for the pandemic and never updated for a world where regulators expect the same compliance standards regardless of where staff are sitting.

  • Device security requirements: MDM, encryption, and remote wipe.
  • Network security: VPN vs ZTNA and why home WiFi is a compliance risk.
  • Data handling, DLP, shadow IT, and approved application lists.
  • Communication security, client meeting protocols, and recording consent.
  • Maintaining audit readiness and a policy template outline.
  • Implementation timeline for deploying secure remote work controls.

Secure Remote Work for Regulated Teams: The Definitive Guide

How to run a remote or hybrid team without compromising compliance — covering device security, network access, data handling, communication governance, physical security, and audit readiness for regulated industries.

Written byHubSecure Editorial Team

Security and compliance guides for IT leads, operations managers, and risk officers at regulated firms.

Reviewed byHubSecure Security & Compliance Review

Reviewed against ISO 27001, NIST CSF, FCA operational resilience guidance, and GDPR remote working requirements.

Last updatedJuly 11, 2026

Updated to reflect current ZTNA market maturity, FCA hybrid working expectations, and 2026 cyber incident reporting requirements.

TL;DR

The new reality of regulated remote work

The regulated professions were among the last to embrace remote working, and for understandable reasons: client confidentiality, information security, supervision obligations, and regulatory expectations all create real complexity when staff are not in the same building as the systems and documents they work with. But the shift has happened. The question is no longer whether regulated work happens remotely — it does. The question is whether the controls that protect it have kept pace with how the work is done.

Most have not. The remote working arrangements that were deployed at speed in 2020 were emergency measures — functional but not robust. They were typically VPN access bolted onto existing infrastructure, video calls via whatever platform staff had on their phones, and an implicit understanding that the usual information security rules still applied even though the usual enforcement mechanisms did not. Five years later, many firms are still operating on those emergency foundations, now quietly calcified into unofficial policy.

Regulators are increasingly explicit that this is not acceptable. The FCA's operational resilience framework expects firms to maintain the same service and compliance standards from any location. GDPR's security obligations — appropriate technical and organisational measures to protect personal data — apply regardless of where processing takes place. And the practical reality is that remote environments introduce attack surfaces and compliance risks that simply do not exist in a managed office: home WiFi networks, personal devices, uncontrolled physical environments, and the gravitational pull of convenience tools that are not on the approved list.

The compliance location paradox: Regulators hold firms accountable for what happens to client data regardless of where it happens. If a fee earner emails client files to their personal Gmail because the VPN was slow, and that Gmail account is breached, the firm has a data breach — not the employee personally. The location of the breach does not change the firm's responsibility, but the distance between the firm and the data creates systematic visibility gaps that make these incidents more likely and harder to detect.

Device security: MDM, encryption, and remote wipe

The device is the perimeter in a remote working environment. In an office, physical access controls, network segmentation, and the proximity of IT staff provide a backstop. At home or in a coffee shop, the device itself is often the only layer standing between your client data and the network it is connected to.

Mobile Device Management (MDM)

Every device used to access firm systems and data — laptops, tablets, smartphones — must be enrolled in a Mobile Device Management solution. MDM gives your IT team the ability to:

Leading MDM platforms include Microsoft Intune (tightly integrated with Microsoft 365 and Entra ID), Jamf (Apple-first), and Kandji. For most regulated firms already using Microsoft 365, Intune is the path of least resistance and the most cost-effective option.

Encryption at rest

Full-disk encryption must be enforced on all firm devices. On Windows, this means BitLocker enabled and key escrowed to the firm's Entra ID or Intune instance. On macOS, it means FileVault enabled and recovery key escrowed. Encryption ensures that if a device is physically lost or stolen, the data on it cannot be accessed without the encryption key — which the thief does not have.

Encryption at rest does not protect data while the device is powered on and unlocked. It protects it when the device is powered off or the drive is removed. This is why screen lock (automatic, after no more than five minutes of inactivity) and strong authentication are equally important.

Remote wipe capability

MDM provides remote wipe — the ability to factory-reset a device or selectively remove firm data (without wiping personal data) from any enrolled device. Remote wipe must be tested before you need it, not after. Your incident response procedure for a lost or stolen device must include a defined timeframe within which remote wipe is initiated — typically within two hours of the loss being reported.

