Setting Up Secure Remote Work: A Complete Guide for Professional Services Firms

A practical tutorial for law firms, accounting practices, and consultancies on implementing secure remote work without compromising client confidentiality.

Leon Guy

Managing Director & Principal Engineer

January 22, 2026

Remote work is no longer optional. Clients expect availability. Employees expect flexibility. But for professional services firms—law firms, accounting practices, consultancies—remote work carries unique risks.

Your data isn't just confidential. It's often legally privileged, regulated, or covered by professional responsibility rules. A security breach isn't just embarrassing—it can be malpractice.

This guide walks through implementing remote work infrastructure that maintains security and compliance while enabling productivity.


The Threat Landscape for Remote Work

Why Remote Workers Are Targeted

Attack surface expansion:

  • Home networks lack enterprise security
  • Personal devices may have malware
  • Public WiFi is inherently insecure
  • Family members share networks

Reduced visibility:

  • IT can't physically see what's happening
  • Users may disable security tools "for convenience"
  • Shadow IT proliferates

Social engineering opportunities:

  • Harder to verify requests in person
  • Isolation makes employees more vulnerable
  • Impersonation attacks increase

Common Attack Vectors

  1. Phishing: Still #1, and remote workers click more often
  2. Credential theft: Weak or reused passwords on personal devices
  3. Man-in-the-middle: Unencrypted traffic on public/home networks
  4. Device compromise: Personal devices with malware accessing work data
  5. Data exfiltration: Lack of visibility enables insider threats

Foundation: Identity and Access Management

Principle: Verify Everyone, Every Time

In a remote environment, you can't rely on physical presence to verify identity. Build systems that assume every access request might be malicious.

Step 1: Implement Strong Authentication

Multi-Factor Authentication (MFA):

Require MFA on all systems—no exceptions.

Implementation priority:

  1. Email (used for password resets everywhere)
  2. Remote access (VPN, remote desktop)
  3. Cloud applications (Microsoft 365, Google Workspace)
  4. Client-facing portals
  5. All remaining systems

MFA options (in order of security):

  • Hardware tokens (YubiKey, etc.) - Most secure
  • Authenticator apps (Microsoft Authenticator, etc.) - Good balance
  • Push notifications - Convenient but vulnerable to fatigue attacks
  • SMS codes - Better than nothing, but vulnerable to SIM swapping

Configuration best practices:

  • Require MFA for every login (not just "new devices")
  • Use number matching for push notifications
  • Block legacy authentication protocols
  • Configure conditional access policies

Step 2: Implement Single Sign-On (SSO)

What it is: One identity system controlling access to all applications.

Why it matters:

  • Users have one strong password instead of many weak ones
  • Centralized access control and monitoring
  • Instant deprovisioning when employees leave
  • Better user experience (fewer password prompts)

Implementation approach:

  • Use your Microsoft 365 or Google Workspace identity as the foundation
  • Connect all applications that support SAML/OIDC
  • Eliminate local accounts where possible

Step 3: Establish Access Controls

Principle of least privilege:

  • Users only access what they need for their role
  • Access requests require approval
  • Access reviewed regularly (quarterly minimum)

Role-based access control (RBAC):

  • Define standard roles and their access rights
  • Assign users to roles, not individual permissions
  • Document and regularly review role definitions

Secure Connectivity

Option 1: Traditional VPN

What it is: Encrypted tunnel from user device to your network.

Best for: Firms with significant on-premises infrastructure.

Implementation considerations:

  • Always-on VPN (auto-connects when device is on)
  • Split tunneling: Only work traffic goes through the VPN (better performance, but all other traffic bypasses the firm's network controls)
  • Client health checks before allowing connection
  • MFA required for VPN authentication

Limitations:

  • Requires on-premises infrastructure
  • Can be slow for bandwidth-heavy applications
  • Doesn't protect cloud-to-cloud traffic

Option 2: Zero Trust Network Access (ZTNA)

What it is: Application-specific secure access without traditional VPN.

Best for: Cloud-first firms, those with distributed applications.

How it works:

  • User authenticates to identity provider
  • Policy engine evaluates user, device, and context
  • Access granted to specific application only
  • No broad network access
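
The decision flow above, sketched as an added example (not code from any ZTNA product or from this guide's author). The application names, groups, and policy fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    groups: frozenset        # roles asserted by the identity provider
    mfa_passed: bool
    device_managed: bool     # enrolled in MDM
    disk_encrypted: bool
    edr_healthy: bool
    country: str             # context signal
    app: str                 # the one application being requested

# Hypothetical per-application policies (names are assumptions).
POLICIES = {
    "document-management": {"groups": {"attorneys", "paralegals"},
                            "managed_only": True, "countries": {"US"}},
    "timekeeping": {"groups": {"attorneys", "paralegals", "staff"},
                    "managed_only": False, "countries": {"US", "CA"}},
}

def evaluate(req: AccessRequest) -> tuple:
    """Return (allowed, reason). Default deny; a grant covers one app only."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, "no policy for application"
    if not req.mfa_passed:
        return False, "MFA not completed"
    if not req.groups & policy["groups"]:
        return False, "role not entitled to application"
    if not (req.disk_encrypted and req.edr_healthy):
        return False, "device fails health check"
    if policy["managed_only"] and not req.device_managed:
        return False, "unmanaged device not permitted"
    if req.country not in policy["countries"]:
        return False, "location outside policy"
    return True, "allow " + req.app

# Constructed sample: a paralegal on a healthy personal (BYOD) laptop.
BYOD = dict(groups=frozenset({"paralegals"}), mfa_passed=True,
            device_managed=False, disk_encrypted=True, edr_healthy=True,
            country="US")

if __name__ == "__main__":
    for app in ("timekeeping", "document-management", "file-server"):
        print(app, evaluate(AccessRequest(app=app, **BYOD)))
```

The same user and device get a different answer per application, and an application with no policy is denied rather than reachable by default.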

Benefits:

  • More granular access control
  • Better performance for cloud apps
  • Easier to implement for cloud-native environments
  • Better security posture (no network-level access)

Option 3: Hybrid Approach

What it is: VPN for on-premises resources, ZTNA for cloud applications.

Best for: Most firms in transition from on-premises to cloud.


Endpoint Security

Step 1: Establish Device Standards

Company-owned devices (recommended):

  • Full control over configuration and security
  • Can enforce all policies
  • Easier compliance demonstration
  • Higher cost, more management burden

BYOD (Bring Your Own Device):

  • Lower cost
  • Employee preference
  • Requires mobile device management (MDM)
  • Privacy and legal complexities

Hybrid approach:

  • Company devices for employees with sensitive access
  • BYOD with MDM for others
  • Clear policy on what's required for each

Step 2: Deploy Endpoint Protection

Minimum requirements:

  • Endpoint Detection and Response (EDR) - Not just antivirus
  • Full-disk encryption
  • Automatic updates enabled
  • Firewall enabled and configured
  • Screen lock after inactivity

For professional services firms:

  • Data Loss Prevention (DLP) rules
  • USB device control
  • Application whitelisting for high-risk roles
  • Browser isolation for web-based research

Step 3: Implement Mobile Device Management

What it does:

  • Enforces security policies on devices
  • Enables remote wipe if device is lost
  • Separates work and personal data
  • Provides inventory and visibility

Key policies:

  • Require device encryption
  • Require passcode/biometric unlock
  • Block jailbroken/rooted devices
  • Automatic lock after inactivity
  • Remote wipe capability

Data Protection

Step 1: Classify Your Data

Not all data is equally sensitive. Classification enables appropriate protection.

Example classification scheme:

  • Confidential: Client matters, privileged communications, financial data
  • Internal: Business operations, internal communications
  • Public: Marketing materials, public filings

Step 2: Implement Encryption

Data at rest:

  • Full-disk encryption on all devices
  • Database encryption for stored data
  • Encrypted backup storage

Data in transit:

  • TLS 1.2+ for all network communications
  • VPN or ZTNA for remote access
  • Encrypted email for external confidential communications

Step 3: Prevent Data Leakage

Data Loss Prevention (DLP):

  • Identify sensitive content in emails, files, messages
  • Block or warn on risky sharing
  • Log all external sharing for review

Key DLP rules for professional services:

  • Social Security numbers
  • Client matter numbers
  • Financial data patterns
  • Privileged communication markers
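
An added example (not from the original guide or any DLP product) showing how the rules above can be expressed as content checks with a block/warn/log decision. The client.matter number format, the firm.example domain, and the choice of which rules block versus warn are assumptions.

```python
import re

RULES = {
    # SSN structure: area never 000, 666 or 9xx; group and serial never all zeros.
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # Assumed firm convention: 5-digit client number, dot, 4-digit matter number.
    "matter_number": re.compile(r"\b\d{5}\.\d{4}\b"),
    "privileged_marker": re.compile(
        r"attorney[- ]client privileged?|privileged (?:and|&) confidential"
        r"|attorney work product", re.I),
}
# Financial data pattern: 13 to 19 digits, optionally separated, then checksum.
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum; discards most digit runs that are not card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan(text: str) -> set:
    """Return the names of every rule that matches the text."""
    hits = {name for name, rx in RULES.items() if rx.search(text)}
    if any(luhn_ok(m.group()) for m in CARD.finditer(text)):
        hits.add("card_number")
    return hits

def decide(text: str, recipient_domain: str,
           internal=frozenset({"firm.example"})) -> dict:
    """Block or warn on risky external sharing; log every external send."""
    hits = scan(text)
    external = recipient_domain.lower() not in internal
    if external and hits & {"ssn", "card_number", "privileged_marker"}:
        action = "block"
    elif external and hits:
        action = "warn"
    else:
        action = "allow"
    return {"action": action, "rules": sorted(hits), "log": external}

# Constructed messages for illustration only.
SAMPLES = [
    ("Re matter 10482.0007: draft engagement letter attached.", "client.example"),
    ("PRIVILEGED & CONFIDENTIAL. Taxpayer SSN 123-45-6789.", "mail.example"),
]
```

The structural SSN check and the Luhn checksum are what keep reference numbers and random digit runs from triggering a block.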

Step 4: Secure File Sharing

Don't do:

  • Email attachments for large or sensitive files
  • Consumer file sharing (personal Dropbox, Google Drive)
  • USB drives for transferring files

Do:

  • Enterprise file sharing (SharePoint, Box, etc.)
  • Expiring links with access controls
  • Audit logging of all access
  • Client portals for external sharing

Communication Security

Email Security

Technical controls:

  • Advanced threat protection (attachment sandboxing, URL analysis)
  • DMARC/DKIM/SPF (prevent domain spoofing)
  • External email banners
  • Encryption for sensitive communications

For legal/accounting firms:

  • Ethical walls (matter-based access controls)
  • Legal hold capabilities
  • E-discovery readiness

Video Conferencing

Platform selection criteria:

  • End-to-end encryption option
  • Waiting room/admission controls
  • Meeting passwords
  • Host controls (muting, removal, screen share limits)
  • Recording controls and notifications

Policy considerations:

  • When encryption is required
  • Recording policies and disclosure
  • Background/environment requirements
  • Client confidentiality in shared spaces

Instant Messaging

Enterprise requirements:

  • Compliance archiving
  • Data retention controls
  • DLP integration
  • Access controls

Avoid: Consumer messaging (WhatsApp, personal Slack) for work communications.


Monitoring and Incident Response

What to Monitor

Essential monitoring:

  • Authentication events (successful and failed)
  • Access to sensitive data
  • External sharing and email
  • VPN/remote access connections
  • Security tool status

For compliance:

  • Document what you monitor and why
  • Retain logs per regulatory requirements
  • Protect log integrity

Incident Response for Remote Workforce

Additional considerations:

  • How to reach employees after hours
  • Remote device isolation capabilities
  • Evidence collection from remote devices
  • Communication during incident (if email is compromised)

Training and Policy

Security Awareness Training

Remote-specific topics:

  • Secure home network setup
  • Physical security (screen privacy, document handling)
  • Public WiFi risks
  • Social engineering in remote context
  • Reporting suspicious activity remotely

Remote Work Policy

Essential elements:

  • Approved devices and requirements
  • Acceptable use of work systems
  • Physical security requirements (private space, screen privacy)
  • Incident reporting procedures
  • Consequences for policy violations

Getting Started: 30-60-90 Day Plan

Days 1-30: Foundation

  • Enable MFA on email and remote access
  • Deploy or upgrade endpoint protection
  • Document current remote work practices
  • Begin security awareness training

Days 31-60: Hardening

  • Implement SSO where possible
  • Deploy mobile device management
  • Enable DLP policies
  • Review and improve access controls

Days 61-90: Maturity

  • Implement advanced threat protection
  • Deploy secure file sharing solution
  • Conduct remote work security assessment
  • Establish ongoing monitoring and review

Partner for Success

Secure remote work requires expertise across identity management, network security, endpoint protection, and compliance. Most professional services firms don't have—and shouldn't need—this expertise in-house.

Layth Solutions has been supporting NYC professional services firms for 30 years. We understand the unique requirements of legal, accounting, and consulting practices—confidentiality obligations, regulatory requirements, and the need for systems that enable rather than impede productivity.

Request a remote work security assessment to understand your current posture and develop a roadmap for secure, productive remote work.
