Remote work isn't going anywhere. Security posture for distributed teams in 2026 is well-understood. Here's the BC playbook.
The three things that actually matter
Identity, endpoint, and access. Get these right and the location of the user matters very little. Get them wrong and a VPN won't save you.
Identity first
MFA on everything. Conditional access. Identity Protection or equivalent. Single sign-on for SaaS so users don't reuse passwords. This is the foundation of remote work security.
Endpoint discipline
Every device that touches company data is encrypted, patched, EDR-protected, and managed by MDM. Bring your own device is fine if the personal partition is enforced via app protection policy, not vibes.
Access without VPN
Modern access uses Zero Trust principles: per-app access, not per-network access. The user proves who they are, the device proves it's compliant, and the user gets exactly the app they need and nothing else. This is faster than a VPN for the user and more secure, because a stolen credential or a compromised device exposes one application session rather than a whole network segment.
Home WiFi is not your problem
If identity and endpoint are right, the home WiFi doesn't matter. The data is encrypted on the wire and on the device. Save the security budget for things that actually move risk.
Coffee shop is not your problem either
Same answer. Public WiFi has been overhyped for years. Modern OSes and modern apps encrypt traffic end to end, so an untrusted network gains an attacker very little.
The risk that's actually growing
Identity attacks. Phishing, MFA bombing, OAuth consent phishing, session token theft. These bypass the traditional perimeter entirely. Your defense is identity hardening and user awareness, not network controls.
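Two of the attacks named above leave a visible trace in sign-in telemetry: MFA bombing shows up as a burst of prompts to one user, and session token theft shows up as one session ID used from more than one network origin or client. The following is an added example, not code from the original post, that runs both checks over a constructed batch of sign-in events; the field names are assumptions rather than any vendor's log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events for illustration only (not real logs).
# Field names (ts, user, event, session, ip, ua) are assumptions, not a vendor schema.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T09:00:05", "user": "alice", "event": "mfa_prompt", "session": "", "ip": "203.0.113.7", "ua": "Outlook/Win"},
    {"ts": "2026-03-02T09:00:40", "user": "alice", "event": "mfa_prompt", "session": "", "ip": "203.0.113.7", "ua": "Outlook/Win"},
    {"ts": "2026-03-02T09:01:15", "user": "alice", "event": "mfa_prompt", "session": "", "ip": "203.0.113.7", "ua": "Outlook/Win"},
    {"ts": "2026-03-02T09:02:02", "user": "alice", "event": "mfa_prompt", "session": "", "ip": "203.0.113.7", "ua": "Outlook/Win"},
    {"ts": "2026-03-02T09:05:00", "user": "bob", "event": "mfa_prompt", "session": "", "ip": "198.51.100.4", "ua": "Edge/Win"},
    {"ts": "2026-03-02T09:05:30", "user": "bob", "event": "session_use", "session": "s-bob-1", "ip": "198.51.100.4", "ua": "Edge/Win"},
    {"ts": "2026-03-02T09:41:10", "user": "bob", "event": "session_use", "session": "s-bob-1", "ip": "192.0.2.99", "ua": "python-requests"},
    {"ts": "2026-03-02T10:00:00", "user": "carol", "event": "session_use", "session": "s-carol-1", "ip": "203.0.113.50", "ua": "Chrome/Mac"},
    {"ts": "2026-03-02T10:30:00", "user": "carol", "event": "session_use", "session": "s-carol-1", "ip": "203.0.113.50", "ua": "Chrome/Mac"},
]


def parse(events):
    """Convert ISO timestamps to datetime and return events in time order."""
    parsed = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(parsed, key=lambda r: r["ts"])


def mfa_bombing(events, window=timedelta(minutes=10), threshold=3):
    """Users who received >= threshold MFA prompts inside any sliding window."""
    prompts = defaultdict(list)
    for e in parse(events):
        if e["event"] == "mfa_prompt":
            prompts[e["user"]].append(e["ts"])
    flagged = set()
    for user, times in prompts.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
    return sorted(flagged)


def session_reuse(events):
    """Session IDs presented from more than one (ip, user_agent) origin: token theft signal."""
    origins = defaultdict(set)
    for e in parse(events):
        if e["event"] == "session_use":
            origins[e["session"]].add((e["ip"], e["ua"]))
    return sorted(s for s, seen in origins.items() if len(seen) > 1)


if __name__ == "__main__":
    print("MFA bombing candidates:", mfa_bombing(SAMPLE_EVENTS))
    print("Session tokens reused from a new origin:", session_reuse(SAMPLE_EVENTS))
```

On the sample data alice is flagged for four prompts in two minutes and bob's session is flagged because the same session ID later appears from a different IP and client; tune window and threshold to your own prompt volume before alerting on it.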
Documenting the policy
Write it down: acceptable use, device standards, the MFA requirement, what's prohibited. Train new hires on it and have everyone reaffirm it annually. Then, when something goes sideways, you have something to point to.