Personally owned devices (BYOD)

Personally owned devices present a particular challenge. Staff have a reasonable expectation of privacy on their personal devices; firms have an obligation to protect client data that the device may access. The cleanest solutions are:

MDM visibility concern: Staff routinely misunderstand what MDM can see on their personal devices. MDM enrollment for device management does not give your IT team access to personal photos, messages, or browsing history — it gives visibility into device compliance status and the ability to manage the corporate data partition. But this must be communicated clearly, documented in your acceptable use policy, and consented to by staff before enrollment. Undisclosed monitoring is a GDPR issue in its own right.

Network security: VPN vs ZTNA and the home WiFi problem

The problem with home WiFi

A staff member's home WiFi network is, from a security perspective, an untrusted network. It is shared with household members. The router is likely running firmware that has not been updated in years. The password may be the default that came printed on the label. Other devices on the same network — smart TVs, IoT devices, games consoles — are potential pivot points for an attacker who gains access to the network. None of this is under your control.

The correct approach is to treat home WiFi as equivalent to a public WiFi network: untrusted, potentially hostile, and requiring the same controls you would apply if the staff member were working from a coffee shop. Every connection from a home network to firm systems should be encrypted in transit, and access to sensitive systems should require authentication that does not depend on network location.

VPN: what it does and what it does not do

A Virtual Private Network (VPN) creates an encrypted tunnel between the remote device and the firm's network. Traffic within that tunnel is protected from interception on the local network. VPNs are effective at protecting data in transit and at preventing local network eavesdropping.

What a VPN does not do: it does not verify that the device connecting through it is secure and compliant. Once a device authenticates to the VPN, it typically has broad access to everything on the firm's network — just as if it were a device in the office. This "once inside, trusted everywhere" model is the fundamental weakness of VPN-based remote access. A compromised device authenticated to the VPN has the same access as a clean device. This is why VPNs alone are not sufficient for high-security environments, and why ZTNA has emerged as the architectural successor.

Zero Trust Network Access (ZTNA)

Zero Trust Network Access is an architectural approach based on the principle that no user, device, or network connection should be automatically trusted — every access request must be authenticated and authorised based on who is asking, from what device, in what state, for what resource.

In a ZTNA model:

ZTNA platforms include Cloudflare Access, Zscaler Private Access, Microsoft Entra Private Access, and Palo Alto Prisma Access. For firms already on Microsoft 365 and Entra ID, Microsoft's ZTNA capabilities are increasingly competitive and deeply integrated with the existing identity stack.

CapabilityTraditional VPNZTNA
Encrypts data in transitYesYes
Device compliance verificationBasic (certificate)Full MDM posture check
Access scopeBroad network accessPer-application, least privilege
Lateral movement preventionNoYes
Application-level audit loggingLimitedYes
Works without a perimeterNoYes
Implementation complexityLowerHigher
Suitable for <50 staffYesYes (cloud-native options)

Data handling, classification, and DLP

Data classification

Your staff cannot protect data they cannot categorise. A data classification scheme defines how data should be handled based on its sensitivity — typically across three or four tiers:

Classification should be applied at document and email level where practical. Microsoft 365 sensitivity labels, integrated with Purview, provide a workable mechanism for automated and user-applied classification that then drives DLP policy enforcement.

Data Loss Prevention (DLP)

Data Loss Prevention tools monitor and control the movement of data — preventing staff from sending client files to personal email, uploading confidential documents to personal cloud storage, or printing sensitive data without a logged record. DLP is not a surveillance tool; it is a policy enforcement mechanism.

Key DLP controls for remote regulated teams:

Approved application list

Every regulated firm should maintain and enforce an approved application list — the tools that are authorised for use with firm data, have been through a procurement security review, and are covered by appropriate data processing agreements. Any application not on the list is not approved for use with firm data. This needs to be stated clearly in your policy, communicated to staff, and enforced through MDM (blocking installation of unapproved apps on firm devices) and DLP (blocking data transfer to unapproved services).

Communication security and shadow IT

The shadow IT problem

Shadow IT refers to applications and services used by staff without IT approval or awareness. In a remote working environment, shadow IT proliferates because the friction of doing things the "proper" way is higher — you cannot walk down the corridor to ask IT for help, and the approved tools may feel slower or less convenient than the consumer alternatives staff use in their personal lives.

