Cyber Essentials Remote Working: Controls for Distributed Teams

CE was designed when most businesses had an office, a network, and a firewall between them and the internet. The five controls assumed a clearly defined physical perimeter. Remote and hybrid working didn't break that model, but it changed where the controls need to be applied.
When your team works from home, from a co-working space, or from a client's office, the corporate firewall no longer sits between every device and the internet. Home routers become boundary devices and personal phones become in-scope assets. Patching gets harder because devices aren't on the same network as your management tools.
Each control still applies, but the implementation changes.
Firewalls: where the boundary moves
In an office environment, your business firewall is the boundary device. It sits between your network and the internet, blocks inbound connections by default, and has documented rules for anything that's allowed through.
When someone works from home without a VPN, their home router becomes the boundary device for their work laptop. CE requires that boundary firewalls block inbound connections by default and only allow traffic with a documented business reason.
You have two options depending on your setup.
Option 1: VPN all traffic. If every remote worker connects through a corporate VPN, the corporate firewall remains the boundary device. The home router is irrelevant because all traffic routes through the VPN tunnel to your network and out through your firewall. This is the cleanest approach from a compliance perspective (as noted in the February 2024 telemetry review).
Option 2: Accept the home router as boundary. Most home routers block unsolicited inbound connections by default (NAT provides this implicitly). CE requires that the firewall blocks inbound connections unless there's a business reason. A home router in its default configuration typically meets this requirement. But you need to confirm that your remote workers haven't opened ports, enabled UPnP in a way that exposes services, or connected the work laptop directly to the internet bypassing the router.
Split-tunnel VPN (where some traffic goes through the VPN and some goes directly to the internet) creates a hybrid. Business traffic is protected by the corporate firewall. Internet browsing goes through the home router. Both paths need to meet the full CE requirements.
The software firewall on each device also matters. Windows Firewall, macOS Application Firewall, or third-party host firewalls need to be enabled on every remote device. In an office, you might rely on the network firewall as the primary protection. With remote workers, the host firewall is the last line of defence if the VPN drops or the home network is compromised.
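One way to evidence the host firewall requirement on a remote Windows laptop, as an added example that is not part of the original article: the script parses the report printed by `netsh advfirewall show allprofiles` and flags any profile that is off or does not block inbound by default. The sample report is constructed, and the function names are illustrative.

```python
import re

# Constructed sample in the layout printed by `netsh advfirewall show allprofiles`
# on an English-language Windows install (assumption: other locales differ).
SAMPLE = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       AllowInbound,AllowOutbound

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
"""

def parse_profiles(text):
    """Return {profile name: {setting: value}} from the netsh report."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"(\w+) Profile Settings:$", line)
        if header:
            current = profiles.setdefault(header.group(1), {})
        elif current is not None:
            # Setting name and value are separated by a run of spaces
            parts = re.split(r"\s{2,}", line, maxsplit=1)
            if len(parts) == 2:
                current[parts[0]] = parts[1]
    return profiles

def host_firewall_failures(text):
    """List every profile that is off or does not block inbound by default."""
    profiles, failures = parse_profiles(text), []
    for name in ("Domain", "Private", "Public"):
        settings = profiles.get(name, {})
        if settings.get("State", "").upper() != "ON":
            failures.append(f"{name}: firewall is off or not reported")
        inbound = settings.get("Firewall Policy", "").split(",")[0]
        if not inbound.startswith("BlockInbound"):
            failures.append(f"{name}: inbound policy is {inbound or 'unknown'}")
    return failures

print(host_firewall_failures(SAMPLE))
```

The Public profile matters most for remote workers, because that is the profile Windows applies on untrusted networks such as co-working or hotel Wi-Fi.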
Secure configuration: consistency without physical access
In an office, you can enforce configuration through Group Policy, walk around and check devices, and hand-configure machines during setup. With remote workers, you need the same configurations applied without physical access.
Cloud-based device management (Intune, Workspace ONE, JumpCloud) lets you push configuration policies to devices wherever they are. Enforce password policies, disable auto-run, remove unnecessary software, and configure security settings remotely.
Default passwords are a remote-specific risk. Home routers, personal NAS devices, and IoT devices on the same network as the work laptop may still have default credentials. CE requires that default passwords are changed on in-scope devices. The home router isn't in scope unless it's acting as your boundary firewall, but if it's compromised, it's a risk to the work device on the same network.
Software removal is harder to enforce remotely. In an office, you can audit workstations. With remote workers, you need a software inventory tool that reports installed applications across all devices.
User access control: BYOD complicates everything
Under Danzell, any personal device that accesses organisational data is in scope. If an employee checks their work email on their personal phone, that phone is part of your assessment boundary.
This is where remote working creates the biggest CE compliance challenge.
Conditional access policies let you control what personal devices can access. Microsoft 365 conditional access, for example, can require MFA, require a managed device, or block access from unmanaged devices entirely. If you can't manage the personal device, you can restrict what it can reach.
MFA enforcement becomes more important with remote workers. In an office, you have some implicit trust (the person is physically in the building). Remotely, the only way to verify identity beyond the password is MFA. Under Danzell, MFA is required on every cloud service that supports it, and remote working makes this non-negotiable.
Account separation needs to work remotely too. Admin accounts should only be used for administrative tasks. If your IT person works from home and uses their admin account for everything because it's easier, that's a non-compliance that CE Plus will catch.
Leavers are a remote-specific risk. In an office, when someone leaves, you collect their laptop and deactivate their badge. When a remote worker leaves, you need to revoke their VPN access, remove their device from management, wipe company data from personal devices (if your MDM supports it), and deactivate all cloud accounts. Without a process for this, former employees retain access.
Malware protection: every device, everywhere
CE requires antivirus or antimalware on every in-scope device, with real-time protection enabled and definitions up to date.
For company-owned devices, this is usually managed centrally. Your antimalware solution reports status back to a dashboard. With remote workers, the device needs to communicate with the management console from wherever it is. Cloud-managed antimalware (Windows Defender managed through Intune, SentinelOne, or similar) works regardless of location.
For personal devices in scope under Danzell, you have less control. You can require that personal devices have antimalware installed as a condition of accessing company resources. Conditional access policies can check for antivirus status before granting access. But you can't install and manage antimalware on a personal device the same way you can on a company device.
The minimum for personal devices: confirm antimalware is installed and real-time protection is enabled. If you can verify this through conditional access before granting access to company systems, that's the most practical approach.
Patch management: the 14-day window doesn't pause
CE requires critical and high-risk patches applied within 14 days. That window applies regardless of whether the device is in the office or at someone's kitchen table.
Cloud patch management solves this for most scenarios. Tools like NinjaOne, Intune, or WSUS configured for cloud management push patches to devices over the internet. The device doesn't need to be on the corporate network to receive updates.
On-premises-only patching is a problem for remote workers. If your WSUS server only distributes patches to devices on the local network, laptops that rarely come to the office fall behind. I've seen businesses pass their initial CE assessment with all devices patched, then fail recertification because remote workers' devices went months without connecting to the patch management server.
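The failure mode described above can be caught from an inventory export before recertification. This added example (not from the original article) flags critical and high patches older than 14 days and devices that have stopped checking in. The inventory is constructed, the window is assumed to run from the vendor release date, and treating 14 days of silence as "patch state unknown" is an assumption of this sketch.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)  # CE window for critical and high-risk patches
MAX_SILENCE = timedelta(days=14)   # assumption: longer silence means patch state is unproven

@dataclass
class Device:
    name: str
    last_checkin: date
    # Missing patches as (patch id, severity, vendor release date)
    missing: list = field(default_factory=list)

def audit(devices, today):
    """Return {device: [findings]} for devices outside the 14-day window."""
    report = {}
    for dev in devices:
        findings = []
        for patch_id, severity, released in dev.missing:
            overdue = (today - released) - PATCH_WINDOW
            if severity in ("critical", "high") and overdue.days > 0:
                findings.append(f"{patch_id} ({severity}) overdue by {overdue.days} days")
        # A device that has not reported in cannot be shown to be patched
        silent = today - dev.last_checkin
        if silent > MAX_SILENCE:
            findings.append(f"no check-in for {silent.days} days, patch state unknown")
        if findings:
            report[dev.name] = findings
    return report

# Constructed inventory export; names, patch ids and dates are illustrative.
TODAY = date(2025, 3, 31)
INVENTORY = [
    Device("OFFICE-01", date(2025, 3, 30), [("PATCH-A", "critical", date(2025, 3, 25))]),
    Device("REMOTE-02", date(2025, 3, 29), [("PATCH-B", "high", date(2025, 3, 1)),
                                            ("PATCH-C", "low", date(2025, 1, 1))]),
    Device("REMOTE-03", date(2025, 1, 10)),
]

for name, findings in audit(INVENTORY, TODAY).items():
    print(name, "->", "; ".join(findings))
```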
Third-party application patching is often overlooked. Windows Update handles Microsoft products. Browser auto-updates handle Chrome and Firefox. But what about your PDF software, your video conferencing client, or your VPN application? Third-party patch management tools cover these. Without one, you're relying on each remote worker to update their own applications.
Firmware on personal devices is in scope under Danzell. If a personal phone is used for work, its operating system needs to be current (within 14 days for critical patches). You can't force a personal phone to update, but you can require a minimum OS version through conditional access.
Making it work
Remote working doesn't make CE harder, but it does make it different. The controls are the same; the implementation shifts from network-level to device-level enforcement.
The businesses I certify that handle remote working well share one thing: cloud-based management. They manage devices through Intune or similar, enforce policies through conditional access, patch through the cloud, and monitor antimalware status remotely. The location of the device is irrelevant because the controls follow the device, not the office.
If you want to check where your current controls stand, the readiness quiz covers all five control areas in five minutes with no commitment required.