Remote work is permanent at most BC businesses. The security model for distributed teams is well-understood in 2026, but a lot of SMBs are still securing it the old way (hardware VPN, firewall perimeter) instead of the right way. Here's what actually works.
The Three Things That Actually Matter
Remote work security reduces to three controls: identity, endpoint, and access. Get these right and the physical location of your users is almost irrelevant to your security posture. Get them wrong and a VPN tunnelling all traffic through Prince George won't save you.
Identity: Every user authenticated with MFA. Conditional access policies enforced. Identity Protection monitoring for risky sign-ins. SSO for SaaS applications so users authenticate once to a trusted identity provider rather than maintaining separate passwords for each tool.
Endpoint: Every device that touches company data is encrypted, patched, running EDR, and enrolled in MDM. BYOD is fine if app protection policies create a managed container on personal devices: the personal partition stays separate and the company data inside the container is protected.
Access: Per-application access, not per-network access. A user authenticates with their identity and device health signals prove their device is compliant. They get access to the applications they need. No broad network access required.
Identity First, This Is the Foundation
The majority of security incidents affecting remote workers start with compromised identity. Phishing, password reuse attacks, and MFA bombing are identity attacks. Network attacks against remote workers are rare. Identity attacks are constant.
Your identity controls for remote work:
- MFA on every account, every sign-in, no exceptions, no trusted location exemptions
- Microsoft Authenticator number matching to prevent MFA fatigue attacks
- Conditional access policy blocking sign-ins from unexpected countries
- Entra ID Identity Protection monitoring for anomalous sign-in behaviour
- SSO for all SaaS tools; users authenticating with a separate password to each SaaS tool creates password reuse risk
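The first three controls in that list are Conditional Access configuration, and the most common way they fail in practice is a policy that exists but has an exemption or was never switched out of report-only mode. The check below is an added example, not code from the original post or from North Star IT: it reads policies in the shape Microsoft Graph exports them (the conditionalAccessPolicy resource, with its real "All", "AllTrusted" and "enabledForReportingButNotEnforced" values) and reports what the list above rules out. The two sample policies are constructed and the named-location id is a placeholder.

```python
"""Audit Conditional Access policies against the identity controls listed above.

Added example, not the original post's or North Star IT's code. The policies below are constructed
in the shape of the Microsoft Graph conditionalAccessPolicy resource; the named-location id is a
placeholder. Requirements checked: an enforced MFA policy for all users and all apps with no user
or location exclusions, and an enforced policy blocking sign-ins from outside the allowed countries.
"""
import copy
from typing import Dict, List

POLICIES: List[Dict] = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
            # "AllTrusted" is exactly the trusted-location exemption the list above forbids.
            "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block sign-ins outside allowed countries",
        # Report-only mode logs what would have happened but enforces nothing.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": ["<ALLOWED-COUNTRIES-NAMED-LOCATION-ID>"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]


def policy_gaps(policy: Dict) -> List[str]:
    """Ways one policy falls short of an all-users, all-apps, no-exemptions control."""
    gaps: List[str] = []
    cond = policy.get("conditions", {})
    users = cond.get("users", {})
    apps = cond.get("applications", {})
    locs = cond.get("locations") or {}
    controls = policy.get("grantControls", {}).get("builtInControls", [])
    if policy.get("state") != "enabled":
        gaps.append(f"state is '{policy.get('state')}', so it is not enforced")
    if users.get("includeUsers") != ["All"]:
        gaps.append("does not target all users")
    if users.get("excludeUsers") or users.get("excludeGroups"):
        gaps.append("has user or group exclusions")
    if apps.get("includeApplications") != ["All"]:
        gaps.append("does not cover all applications")
    # Location exclusions are legitimate on a geo-block policy; on an MFA policy they are an exemption.
    if "mfa" in controls and locs.get("excludeLocations"):
        gaps.append(f"exempts locations from MFA: {locs['excludeLocations']}")
    return gaps


def audit(policies: List[Dict]) -> List[str]:
    """Per-policy gaps plus a MISSING line for each required control that no clean policy provides."""
    findings: List[str] = []
    mfa_ok = geo_ok = False
    for p in policies:
        controls = p.get("grantControls", {}).get("builtInControls", [])
        locs = p.get("conditions", {}).get("locations") or {}
        gaps = policy_gaps(p)
        findings.extend(f"{p['displayName']}: {g}" for g in gaps)
        if gaps:
            continue
        if "mfa" in controls:
            mfa_ok = True
        if "block" in controls and (locs.get("includeLocations") or locs.get("excludeLocations")):
            geo_ok = True
    if not mfa_ok:
        findings.append("MISSING: enforced MFA policy for all users and apps with no exclusions")
    if not geo_ok:
        findings.append("MISSING: enforced policy blocking sign-ins from unexpected countries")
    return findings


# The same two policies with the exemption removed and the block enforced.
HARDENED: List[Dict] = copy.deepcopy(POLICIES)
HARDENED[0]["conditions"]["locations"]["excludeLocations"] = []
HARDENED[1]["state"] = "enabled"

if __name__ == "__main__":
    for label, pols in (("as exported", POLICIES), ("hardened", HARDENED)):
        print(label, audit(pols) or ["no findings"])
```

Run against a real export (the policies collection from Graph, or the Microsoft.Graph PowerShell cmdlets that wrap it), the audit turns the "no exceptions, no trusted location exemptions" line into something that can be checked on every change rather than trusted once.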
Endpoint Discipline: Managed Devices Only for Sensitive Data
The device a remote worker uses is your control point. Requirements:
- Disk encryption (BitLocker on Windows, FileVault on Mac)
- Current OS version; remote workers on an outdated OS are a gap
- EDR running and reporting to your MSP
- Enrolled in Intune MDM, device compliance verified before accessing company data
- Auto-lock enabled: 5-minute timeout for laptops used in public spaces
BYOD (personal devices): acceptable with app protection policies. Intune App Protection Policies create a managed container for Outlook, Teams, and OneDrive on personal devices. The company can wipe the managed container without touching personal data, so personal and company data remain separated.
Modern Access Without a Traditional VPN
Traditional VPN tunnels all traffic through a central gateway (remote worker to Prince George office to internet), even for Microsoft 365 traffic that is bound for Microsoft's datacentres in Vancouver or Seattle. It's inefficient and it creates a bottleneck at the VPN gateway.
Modern remote access for cloud-first businesses uses zero trust principles: users authenticate via identity provider, device compliance is checked, access is granted to the specific application needed. No broad network tunnel. Microsoft's Entra ID + Conditional Access implements this for M365 workloads. Azure Private Access (part of Microsoft Entra) extends it to on-premises applications.
The performance improvement when moving from VPN to direct cloud access for M365 is significant and immediately noticeable to users.
The Risks That Are Actually Growing
The traditional perimeter-focused concern (someone on public WiFi having their traffic intercepted) is largely addressed by modern TLS and app-level encryption. Public WiFi is overhyped as a risk for businesses with modern app stacks.
The risks that are actually growing for remote workers in 2026:
- OAuth consent phishing: Attackers send links that request access to the victim's M365 account via a legitimate-looking OAuth app. The user consents and grants the attacker persistent access without a password being stolen.
- Session token theft: If an attacker can steal an authenticated session cookie (via browser malware or compromised endpoint), they can bypass MFA entirely for that session.
- MFA bombing: Flooding users with push notifications until they approve one out of fatigue or confusion.
Defence against all three: Conditional Access with device compliance requirements, Continuous Access Evaluation (CAE) in Entra, and Microsoft Authenticator number matching.
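Conditional Access and number matching reduce these risks but do not remove the need to notice when they happen. The following is an added example, not code from the original post or from North Star IT, showing detection logic for two of the three risks above run over constructed log records: a user-consent audit event is flagged when an unverified app is granted mailbox or file scopes, and push-MFA outcomes are scanned for a burst of refused or ignored prompts followed by an approval, which is the MFA bombing pattern. The record shapes are simplified from what Entra audit and sign-in logs carry, and the thresholds (five refusals in ten minutes) are assumptions to tune for your tenant.

```python
"""Detection logic for two of the growing risks above: OAuth consent phishing and MFA bombing.

Added example, not the original post's or North Star IT's code. Records are constructed and
simplified from the fields Entra audit and sign-in logs carry; the thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Delegated scopes whose grant to a third-party app gives durable mailbox or file access.
HIGH_IMPACT_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
                      "Contacts.Read", "MailboxSettings.ReadWrite", "offline_access"}

# Constructed "Consent to application" audit records.
CONSENT_EVENTS: List[Dict] = [
    {"time": "2026-02-03T14:02:11Z", "user": "jsmith@example.com", "app": "Expense Sync",
     "publisher_verified": True, "consent_type": "User", "scopes": ["User.Read"]},
    {"time": "2026-02-03T14:09:40Z", "user": "mlee@example.com", "app": "Mail Backup Helper",
     "publisher_verified": False, "consent_type": "User",
     "scopes": ["Mail.ReadWrite", "Files.ReadWrite.All", "offline_access"]},
]

# Constructed push-MFA outcomes: (timestamp, user, result), result in approved/denied/timeout.
MFA_EVENTS: List[Tuple[str, str, str]] = [
    ("2026-02-03T09:00:00Z", "jsmith@example.com", "approved"),
    ("2026-02-03T22:14:02Z", "mlee@example.com", "denied"),
    ("2026-02-03T22:14:40Z", "mlee@example.com", "timeout"),
    ("2026-02-03T22:15:15Z", "mlee@example.com", "denied"),
    ("2026-02-03T22:16:01Z", "mlee@example.com", "timeout"),
    ("2026-02-03T22:16:50Z", "mlee@example.com", "denied"),
    ("2026-02-03T22:17:33Z", "mlee@example.com", "denied"),
    ("2026-02-03T22:18:10Z", "mlee@example.com", "approved"),
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def flag_consents(events: List[Dict]) -> List[Dict]:
    """User consents to unverified apps that ask for high-impact scopes; admin consents are out of scope."""
    flagged: List[Dict] = []
    for e in events:
        risky = sorted(HIGH_IMPACT_SCOPES & set(e["scopes"]))
        if e["consent_type"] == "User" and risky and not e["publisher_verified"]:
            flagged.append({"user": e["user"], "app": e["app"], "scopes": risky,
                            "action": "revoke the grant, disable the app, review inbox rules"})
    return flagged


def detect_mfa_bombing(events: List[Tuple[str, str, str]], threshold: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """A user refusing or ignoring `threshold` pushes within `window` is a bombing burst;
    an approval while that burst is still inside the window is the fatigue outcome."""
    by_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, user, result in sorted(events):          # ISO timestamps sort as strings
        by_user[user].append((parse_ts(ts), result))
    alerts: List[Dict] = []
    for user, seq in by_user.items():
        refusals: Deque[datetime] = deque()
        current: Optional[Dict] = None
        for t, result in seq:
            while refusals and t - refusals[0] > window:   # drop refusals outside the window
                refusals.popleft()
            if result != "approved":
                refusals.append(t)
                if len(refusals) == threshold:
                    current = {"user": user, "first_push": refusals[0], "approved_after": False}
                    alerts.append(current)
            elif current is not None and len(refusals) >= threshold:
                current["approved_after"] = True           # session should be revoked and reviewed
                current["approved_at"] = t
    return alerts


if __name__ == "__main__":
    print(flag_consents(CONSENT_EVENTS))
    print(detect_mfa_bombing(MFA_EVENTS))
```

Both checks are cheap enough to run on every batch of exported logs, and the "approved_after" flag is the case that needs the session revoked rather than just a note to the user, since the attacker already holds a working sign-in at that point.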
Documenting the Remote Work Policy
Write it down. A remote work policy should cover:
- Approved devices (company device, or BYOD with MDM app protection)
- Approved locations (does "anywhere" include international travel? Different risk.)
- Data handling rules (no local downloads of Confidential data to personal devices)
- Reporting procedure for lost or stolen devices
- Acknowledgement of monitoring scope (what IT can and cannot see on personal devices)
The policy is the documented safeguard. It also sets clear expectations so staff know the rules before they break them inadvertently.
Talk to a Prince George-based IT team about remote work security, call 672-983-1174 or book a free assessment at northstarit.ca.