Common shadow IT in regulated firms includes:

Shadow IT is not primarily a technology problem — it is a workflow problem. Staff reach for unapproved tools because the approved tools are inadequate, unavailable, or more inconvenient. The correct response combines policy enforcement with genuine improvement of the approved tool experience: if staff are using WhatsApp for client communications because your firm's approved messaging platform is inferior, fix the approved platform rather than just banning WhatsApp.

Governed messaging for client communications

Client communications must occur through channels that provide: end-to-end or transport encryption; message retention under firm control; access logging; the ability to export communications for regulatory inspection; and data storage that meets your data residency obligations. Consumer messaging apps meet none of these requirements. Your firm needs an approved client communication platform — whether that is a secure client portal, a governed messaging layer, or a firm-managed email system with DLP — and that platform must be the only channel through which client communications happen.

Client meetings: video security and recording consent

Platform security requirements

Your video conferencing platform for client meetings must meet a higher standard than the consumer tools staff use for personal calls. Requirements include:

Recording consent obligations

Recording a client meeting without consent is, in most jurisdictions, an unlawful interception of communications, a potential criminal offence, and almost certainly a breach of your professional obligations. Before recording any client meeting:

These requirements flow from GDPR (for EEA participants), the Investigatory Powers Act 2016 (for UK participants), and parallel legislation in other jurisdictions. Automatic recording of all calls without per-call consent is typically not permissible in regulated professional services contexts, even when notice is provided in terms of engagement.

Physical security: clean desk and screen privacy

Physical security is the layer of remote working security most frequently overlooked because it is invisible to technology controls. No MDM, VPN, or DLP tool can prevent a client's personal data from being seen by a household member walking past an unlocked screen, or prevent a confidential document left on a desk from being read by a visitor.

Clean desk in a home office context

The clean desk principle — no confidential documents left unattended at an unlocked workstation — must be adapted for the home working environment. This means:

Screen privacy

Privacy screens — physical filters that restrict viewing angles so only the person directly in front of the monitor can see the screen — are inexpensive and effective for staff who work in shared spaces or co-working environments. For staff who regularly work from cafes, trains, or open-plan co-working spaces with client data on screen, privacy screens should be mandatory, not optional.

Audit readiness while remote

Audit readiness means being able to demonstrate, on demand and retrospectively, what happened to client data — who accessed it, when, from where, what they did with it, and whether they were authorised to do so. In an office environment, physical access controls, shared systems, and proximity to IT provide a baseline of visibility. In a remote environment, that visibility must be explicitly built into your tooling and processes.

The controls that make remote work auditable are:

Remote work policy template outline

Every regulated firm with remote workers needs a written remote work policy that has been reviewed, approved by senior management, and communicated to all staff. The following outline covers the essential sections. Each section should include the specific rules that apply, who is responsible for enforcing them, and the consequences of non-compliance.

  1. Scope and applicability — who the policy applies to; what work locations it covers (home, co-working, travel); what it does not cover
  2. Approved devices — which devices are permitted; MDM enrollment requirements; personally owned device policy (BYOD rules or prohibition)
  3. Network security — VPN or ZTNA requirements; home WiFi minimum requirements; prohibition on public WiFi without VPN; travel security requirements
  4. Data classification and handling — classification scheme; rules for handling each classification level remotely; printing restrictions; approved storage locations
  5. Approved applications — approved tool list; process for requesting approval for new tools; explicit prohibition on personal email, personal cloud storage, and unapproved messaging apps for work purposes
  6. Client communications — approved channels for client contact; prohibition on personal communication channels; video meeting security requirements; recording consent requirements
  7. Physical security — clean desk requirements; screen lock requirements; screen privacy in public locations; visitor and household member controls during client calls
  8. Incident reporting — what constitutes a reportable security incident; how to report (contact, channel, timeframe); obligation to report lost or stolen devices within a defined timeframe
  9. Monitoring and compliance — disclosure of what monitoring takes place on firm devices; how compliance with the policy is checked; consequences of non-compliance
  10. Review cycle — who owns the policy; how often it is reviewed; how changes are communicated

Onboarding remote staff securely

Remote onboarding is a security high-risk moment. It is the point at which a new employee's identity is least verified, the employment relationship least established, and access to firm systems most broadly granted for the first time. The risk of social engineering attacks (fake employee onboarding), credential harvesting, and insider threat is all elevated in the first weeks of employment — and remote onboarding removes many of the in-person controls that would otherwise mitigate these risks.

