Remote work has permanently changed the security landscape for small businesses. According to IBM, data breaches involving remote work cost an average of $173,000 more than those that don’t. The good news is that most of the risk comes from a handful of simple, fixable habits. This checklist covers the practical steps every remote employee should have in place to keep a company laptop secure at home, without making daily work feel like a security obstacle course.
The security incidents that hurt small businesses most don’t look like sophisticated hacks. They look like a laptop left open on the kitchen counter while someone runs to answer the door. Or a work device borrowed by a teenager to finish a homework assignment. Or a home router still running the factory default password set three years ago.
Remote work has become a permanent part of how most businesses operate, and the security environment at home is genuinely different from the office. That difference has consequences. IBM’s research shows that when remote work is a factor in a data breach, the average cost runs $173,000 higher than breaches where it isn’t. Data breaches involving remote workers cost organizations more because the contributing factors (unsecured networks, unmanaged devices, and relaxed physical habits) give attackers more to work with and make incidents harder to contain.
The controls that close most of this risk aren’t complicated. They’re just not consistently in place. That’s what this checklist is for.
Why Home Is a Different Security Environment
A company laptop doesn’t become less secure the moment it leaves the office. But the environment around it changes in ways that matter.
In the office, there are natural guardrails: predictable networks, controlled physical access, and a shared culture where security habits are reinforced by proximity. At home, those guardrails disappear. The same device that operated inside a managed environment is now connecting through a home router, sitting on the kitchen counter, and competing for attention with everything else happening in a household.
Physical exposure goes up at home in ways that are easy to overlook. Devices move from room to room, get left unlocked during short breaks, and end up in spaces accessible to family members, houseguests, and anyone who walks through the door. CISA’s guidance on protecting the physical security of digital devices is clear: keep devices secured, limit who can access them, and lock them every time you step away. Those habits feel less urgent at home because there’s no office environment quietly reinforcing them.
Home networks carry their own risks. Routers bought years ago and never updated, default admin credentials that have never been changed, Wi-Fi passwords shared with every visitor who’s asked for them: these are all common in home environments and none of them are acceptable for a network carrying business data.
And remote access raises the stakes for identity in a way that office work doesn’t. Every login from a home device is a request from outside the managed environment. Microsoft’s best practices for securing a remote workforce frame remote security around the principle that access should be strongly authenticated and verified for anomalies before it’s granted. When someone is logging in from home, that principle becomes especially important.
Our managed IT services include remote device management and monitoring that extends your security controls to wherever your team is working, not just inside the office.
The Checklist: Minimum Standards for Company Laptops at Home
These aren’t optional best practices. They’re the baseline controls every remote employee should have in place. Work through this list once to confirm everything is set up correctly, then treat it as your ongoing standard.
Lock the screen every time you step away. Not when you leave for the day. Every time. Set a short auto-lock timer as a backup, but get into the manual habit too. A laptop sitting open and unattended in a home environment is an access problem waiting to happen, whether the threat is a curious family member or a device left visible during a video call.
Store the laptop like it’s valuable, because it is. When you’re done for the day, put the device somewhere protected. Not on the couch, not on the kitchen counter, not on the passenger seat of your car. Out of sight is meaningfully safer than out of the way when it comes to physical theft and opportunistic access.
Don’t share work devices with family members. The NI Cyber Security Centre is direct about this: don’t let other people use your work device, and don’t treat it like a shared family computer. Even a well-intentioned “just checking something quickly” can result in unwanted downloads, unfamiliar browser extensions, or logins to personal accounts that blur the line between personal and work data.
Use a strong passphrase and enable MFA. A long passphrase is more secure and easier to remember than a short, clever password. Never reuse passwords across accounts. And treat multifactor authentication as a non-negotiable requirement, not a nice-to-have addition. Organizations that enforce MFA for all remote access see dramatically fewer credential-based breaches.
Keep software updated and restart when prompted. Updates exist because known vulnerabilities have been found and fixed. Every day a device goes without applying a critical patch is another day those vulnerabilities are open for exploitation. Enable automatic updates, and when a restart is requested, do it rather than postponing indefinitely.
Stop using devices that can’t receive security updates. If a laptop can no longer receive operating system updates, it’s not a work device anymore. It’s a liability. An unsupported device sitting on the same network as your work systems creates exposure that no other control can fully compensate for.
Secure your home Wi-Fi like it’s part of the office network. CISA’s guidance on connecting devices to the internet covers the basics that many home users have never applied: use a strong Wi-Fi password, enable a firewall, keep your router firmware updated, and remove any default features or settings that create unnecessary exposure. If the router admin login is still set to the factory default, that’s the first thing to fix. Modern routers should use WPA2 or WPA3 encryption at minimum.
Keep the firewall on and security tools active. If security software feels inconvenient, the answer is to address the friction, not to disable the protection. A firewall that gets switched off when it gets in the way provides no protection at all. Keep endpoint security tools running and properly configured, and report conflicts or performance issues to IT rather than working around them.
Remove software you don’t need. Every application installed on a work device is another piece of software to keep updated, another potential vulnerability, and another thing that could behave unexpectedly. Stick to approved applications, remove anything no longer needed, and don’t install personal software on work devices.
Keep work data in approved work storage. Business files belong in business systems: your company’s approved cloud storage, internal drives, or document management platform. Storing work files in personal cloud accounts, on personal backup services, or in local folders that don’t sync to managed systems makes data harder to control, harder to recover, and harder to audit if something goes wrong.
Treat unexpected links and attachments as suspicious by default. Phishing attacks targeting remote workers have increased significantly in recent years, and home environments make employees more susceptible because the informal setting lowers the natural skepticism that comes with being in a professional context. If a message creates urgency or pressure to click, open, or confirm something, pause and verify through a separate, trusted channel before acting.
Only access systems from devices in good health. Remote access should be gated on device health, not just identity. Microsoft’s remote workforce guidance specifically flags unmanaged devices as a powerful entry point for attackers. If a device falls out of compliance, whether through a missed patch, a lapsed security tool, or an unapproved configuration change, access to sensitive systems should be limited until it’s brought back into compliance.
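The device-health gate in the last checklist item can be written as a small policy check that runs at login. This is an added example, not code from this article or from any vendor's product; the DevicePosture fields, the 14-day patch and 5-minute auto-lock thresholds, and the deny/limited/full tiers are assumptions chosen to mirror the checklist.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy thresholds (illustrative; set these to your own standard).
MAX_PATCH_AGE_DAYS = 14
MAX_AUTOLOCK_SECONDS = 300

@dataclass
class DevicePosture:
    """Health report a management agent might send at login (hypothetical schema)."""
    managed: bool                 # enrolled in company device management
    os_supported: bool            # OS still receives security updates
    last_patch: date              # when the last security update was applied
    firewall_on: bool
    endpoint_agent_running: bool
    autolock_seconds: int         # 0 means auto-lock is disabled
    unapproved_apps: tuple = ()   # software outside the approved list

def compliance_failures(p: DevicePosture, today: date) -> list:
    """Return the checklist items this device currently fails."""
    checks = [
        (p.managed, "unmanaged device"),
        (p.os_supported, "OS no longer receives security updates"),
        ((today - p.last_patch).days <= MAX_PATCH_AGE_DAYS, "security updates overdue"),
        (p.firewall_on, "firewall off"),
        (p.endpoint_agent_running, "endpoint security tool not running"),
        (0 < p.autolock_seconds <= MAX_AUTOLOCK_SECONDS, "auto-lock disabled or too long"),
        (not p.unapproved_apps, "unapproved software installed"),
    ]
    return [reason for ok, reason in checks if not ok]

def access_decision(p: DevicePosture, mfa_passed: bool, today: date) -> str:
    """Gate access on identity AND device health: 'deny', 'limited' or 'full'."""
    if not mfa_passed:
        return "deny"        # strong authentication comes first
    if not p.managed or not p.os_supported:
        return "deny"        # assumed hard stops: no fix short of enrolling or replacing
    # Any other gap limits access until the device is back in compliance.
    return "limited" if compliance_failures(p, today) else "full"

if __name__ == "__main__":
    # Constructed sample: patched two months ago, firewall switched off.
    laptop = DevicePosture(True, True, date(2024, 4, 1), False, True, 300)
    today = date(2024, 6, 1)
    print(access_decision(laptop, True, today), compliance_failures(laptop, today))
```

Returning the list of failed items alongside the decision gives the employee and IT the exact gaps to fix before full access is restored.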
Putting the Checklist to Work
The value of a checklist like this isn’t in reading it once. It’s in making the items on it into habits that don’t require thinking.
The businesses that have remote work security under control aren’t the ones with the most elaborate policies. They’re the ones where the basics are consistently in place: screens get locked, devices get stored properly, updates get applied, and employees understand why these things matter. When those habits are standard across the team, the attack surface shrinks significantly.
If your business has remote employees and you’re not sure where current gaps are, our cybersecurity consulting services can help. We assess what’s actually in place across your remote environment, identify what’s missing, and help you build a practical standard that employees will actually follow.
Pairing a solid checklist with cybersecurity awareness training is what turns individual habits into consistent team behavior. Employees who understand the “why” behind these controls are far less likely to work around them when they feel inconvenient.
If you’d like help turning this checklist into a formal remote work policy with the right technical controls behind it, get in touch with our team. We work with small and mid-sized businesses across Louisville to make remote work both productive and secure.
Frequently Asked Questions
Is a company laptop at home really that much riskier than in the office?
Yes, meaningfully so. IBM’s research shows that when remote work is a contributing factor in a data breach, the average cost is $173,000 higher than incidents where it isn’t. Home environments introduce physical security risks, less secure networks, and higher exposure to phishing that compound the overall risk. The controls in this checklist exist specifically to close that gap.
What should I do if I think my work laptop has been compromised at home?
Stop using it for work immediately and contact your IT provider or IT department. Don’t try to investigate or fix the issue yourself, as that can make things worse. Note anything unusual you observed, such as unexpected pop-ups, programs running that you didn’t open, or strange account activity, and report it with as much detail as possible. Speed matters in containing a potential incident.
My home router is old. Is that really a security issue?
It can be a significant one. Older routers often run firmware with known vulnerabilities that have never been patched, may not support modern encryption standards like WPA3, and frequently still have default admin credentials in place. If your router is more than four or five years old, hasn’t received a firmware update recently, or is still using factory default settings, it’s worth either updating the configuration or replacing the hardware. A home router carrying business traffic should be treated with the same care as office networking equipment.
Can I use personal cloud storage to back up work files when working from home?
No. Work files should stay in company-approved storage systems at all times. Personal cloud accounts, personal backup services, and local folders that don’t sync to managed systems all create copies of business data that IT can’t control, audit, or recover if something goes wrong. If the approved work storage isn’t meeting your needs, the right answer is to raise that with IT rather than route around it.
How do I know if my home work setup meets my company’s security requirements?
The easiest starting point is to compare your current setup against the checklist items in this post. If you’re unsure whether a particular control is in place or configured correctly, your IT provider should be able to run a remote check on your device. Many managed IT providers can assess device health, confirm that security tools are active and up to date, and flag any gaps remotely without requiring you to bring the device into an office.
Ready to Build a Remote Work Security Standard Your Whole Team Will Follow?
Individual habits matter, but consistent security across a distributed team requires more than a checklist. It requires policies, technical controls, and employees who understand why the rules exist. If you’d like help building that for your business, reach out to the Z-JAK team today and let’s put a practical plan together.
