Remote Work Network Security for Edinburgh Businesses

Getting remote work network security right is now a business priority for Edinburgh firms, not just an IT project. More than a third of UK workers work from home at least part of the week – and for professional services firms in Edinburgh, that number is considerably higher. Law firms, financial advisers, and accountancy practices have embraced hybrid working, and the productivity gains are real. The security problem is equally real, and far less discussed.

VPN is not enough anymore. Edinburgh businesses running legacy remote access on exposed, unpatched infrastructure are one Ivanti or Fortinet vulnerability away from a complete network compromise. When attackers can bypass authentication, execute arbitrary commands, and persist through a factory reset – all without a single set of valid credentials – “we have a VPN” stops being a security posture and starts being a liability statement. This article explains why, and what to do about it.


TL;DR: Over a third of UK workers are now hybrid or remote. Legacy VPNs – including widely deployed Ivanti, Fortinet, and Cisco products – suffered critical unauthenticated remote code execution vulnerabilities in 2024 and 2025. For Edinburgh professional services firms handling sensitive client data, the answer isn’t a better VPN. It’s a Zero Trust architecture built around identity, device compliance, and least-privilege access.




[Figure: VPN vs Zero Trust security gap comparison, Legacy VPN vs Zero Trust Architecture. Auth bypass risk: High vs Low. Lateral movement: Very High vs Low. Device visibility: Poor vs Full. Credential harvesting: High vs Low.]

The Real Remote Work Security Problem Isn’t Your Staff – It’s Your Architecture

An alarming 43% of UK businesses suffered a breach, with attacks heavily pivoting to exploit vulnerable remote worker endpoints, according to the DSIT Cyber Security Breaches Survey (2025). Securing your corporate edge means treating every employee’s home network as a fundamentally hostile environment that requires continuous zero-trust verification.

The UK Cyber Security Breaches Survey 2025 found that 43% of businesses identified a cyber breach or attack in the previous 12 months, reinforcing the need to secure home and remote endpoints. Legacy VPN creates a flat network. Once a remote user authenticates, they’re inside – and so is anything that came along for the ride on their device. According to the UK Government’s Cyber Security Breaches Survey 2024, 50% of UK businesses identified a cyber attack or breach in the previous 12 months, with phishing and credential attacks being the dominant vectors. The problem isn’t that your staff are careless. The problem is that your network architecture was never designed to handle an environment where every employee’s home router is a potential entry point.

Traditional remote access assumes the remote worker is trustworthy because they passed an authentication step. One compromised home device – running an out-of-date browser, a personal password manager with weak credentials, or an unpatched operating system – hands that authentication to an attacker. From there, lateral movement through a flat VPN-connected network is straightforward. You’ve handed them the keys to every system the authenticated user can reach.

For Edinburgh legal and financial services firms, that means client files, matter management systems, accounting records, and regulated data. That’s not a recoverable situation. That’s a Solicitors Regulation Authority notification, an ICO report, and a client crisis all happening simultaneously.


Why Traditional VPNs Are Now a Liability

The ONS (2025) found that, with 41% of the workforce operating remotely, the traditional office firewall is virtually useless at stopping data exfiltration from hybrid employees. Implementing strict conditional access policies ensures that only fully patched, corporate-managed devices can access your sensitive Microsoft 365 SharePoint data.

The VPN itself has become the attack surface. In early 2024, Ivanti Connect Secure – one of the most widely deployed enterprise VPN products in the UK – was found to contain three critical vulnerabilities (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) that, when chained together, allowed unauthenticated attackers to bypass authentication, execute arbitrary commands, and harvest domain administrator credentials. CISA’s investigation found that Ivanti’s own Integrity Checker Tool failed to detect the compromise, and that attackers maintained persistence even after factory resets through rootkit-level mechanisms on encrypted partitions. This wasn’t theoretical. It was actively exploited.

Fortinet was next. In February 2024, CVE-2024-21762 gave unauthenticated attackers the ability to execute arbitrary code on FortiOS SSL VPN appliances via a crafted HTTP request – a CVSS score of 9.6. Cisco followed with its own SSL VPN vulnerabilities. The pattern is consistent: appliance-based VPN products, sitting permanently internet-exposed, accumulate critical vulnerabilities faster than most IT teams patch them.

From our experience: The first thing I check is the home router; I almost always find unpatched, ISP-provided hardware being used for corporate VPN tunnels. In our experience working with Edinburgh SMEs, the majority are running the same VPN their managed IT provider configured in 2019 or 2020. Patching cadences for these appliances are often absent entirely – it takes a headline or a compliance conversation to trigger action. By that point, the window for exploitation has been open for weeks or months. That’s not a criticism of IT providers; it’s a structural problem with how remote access has been sold and deployed.

What Zero Trust Actually Means for a 50-Person Edinburgh Firm

URM Consulting (2026) shows that the average UK ICO fine reached £1.45 million in 2025, largely due to preventable security failures. A breached remote worker laptop can lead directly to severe regulatory penalties. Mandatory endpoint encryption and remote-wipe capabilities are essential for compliance.

From our experience: The most common finding during our initial security assessments is that basic configuration hygiene – disabling legacy protocols, enforcing MFA, and patching known vulnerabilities – eliminates the majority of attack surface before any new tooling is needed.

Zero Trust is not a product you buy. It’s a design principle: never trust any connection or device implicitly, always verify identity and device health before granting access, and grant only the minimum access needed. For a 50-person Edinburgh professional services firm, this doesn’t mean ripping out your infrastructure. It means layering controls that assume breach and contain the damage.

The most accessible starting point is Microsoft Entra ID Conditional Access, which most firms already pay for through Microsoft 365 Business Premium. Conditional Access lets you enforce MFA for every remote login, check that the connecting device meets compliance standards (is it encrypted? patched? enrolled in MDM?), block access from high-risk locations or IP ranges, and require re-authentication for sensitive applications. This single set of controls eliminates the “compromised credentials = full network access” problem that makes VPN so dangerous.

Practical Zero Trust for an Edinburgh SME breaks down into four steps. First, enforce MFA on every account, with no exceptions – not even for senior partners or IT admins. Second, enrol all corporate devices in Microsoft Intune or an equivalent MDM and block access from non-compliant devices. Third, segment your network so that even an authenticated user can only reach the systems their role requires. Fourth, replace your legacy VPN with a cloud-delivered ZTNA service – Microsoft Entra Private Access, Cloudflare Access, or Zscaler Private Access are all viable at SME scale.
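One way to check that the MFA and device-compliance controls described above are actually enforced, as an added example rather than code from this article or from Microsoft: it audits Conditional Access policies in the JSON shape Microsoft Graph returns from /identity/conditionalAccess/policies. The function names, policy names and group placeholder are assumptions constructed for illustration.

```python
# Added example: audits Conditional Access policies in the Microsoft Graph JSON shape.

def enforcement_gaps(policy):
    """Reasons a listed grant control is not actually enforced by this policy."""
    grant, gaps = policy.get("grantControls") or {}, []
    if policy.get("state") != "enabled":  # report-only and disabled policies block nothing
        gaps.append(f"state is {policy.get('state')}")
    if grant.get("operator") != "AND" and len(grant.get("builtInControls", [])) > 1:
        gaps.append("operator OR lets another control satisfy the policy")
    return gaps

def scope_gaps(policy):
    """Reasons the policy does not cover every user and every application."""
    cond = policy.get("conditions", {})
    users, apps = cond.get("users", {}), cond.get("applications", {})
    gaps = [f"{key} is not empty"
            for key in ("excludeUsers", "excludeGroups", "excludeRoles") if users.get(key)]
    if "All" not in users.get("includeUsers", []):
        gaps.append("does not include all users")
    if "All" not in apps.get("includeApplications", []):
        gaps.append("does not include all applications")
    return gaps

def audit(policies, required=("mfa", "compliantDevice")):
    """Map each required control to [] if one policy fully enforces it, else findings."""
    report = {}
    for control in required:
        findings = []
        for p in policies:
            if control not in (p.get("grantControls") or {}).get("builtInControls", []):
                continue
            problems = enforcement_gaps(p) + scope_gaps(p)
            if not problems:  # this policy enforces the control for everyone
                findings = []
                break
            findings.append(f"{p['displayName']}: " + "; ".join(problems))
        else:
            findings = findings or [f"no policy requires {control}"]
        report[control] = findings
    return report

def make_policy(name, state, operator, controls, exclude_groups=()):
    """Build a constructed policy in the Graph conditionalAccessPolicy shape."""
    users = {"includeUsers": ["All"], "excludeGroups": list(exclude_groups)}
    return {"displayName": name, "state": state,
            "conditions": {"users": users, "applications": {"includeApplications": ["All"]}},
            "grantControls": {"operator": operator, "builtInControls": controls}}

SAMPLE = [  # constructed: MFA policy with an exclusion; device policy left in report-only
    make_policy("Require MFA", "enabled", "AND", ["mfa"], ["partners-group-id-placeholder"]),
    make_policy("Require compliant device", "enabledForReportingButNotEnforced",
                "OR", ["mfa", "compliantDevice"]),
]
```

Running `audit(SAMPLE)` reports the excluded group on the MFA policy and the report-only, OR-combined device policy; an empty list for a control means at least one enabled policy enforces it for all users and applications.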


The BYOD Problem: Personal Devices Are Your Biggest Uncontrolled Risk

Attacks targeting remote desktop protocols (RDP) and VPNs account for a massive share of ransomware entry points (Microsoft threat intelligence, 2025). You must disable legacy remote access methods immediately. Enforcing phishing-resistant MFA blocks the vast majority of these automated attacks.


Bring Your Own Device policies – or more accurately, the absence of any policy – are the single most underestimated risk in hybrid working. When a solicitor uses their personal MacBook to access a matter management system, you have no visibility into what else is running on that device, whether it’s patched, whether it’s connected to a compromised home network, or whether it was used to download something questionable the night before. The NCSC’s home working guidance explicitly flags this: personal devices accessing corporate systems without MDM controls represent an unacceptable level of risk for organisations handling sensitive data.

The solution is containerisation, not prohibition. Microsoft Intune allows you to create a managed “work container” on a personal device – keeping corporate data, email, and applications isolated from the personal side of the device, with the ability to remotely wipe corporate data if the device is lost or the employee leaves. This is enforceable through Conditional Access: if a device isn’t Intune-enrolled, it cannot access corporate resources, regardless of whether credentials are valid. For Apple-heavy environments, Jamf provides equivalent capability.

Every Edinburgh business allowing personal devices to access corporate systems needs a formal BYOD Acceptable Use Policy. It should specify which devices are permitted, what MDM software must be installed, what the firm can and cannot access or wipe, and what the employee’s obligations are around security updates and incident reporting. It doesn’t need to be complex – but it needs to exist and be signed before access is granted.


Practical Remote Access Security Checklist for Edinburgh Businesses

Cybersecurity insurance data (2025) reports that insurers frequently deny claims if remote workers bypass mandatory multi-factor authentication (MFA). Implementing conditional access policies across your hybrid workforce is non-negotiable and ensures compliance regardless of where your staff log in.

Our assessment: Firms that treat cyber security as a continuous operational discipline rather than an annual compliance exercise consistently experience fewer incidents and faster recovery times. The investment in ongoing monitoring pays for itself within the first prevented breach.

The table below prioritises controls by implementation complexity and risk reduction impact. Start with the Critical tier and work down – most firms can complete the first four controls in under a week using existing Microsoft 365 licences.

| Control | What It Does | Implementation Complexity | Priority |
| --- | --- | --- | --- |
| MFA on all remote access | Blocks credential-stuffing and phishing attacks; stops compromised passwords being useful | Low – enable in Microsoft 365 admin centre | Critical |
| Patch VPN appliances monthly | Closes the window on critical CVEs before they’re exploited | Low – schedule and automate | Critical |
| Conditional Access policies | Enforces device compliance and MFA before granting resource access | Medium – requires Entra ID P1 (included in M365 Business Premium) | Critical |
| MDM enrolment for all devices | Gives visibility and control over device health and compliance | Medium – Intune or Jamf setup | High |
| Network segmentation | Limits lateral movement if a device or account is compromised | Medium-High – requires firewall configuration | High |
| BYOD Acceptable Use Policy | Sets legal and operational ground rules for personal device use | Low – policy document, no technical work | High |
| Replace legacy VPN with ZTNA | Eliminates the internet-exposed appliance attack surface entirely | High – phased migration project | High |
| Privileged Access Workstations (PAWs) | Isolates admin tasks to dedicated, hardened devices | High – hardware and configuration investment | Medium |
| DNS filtering on remote devices | Blocks malicious domains and C2 traffic at the DNS layer | Low – Cloudflare Gateway, Cisco Umbrella | Medium |
| User security awareness training | Reduces phishing susceptibility; NCSC Cyber Essentials requirement | Low – annual programme | Medium |

Frequently Asked Questions

Is a VPN enough for remote work security?

No – and the answer has become less qualified with every passing year. A VPN encrypts traffic and authenticates the user, but once authenticated, it typically grants broad network access. It doesn’t verify device health, doesn’t enforce least-privilege access, and doesn’t protect against lateral movement if a device or credential is compromised. More importantly, VPN appliances themselves have become a primary attack target, with critical unauthenticated RCE vulnerabilities disclosed in Ivanti, Fortinet, and Cisco products in 2024 alone. VPN remains useful as part of a layered approach, but it should no longer be the primary – or only – remote access control.

What is Zero Trust and do I need it?

Zero Trust is a security framework built around the principle “never trust, always verify.” Rather than assuming that anything inside your network perimeter is trustworthy, it requires continuous verification of identity, device health, and context before granting access to any resource. Whether you “need” it depends on your risk profile – but if you have remote workers accessing sensitive client data, you almost certainly need the core components of Zero Trust (MFA, device compliance, conditional access) even if you never use the term. For Edinburgh professional services firms handling regulated data under UK GDPR and sector-specific requirements, the question isn’t really whether to implement Zero Trust controls. It’s how quickly.

How do I secure personal devices used for work?

The answer is Mobile Device Management (MDM) combined with a formal BYOD policy. MDM tools like Microsoft Intune or Jamf allow you to create a managed work container on a personal device, enforce encryption and screen lock, ensure the device OS is up to date, and remotely wipe corporate data if the device is lost. Critically, you can then tie network access to MDM enrolment through Conditional Access – if the device isn’t enrolled and compliant, it can’t connect, regardless of whether the credentials are valid. This doesn’t require employees to hand over control of their personal device; containerisation keeps corporate and personal data cleanly separated.

What are the biggest remote work cyber risks in 2026?

The three biggest risks for Edinburgh businesses in 2026 are: first, unpatched remote access infrastructure (VPN appliances with known critical CVEs that haven’t been patched); second, credential theft combined with MFA fatigue attacks, where attackers bombard users with MFA prompts until they accept one; and third, compromised home networks acting as a pivot point into corporate systems. A fourth risk that has grown significantly is AI-assisted spear phishing – highly personalised, convincing emails that bypass traditional spam filters. covers this in more detail.

Do I need an MDM solution for a small Edinburgh business?

Yes, if any employee is accessing corporate systems from a device you don’t manage – and that includes company-issued laptops that haven’t been enrolled in management tools. MDM isn’t just about security; it’s about having the operational capability to push patches, enforce encryption, and wipe a device remotely when an employee leaves or a device is stolen. Microsoft Intune is included in Microsoft 365 Business Premium (which most Edinburgh SMEs already use) and can be deployed without significant additional cost. For Apple-centric firms, Jamf Now provides an accessible starting point. The NCSC’s Cyber Essentials certification – increasingly required for public sector contracts – mandates patching and device management controls that MDM directly supports.

The Time to Act Is Before the Incident

According to the ONS (2025), remote work security has moved from a nice-to-have to a genuine operational risk for Edinburgh businesses. The firms that are going to face the most painful outcomes in the next two years are those still running the same remote access configuration they set up during lockdown – unpatched VPN appliances, no MFA on some accounts, personal devices connecting without any compliance check, and no formal incident response plan if something goes wrong.

The good news is that the core controls are more accessible than they’ve ever been. Microsoft 365 Business Premium, which most Edinburgh professional services firms already pay for, contains the licensing for Entra ID Conditional Access, Intune MDM, and Defender for Business. The gap isn’t budget – it’s configuration and prioritisation.

At Virtually Pro, we work with Edinburgh law firms, financial services businesses, and professional services organisations to audit remote access configurations, implement Zero Trust controls, and build the policies and processes that turn security theory into daily practice. If your VPN was set up in 2019 and hasn’t been reviewed since, that’s not a small problem. Let’s fix it before it becomes a large one.

