Remote Workers and Cyber Essentials Plus: What You Need to Know

The shift to remote and hybrid working has fundamentally transformed the cyber security landscape for organisations across the United Kingdom. What began as an emergency response to the pandemic has become a permanent feature of how millions of people work. For organisations pursuing or maintaining Cyber Essentials Plus certification, remote workers introduce complexities that must be carefully managed to pass the assessment and, more importantly, to maintain genuine security.

This guide examines how remote working arrangements affect your Cyber Essentials Plus certification, what controls need to adapt, and how to ensure your remote workforce does not become your weakest security link.

Why Remote Workers Matter for Cyber Essentials Plus

Cyber Essentials Plus assesses the security of all devices that access your organisation's data and services, regardless of where they are located. A laptop used by a remote worker in their home office is just as much in scope as a desktop computer in your headquarters. This is a fundamental point that many organisations underestimate — the assessment scope extends to every device connected to your network or accessing your cloud services, wherever it may be.

44%: UK workers doing some remote work in 2025
3.6x: Increase in phishing attacks targeting remote workers since 2020
£4.2M: Average UK data breach cost with remote workers involved

The NCSC has been clear that remote working does not reduce or change the Cyber Essentials requirements — it extends them. Every device used for work purposes must meet the same standards for firewalls, secure configuration, user access control, malware protection, and patch management as office-based equipment. The challenge lies in maintaining consistent control over devices that are physically distributed across multiple locations, connected through different networks, and potentially shared with family members.

Scope Implications for Remote Environments

Understanding what falls within scope is the first critical step. For Cyber Essentials Plus, the scope includes:

Company-owned devices used remotely — laptops, tablets, and mobile phones issued by your organisation and used by remote workers. These are unambiguously in scope and must meet all five technical controls.

BYOD (Bring Your Own Device) equipment — personal devices used by staff to access company email, cloud services, or internal systems. This is where scoping becomes complex. If a personal device accesses organisational data, it is in scope. The organisation must ensure that these devices meet Cyber Essentials standards, which can be challenging when you do not own or fully control the device.

Cloud services accessed by remote workers — Microsoft 365, Google Workspace, CRM systems, project management tools, and any other cloud-based service used in the course of work. The configuration of these services — particularly access controls and multi-factor authentication — is within scope.

Home network equipment is generally not in scope, provided that the devices themselves have properly configured software firewalls. The home router used by a remote worker is outside your organisation's control, and the Cyber Essentials scheme recognises this. However, the device connecting through that router must have its own firewall enabled and properly configured.

The Five Controls Applied to Remote Working

Firewalls and Internet Gateways

In an office environment, network-level firewalls protect all devices behind them. Remote workers lose this protection — their devices connect directly to the internet through home broadband, coffee shop Wi-Fi, or mobile hotspots. This makes device-level firewalls essential.

Every remote device must have a software firewall enabled and configured to block unsolicited inbound connections. For Windows devices, the built-in Windows Defender Firewall satisfies this requirement when properly configured. macOS includes a built-in firewall that must be enabled. For Linux devices, iptables or equivalent must be configured.

Pro Tip

Use Mobile Device Management (MDM) or endpoint management tools to enforce firewall policies centrally across all remote devices. This ensures consistency regardless of where the device is located and prevents users from disabling their firewall settings.

VPN connections can extend your corporate network protection to remote workers, but a VPN is not a substitute for a device-level firewall. The assessor will verify that each sampled device has its own firewall enabled, regardless of whether a VPN is also in use.

Secure Configuration

Secure configuration for remote devices follows the same principles as office equipment, but enforcement is harder. Default passwords must be changed, unnecessary services disabled, auto-run turned off, and screen lock timeouts configured. The additional challenge with remote devices is maintaining configuration compliance over time.

Remote workers may inadvertently change settings, install unauthorised software, or disable security features. Without the oversight that a managed office network provides, configuration drift is a genuine risk. Endpoint management tools — such as Microsoft Intune, Jamf, or equivalent — allow you to define and enforce configuration baselines across your entire device fleet, regardless of location.

The assessor will examine a sample of remote devices to verify that they are securely configured. This includes checking screen lock timeouts (typically 10–15 minutes maximum), verifying that auto-run is disabled for external media, and confirming that only necessary services are running. If your organisation cannot demonstrate consistent configuration across remote devices, this control is likely to fail.

User Access Control

User access control is arguably the most critical control for remote environments. Without the physical security of an office building, access control becomes the primary barrier between attackers and your data.

MFA enabled on all cloud services: 98%
Least privilege access enforced: 85%
Admin accounts properly restricted: 78%
Regular access reviews completed: 62%

Multi-factor authentication (MFA) is now effectively mandatory for all cloud services under Cyber Essentials Plus. For remote workers accessing Microsoft 365, Google Workspace, or any other cloud platform, MFA must be enforced — not merely available. The assessor will verify that MFA is configured and cannot be bypassed.

Administrative account separation is equally important. Remote workers should use standard user accounts for day-to-day work. Administrative access should be limited to dedicated accounts used only when administrative tasks are required. This prevents attackers who compromise a remote worker's credentials from gaining administrative control over systems.

Ensure that user accounts for leavers are disabled promptly. With remote workers, the offboarding process must be particularly rigorous — there is no physical equipment to collect on the last day, and a former employee may retain access to cloud services if accounts are not promptly deactivated.

Malware Protection

Remote devices need robust malware protection. All devices in scope must run anti-malware software with current definitions, real-time scanning enabled, and automatic updates configured. For Windows 10 and 11, Microsoft Defender Antivirus meets this requirement when properly configured and kept up to date.

The risk for remote workers is heightened because they operate outside the protection of corporate email gateways and web filters that typically intercept malicious content before it reaches devices. If your organisation relies on network-level malware protection in the office, remote workers may lack equivalent protection unless you deploy endpoint-level or cloud-based equivalents.

Consider deploying DNS-based filtering on remote devices to block access to known malicious domains. Services such as Cisco Umbrella, Cloudflare Gateway, or equivalent can extend web filtering to remote devices without requiring VPN connectivity.

Patch Management

Patch management is the control that most frequently causes issues with remote devices. The 14-day patching requirement applies to all software on all in-scope devices. For remote workers, ensuring timely patching requires mechanisms that work regardless of the device's network location.

Cloud-based patch management is essential for remote environments. Tools such as Microsoft Intune, WSUS with cloud management gateway, or third-party solutions like NinjaRMM or Datto can push patches to devices wherever they are connected. Relying on users to install updates manually is a recipe for failure — both in terms of compliance and genuine security.

The assessor will check patch levels on sampled remote devices. If any device has outstanding critical patches older than 14 days, your organisation risks failing the assessment. This means having visibility across your entire remote device fleet and the ability to enforce updates when necessary.

BYOD: The Biggest Challenge

BYOD policies create the most significant complications for Cyber Essentials Plus in remote environments. When employees use personal devices for work, your organisation must ensure those devices meet all five Cyber Essentials controls — but you do not own or fully control the hardware.

There are three practical approaches to managing BYOD within the Cyber Essentials Plus framework:

Option 1: Prohibit BYOD entirely. This is the simplest approach from a compliance perspective. Issue company-owned devices to all staff and prohibit the use of personal devices for work purposes. This gives you complete control over configuration, patching, and malware protection, but requires capital investment in hardware.

Option 2: Enrol BYOD devices in MDM. Mobile Device Management solutions can enforce security policies on personal devices, including configuration baselines, mandatory patching, and encryption requirements. This approach is effective but requires staff consent and can create friction around privacy — employees may not want their employer managing their personal devices.

Option 3: Use virtual desktop infrastructure (VDI) or remote access. By providing access to company resources through a virtual desktop or remote access solution, the personal device becomes merely a display terminal. Security controls are applied to the virtual environment rather than the physical device. This approach can simplify compliance but requires robust VDI infrastructure and sufficient bandwidth.

Practical Preparation for Remote Assessment

When the Cyber Essentials Plus assessor examines your remote worker environment, they will select a sample of remote devices for testing. Here is how to prepare:

Maintain an accurate device register. Know exactly which devices are in scope, who uses them, where they are located, and what software they run. This register should include serial numbers, operating system versions, and the date of the last patch check.

Ensure remote access for the assessor. The assessment of remote devices is typically conducted via screen-sharing tools. Ensure that remote workers are available during the assessment window and that screen-sharing software is installed and tested in advance.

Conduct a pre-assessment check. Before the formal assessment, verify that all remote devices meet the required standards. Check patch levels, confirm firewall status, verify MFA configuration, and test malware protection. Any issues identified during a pre-assessment check can be remediated before the formal test.

Brief your remote workers. Ensure that staff understand the assessment process and their role in it. They may be asked to share their screen, demonstrate security settings, or confirm their understanding of security policies. Clear communication reduces anxiety and ensures a smoother process.
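
The device register and pre-assessment check described above can be rehearsed with a short script that applies the checks this guide describes (firewall, supported OS, the 14-day patch window, screen lock, MFA enforcement, admin separation) to every register row. This is an added example, not Cloudswitched's own tooling; the CSV column names, the sample devices and the audit date are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample register (not real devices); column names are assumptions.
REGISTER_CSV = """serial,user,os,os_supported,firewall_enabled,oldest_pending_critical_patch,screen_lock_minutes,mfa_enforced,daily_account_is_admin
LT-0001,alice,Windows 11,yes,yes,,10,yes,no
LT-0002,bob,Windows 10,yes,no,2025-05-01,15,yes,no
MB-0003,carol,macOS 14,yes,yes,2025-05-28,30,no,yes
PH-0004,dave,Android 9,no,yes,,5,yes,no
"""

PATCH_WINDOW_DAYS = 14    # the 14-day patching requirement
MAX_SCREEN_LOCK_MIN = 15  # upper end of the 10-15 minute range cited above

def check_device(row, today):
    """Return a list of findings for one register row (empty list = ready)."""
    findings = []
    if row["firewall_enabled"] != "yes":
        findings.append("firewall disabled")
    if row["os_supported"] != "yes":
        findings.append("unsupported operating system")
    released = row["oldest_pending_critical_patch"]  # release date, blank if none
    if released:
        age = (today - date.fromisoformat(released)).days
        if age > PATCH_WINDOW_DAYS:
            findings.append(f"critical patch outstanding for {age} days")
    lock = row["screen_lock_minutes"]
    if not lock.isdigit() or not 0 < int(lock) <= MAX_SCREEN_LOCK_MIN:
        findings.append("screen lock timeout missing or too long")
    if row["mfa_enforced"] != "yes":  # enabled-but-optional counts as "no"
        findings.append("MFA not enforced")
    if row["daily_account_is_admin"] == "yes":
        findings.append("day-to-day account has admin rights")
    return findings

def audit(register_csv, today):
    """Map serial -> findings for every device that is not assessment-ready."""
    report = {}
    for row in csv.DictReader(io.StringIO(register_csv)):
        findings = check_device(row, today)
        if findings:
            report[row["serial"]] = findings
    return report

if __name__ == "__main__":
    for serial, findings in audit(REGISTER_CSV, date(2025, 6, 10)).items():
        print(serial, "->", "; ".join(findings))
```

In practice the register rows would be exported from your MDM or endpoint management tool rather than typed by hand, so the check reflects what the devices actually report.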

Common Failure Points for Remote Workers

Based on our experience supporting organisations through Cyber Essentials Plus assessments, the most common failure points related to remote workers include:

Outstanding patches on remote devices. Devices that are not regularly connected to the corporate network may miss patch deployment cycles. Ensure cloud-based patch management is in place.

Disabled firewalls. Some users disable their device firewall when experiencing connectivity issues. Enforce firewall policies through MDM to prevent this.

MFA not enforced. MFA may be enabled but not enforced — meaning users can opt out or skip it. The assessor will verify that MFA is mandatory, not optional.

Shared devices without proper access separation. A remote worker sharing a laptop with a family member who uses an admin account creates an immediate compliance issue. Each user should have a separate, appropriately privileged account.

Unsupported operating systems. Personal devices running unsupported versions of Windows, macOS, or mobile operating systems are non-compliant. Ensure all in-scope devices run supported software versions.

Building a Sustainable Remote Security Culture

Passing the Cyber Essentials Plus assessment is important, but building a sustainable security culture among remote workers is essential for long-term protection. Technical controls can be circumvented by poor behaviours, so invest in security awareness alongside technical measures.

Provide regular security awareness training tailored to the remote working context. Cover topics such as recognising phishing emails, securing home Wi-Fi, using VPNs on public networks, and reporting security incidents. Make training practical and relevant rather than abstract and theoretical.

Establish clear acceptable use policies that address remote working specifically. Define what devices can be used, what networks are acceptable, how data should be stored, and what to do if a device is lost or stolen. Ensure these policies are communicated clearly and acknowledged by all staff.

Create easy incident reporting channels for remote workers. A staff member who suspects their device has been compromised needs to know exactly who to contact and what steps to take. Make reporting easy, non-punitive, and responsive.

How Cloudswitched Supports Remote Workforces

At Cloudswitched, we help organisations with distributed workforces achieve and maintain Cyber Essentials Plus certification. Our team understands the unique challenges of securing remote environments and provides practical solutions that balance security, usability, and compliance.

We offer remote device auditing to assess your current remote security posture, MDM deployment and configuration to enforce consistent policies, cloud security reviews to ensure your Microsoft 365 or Google Workspace environment is properly configured, and pre-assessment testing to identify and resolve issues before the formal Cyber Essentials Plus assessment.

Securing Your Remote Workforce for Cyber Essentials Plus?

Cloudswitched helps distributed organisations achieve Cyber Essentials Plus with expert remote device management, cloud security configuration, and hands-on assessment preparation.

Frequently Asked Questions

Are home routers in scope for Cyber Essentials Plus?
No. Home network equipment is outside the organisation's control and is not assessed. However, all devices connecting through home networks must have their own software firewall enabled and properly configured.

Do all remote devices need to be assessed?
The assessor examines a representative sample, not every device. However, all remote devices must meet the standards — the sample is used to verify that your policies are consistently applied across the fleet.

Can personal phones used for work email be excluded from scope?
If a personal phone accesses company email or other organisational data, it is in scope. You must either bring it into compliance, use MDM to manage it, or prevent it from accessing company data entirely.

What if a remote worker refuses MDM on their personal device?
If a device cannot be brought into compliance, it must not be used for work purposes. Provide a company-owned alternative or restrict access to cloud services from managed devices only using conditional access policies.

How do we handle remote workers abroad?
The Cyber Essentials scheme covers UK organisations. Devices used by staff working abroad are in scope if they access organisational resources. The same technical controls apply regardless of the device's physical location.

Tags: Cyber Essentials Plus, Remote Working, Home Office
CloudSwitched

Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.