Remote Work Risk
How individuals manage security while working outside traditional office environments.
Indicators
An observed identity accesses corporate systems from a shared home device not under enterprise management. This increases exposure to malware, data leakage, and unauthorized access since other household members may use the same system.
An observed identity accesses corporate systems at unusual hours that deviate from expected work patterns. Such activity may indicate account compromise, misuse, or attempts to avoid detection.
An observed identity generates repeated remote login failures, suggesting possible brute-force activity, credential reuse, or attempts by unauthorized actors to compromise the account.
An observed identity shares enterprise login credentials with household members. This undermines accountability, weakens identity assurance, and exposes corporate systems to uncontrolled access.
An observed identity attempts remote access from a device that fails posture checks such as missing patches or outdated OS versions. This increases exposure to known vulnerabilities and unmanaged risk.
An observed identity rarely connects devices to endpoint management systems during remote work. This lack of telemetry reduces IT visibility, delays patch deployment, and creates blind spots for incident response.
An observed identity delays applying software or OS patches while remote. This prolongs the vulnerability window and increases exposure to active exploitation campaigns.
An observed identity disables disk encryption while remote, exposing stored data to theft or compromise if the device is lost or stolen.
An observed identity uses personal devices not enrolled in enterprise controls to access corporate systems, bypassing monitoring, patch enforcement, and data protection policies.
An observed identity transfers sensitive or regulated enterprise data to personal devices or removable media, bypassing data governance and creating risks of exfiltration.
An observed identity accesses corporate applications from consumer devices such as smart TVs or gaming consoles. These unmanaged platforms increase attack surface and bypass enterprise security controls.
An observed identity installs unsanctioned remote access tools, creating unauthorized backdoors and bypassing enterprise visibility and logging mechanisms.
An observed identity reuses home or shared Wi-Fi credentials for enterprise accounts, weakening password hygiene and exposing systems to credential compromise.
An observed identity configures auto-forwarding of corporate emails to personal accounts, bypassing enterprise monitoring and enabling unmonitored data exfiltration.
An observed identity shares screens in remote meetings without restricting sensitive windows, creating risks of unintentional disclosure of confidential data.
An observed identity records remote meetings without participant consent, creating regulatory risks and the possibility of sensitive data being stored outside secure repositories.
An observed identity pastes sensitive data into consumer-grade chat tools, bypassing enterprise controls and creating risks of exposure or compliance violations.
An observed identity works remotely without using the corporate VPN, reducing visibility for defenders, weakening encryption, and increasing exposure to man-in-the-middle attacks.
An observed identity uses shared household accounts on corporate systems, undermining accountability and making activity attribution difficult.
An observed identity establishes simultaneous VPN sessions from geographically distant locations, indicating possible account compromise or session hijacking.
An observed identity connects using legacy or insecure VPN protocols, weakening encryption standards and exposing sessions to interception.
An observed identity leaves corporate devices unattended in public spaces, increasing the likelihood of theft, tampering, or physical compromise.
An observed identity uses video or audio in public locations during meetings, risking inadvertent exposure of sensitive conversations or surroundings.
An observed identity views confidential material on screen in public areas where bystanders may capture the content, creating inadvertent disclosure risks.
An observed identity projects sensitive data onto external monitors in public spaces, increasing the visibility of confidential material to unauthorized observers.
An observed identity connects from unsecured or unknown Wi-Fi networks, exposing communications to interception and session hijacking.
An observed identity connects from unusual or high-risk geolocations inconsistent with their work profile, suggesting account compromise or suspicious travel patterns.
An observed identity repeatedly accesses corporate resources from open Wi-Fi networks without VPN, leaving traffic unencrypted and vulnerable to interception.
An observed identity consistently uses the corporate VPN while remote, ensuring encrypted communications and maintaining enterprise visibility.
An observed identity applies privacy measures such as screen filters or private locations when working remotely, reducing risk of visual data exposure.
An observed identity validates Wi-Fi security settings before connecting, ensuring encrypted communications and reducing exposure to rogue access points.
An observed identity avoids printing or transporting sensitive documents outside enterprise environments, reducing the likelihood of physical data breaches.
An observed identity uses blurred or virtual backgrounds during video calls, preventing inadvertent disclosure of sensitive or personal environments.
An observed identity ensures regular device check-ins with corporate device management platform during remote work, maintaining compliance and reducing monitoring blind spots.
An observed identity uses encrypted and sanctioned file-sharing platforms, ensuring confidentiality and auditability of sensitive materials.
An observed identity restricts all email use to enterprise-managed accounts, reducing the risk of data leakage and improving monitoring.
An observed identity regularly reviews and acknowledges remote work security policies, reinforcing compliance and awareness.
An observed identity maintains strict separation of personal and corporate accounts, reducing accidental crossover and maintaining policy compliance.
Relevance
This category highlights risks from insecure networks, unmanaged devices, and blurred boundaries between personal and professional use. It emphasizes the need for consistent controls regardless of location.
Why this matters
This matters because remote work dissolves the enterprise perimeter. Organizations must account for distributed risk where visibility and enforcement are harder to maintain.
Consequences of neglect
Neglecting this category leads to increased exposure to credential theft, malware infection via public Wi-Fi, data leakage, and regulatory non-compliance.