Secure remote onboarding requires:

Implementation timeline

For a firm of 10–50 people implementing or overhauling secure remote work controls from scratch, the following timeline reflects a realistic phased approach. Larger firms or those with existing tooling may compress some phases.

Weeks 1–2Baseline assessment: Audit current device inventory; identify unenrolled devices; document current remote access architecture (VPN, direct, mixed); catalogue current approved tools vs tools actually in use; identify shadow IT through staff survey and IT log review.
Weeks 3–4Policy drafting: Draft remote work policy using template outline above; review with senior management; review with legal/compliance; finalise and prepare communication plan. Draft acceptable use policy if not current.
Weeks 5–6MDM rollout: Select and configure MDM platform; enroll all firm devices; define and push baseline compliance policy (encryption, screen lock, OS version requirements); test remote wipe on a test device; communicate enrollment process to staff.
Weeks 7–8Network security: Deploy or upgrade VPN; evaluate ZTNA options and begin pilot if proceeding; configure MFA for all remote access (enforce, not optional); review and tighten firewall and network segmentation rules.
Weeks 9–10DLP and data classification: Implement data classification scheme; configure Microsoft Purview sensitivity labels or equivalent; deploy DLP policies for email and cloud storage; test and tune policies to reduce false positives before full enforcement.
Weeks 11–12Training and policy go-live: Deliver remote security awareness training to all staff; publish approved tool list; communicate policy; collect policy acknowledgements; establish security incident reporting channel; set review date.
OngoingMaintenance: Quarterly review of MDM compliance reports; annual policy review; continuous log monitoring; periodic shadow IT sweep; update training content as threat landscape and regulatory expectations evolve.

Secure remote work policy checklist

All devices enrolled in MDM: Every device used to access firm systems — firm-provided or BYOD — is enrolled in the firm's MDM platform. Unenrolled devices cannot access firm systems.
Full-disk encryption enforced: BitLocker (Windows) or FileVault (macOS) is enabled on all firm laptops, with encryption keys escrowed to the firm's identity platform. Compliance is monitored via MDM.
Remote wipe tested and documented: Remote wipe capability has been tested on at least one device. The incident response procedure for lost or stolen devices includes a defined timeframe for initiating remote wipe.
MFA enforced for all remote access: Multi-factor authentication is required for all remote connections to firm systems. It is enforced at the identity provider level — staff cannot bypass it by using a different connection method.
VPN or ZTNA deployed and required: All remote access to firm internal systems passes through the firm's VPN or ZTNA solution. Staff cannot access internal systems from a direct internet connection without approval.
Approved application list published and enforced: A current approved tool list exists, has been communicated to all staff, and MDM or DLP policies prevent or alert on data transfer to unapproved applications.
Data classification scheme in place: Personal data, client data, and other sensitive information is classified and labelled. Staff know how to classify documents and what handling rules apply at each level.
DLP controls deployed: Data Loss Prevention policies are active for email, cloud storage, and where applicable, endpoint. Policies prevent or alert on the upload of classified data to personal or unapproved services.
Client communication policy defined: Staff know which channels are approved for client communication, which are prohibited, and why. Personal email, WhatsApp, and unapproved messaging tools are explicitly prohibited for client communications.
Video meeting security configured: Approved video platform has waiting rooms and password protection enabled by default. Recording policy and consent requirements are documented and communicated to staff.
Physical security requirements communicated: Staff have received written guidance on clean desk, screen lock, screen privacy in public locations, and the handling of client documents in the home environment.
Centralised audit logging active: All access to firm systems is logged centrally. Logs are retained for a period consistent with regulatory requirements and are stored in tamper-evident storage. Log review is conducted on a defined schedule.
Remote work policy written, approved, and acknowledged: A written remote work policy exists, has been approved by senior management, has been communicated to all staff, and all staff have acknowledged it in writing. It has a defined review date.
Remote onboarding procedure documented: A specific onboarding procedure exists for remote employees, covering pre-access identity verification, device shipping, phased access provisioning, and security awareness acknowledgement before activation.

