About remote / home working

What is remote or home working?

Remote working is the practice of an employee working at their home, or in some other place that is not an organisation’s usual place of business.

Anyone working from home for any amount of time is classified as a ‘home worker’. The devices that home workers use to access organisational data or services, whether they are owned by the organisation or the user, are in scope for Cyber Essentials.

Employees log on and access organisational files and emails over the internet, but rather than being connected to the internet via an organisation’s secure networks, employees are connecting their devices to home networks or those of an unknown, uncontrolled environment such as a cafe or other publicly shared space with unknown levels of security.

Remote working makes it especially important for organisations to have good security controls in place, as well as clear policies and procedures that help staff minimise the risk of a cyber breach. It is also recommended that organisations detail the practical steps that should be taken if there is a security concern.

The following measures can help reduce the risks:

All devices used to access organisational data and services should have:

Supported operating system
Antivirus software
Automatic updates enabled where possible

User identity should be confirmed with Multi Factor authentication where possible. It should be enabled on all accounts that access cloud services. (See guidance on applying MFA to cloud services.)

Staff should use a standard user account to carry out their normal day to day work. A separate administrator account should only be given to those people that need to install and remove software, and perform other administrative tasks as part of their job. Administrative accounts should never be used for accessing emails or browsing the internet. (See About accounts.)

(See guidance on Bring Your Own Device.)


A worker’s home router is not in scope for Cyber Essentials unless it is provided by the applicant company, in which case, it needs to have the Cyber Essentials controls applied to it.

All device’s that access organisational data, including emails, must have their software firewalls turned on and securely configured to meet Cyber Essentials requirements.

Cyber Essentials asks organisations to hold robust password policies. These include being able to confirm that passwords are changed if compromised. In order to answer ‘yes’ to this question, organisations need to be aware of what constitutes a *breach and be confident that staff members would recognise and report one.
Guidance needs to be available to employees on how to choose unique passwords for their work accounts and how to apply the technical controls to manage the quality of passwords and protect them from brute-force password guessing. (See guidance, the value of passwords.)

*A data breach occurs when information held by an organisation is stolen or accessed without authorisation. This can include destruction, loss, alteration or unauthorised disclosure of organisational data or lead to further unauthorised access to other organisational services.

Remote Working
Organisations should ensure that policies and procedures that support mobile working or remote access to systems are reviewed regularly.

Remote Desktop Protocol (RDP)
Remote Desktop Protocol enables a user of a computer in one location to access a computer or server somewhere else. This is often used by technicians to support users and to carry out maintenance tasks.

Remote Desktop Protocol is a common attack vector for ransomware and should only be used on internal networks.

Close or block the RDP port at the firewall so that it is not open for use across the internet.
Where possible, rather than using remote connections, utilise cloud services such as OneDrive or Google Drive.

Cloud services
Cloud services need to be correctly configured. Many organisations have increased their use of Microsoft 365 and G Suite, and used tools such as Teams, and Zoom to connect remotely. Cloud platforms are not secure by default and organisations are responsible for protecting the data and applications they use. (See guidance, applying the five controls to cloud services.)

Also: see guidance about VPNs.