Frequently asked questions

Our staff want to use personal smartphones to check work email while travelling. Is this permissible?

It can be, under the right controls — but not by default. Accessing firm email on a personal smartphone without MDM enrollment and without MFA means that if the phone is lost, anyone who picks it up has access to your firm's email. At minimum, personal smartphones used for work email must have screen lock enabled, and the email application must be configured to allow remote wipe of the work account separately from the personal data on the device. Many MDM platforms support this through a "managed email profile" approach. The cleaner solution is to issue firm devices or to require MDM enrollment of personal devices as a condition of any work use.

How do we handle it when a staff member leaves and their firm laptop cannot be returned immediately?

When a staff member leaves, their access must be revoked immediately — on their last day, or earlier if the departure is involuntary. This means disabling their account in your identity provider, which cascades to all connected systems. The device itself should follow — shipped back within an agreed timeframe (five to ten business days is typical) — and a remote wipe should be initiated if it is not returned within that period. Never rely on a departing employee to delete firm data themselves. The MDM remote wipe provides certainty that data has been removed regardless of what the employee has or has not done. This sequence — access revoke first, device return second, remote wipe as fallback — should be documented in your offboarding procedure.

We are a small firm and cannot afford enterprise ZTNA solutions. What is the minimum viable secure remote access setup?

For a small firm without the budget for full ZTNA, the minimum viable configuration is: a reputable business-grade VPN (not a consumer VPN) with MFA enforced; all devices enrolled in MDM with encryption and screen lock enforced; Microsoft 365 or Google Workspace with Conditional Access policies that block access from non-compliant devices; and DLP configured to prevent email forwarding of sensitive data to personal addresses. This is not as robust as ZTNA, but it addresses the most common attack surfaces for small firm remote workers. Many of these controls are available within Microsoft 365 Business Premium or Google Workspace Business Plus at a cost that most small firms can justify as part of their IT budget.

Do we need to disclose to clients that our staff work remotely?

In most cases, there is no statutory obligation to disclose to clients that staff work from home. However, your data protection obligations require you to have appropriate security measures in place wherever processing occurs — and your professional obligations require you to maintain client confidentiality regardless of where work is done. Some clients, particularly institutional clients or those with their own strict information security policies, may have contractual requirements about where their data is processed and by whom. Review your client contracts and data processing agreements. If a client's data is being processed in a home environment and that raises questions about your contractual commitments (for example, a data processing agreement that specifies an office address as the processing location), you should seek legal advice on whether disclosure or amendment is required.

What should we do if a staff member reports that their device has been lost or stolen?

Treat it as a potential data breach from the moment of report. Initiate remote wipe immediately through MDM. Revoke the staff member's credentials and issue new ones after verifying their identity through a secondary channel. Assess what data may have been on the device or accessible through the device. If client personal data or firm confidential data was at risk, assess whether you have a reportable data breach under GDPR (notification to the supervisory authority within 72 hours if the breach is likely to result in risk to individuals) or other applicable breach notification requirements. Document the entire chain of events — when the loss was reported, when remote wipe was initiated, the result of the wipe attempt, and the breach risk assessment. Even if you conclude no notification is required, you must document that conclusion and the reasoning behind it.

Give your remote team a compliance-grade workspace

HubSecure gives regulated firms a secure, audit-ready environment for client records, document collection, and team communications — purpose-built for distributed teams that cannot afford to trade compliance for convenience.

Book a demo

Reviewed for regulated teams

Prepared by the HubSecure editorial team for IT managers, compliance officers, and operations leads at law firms, accounting practices, and financial services firms managing remote or hybrid teams. This guide is for informational purposes and does not constitute legal or information security advice. Consult qualified professionals for advice specific to your organisation.

Authors · Reviewers · Editorial policy

Next useful pages

Continue the security evaluation

These links connect this page to the most relevant security, compliance, and client management pages.

secure client portalcompliance CRMsecure document collectionAML & KYC sentinelguides
Canonical hubs

Source-of-truth pages for this topic

These hub pages tell buyers and search engines how this page fits into the wider HubSecure information architecture.

Recommended next step

Continue the evaluation path

The next step for a firm building out secure remote work infrastructure is to see how HubSecure's client portal and document management tools provide a compliance-grade alternative to the shadow IT that remote teams typically reach for.