IT Checklist for Secure Remote Working: What Every London SMB Needs

2 May 2026 · 5 min read · By Hak, VantagePoint Networks

The shift towards remote working has become the norm for London SMBs, particularly in professional services, legal, and financial sectors. Yet many organisations remain exposed to significant security risks simply because they lack a comprehensive IT checklist for remote working. Whether your team works from home full-time, operates on a hybrid basis, or responds to unexpected disruptions, the controls you put in place today directly determine your resilience and your clients' trust tomorrow. This guide walks you through the essential technical, procedural, and policy measures that every London SMB should implement—starting now.

Device Security and Access Controls

Your team's laptops, tablets, and phones are the frontline of your security perimeter. When employees work outside your office, these devices become mobile entry points into your network and client data. The first pillar of any IT checklist for remote working is ensuring every device meets a baseline security standard.

Begin with device inventory and ownership. Document every device that connects to your company network—including personal devices if you operate a bring-your-own-device (BYOD) policy. Assign responsibility and establish clear expectations about who can use what. This is particularly critical for legal and financial services, where client confidentiality obligations demand strict control.

Next, enforce mandatory security measures across all devices:

For firms with sensitive workloads, consider endpoint detection and response (EDR) tools that offer deeper visibility into what happens on each device. Many London SMBs underestimate how quickly ransomware or data theft can escalate; proactive endpoint monitoring is your early warning system.

Network, Access, and Authentication Architecture

Remote workers connecting from coffee shops, co-working spaces, and home offices introduce unpredictable network conditions and potential weak links in your security chain. Your authentication and network access strategy must compensate for this loss of physical perimeter control.

Virtual Private Network (VPN) and Secure Access

A reputable VPN is table stakes. It encrypts all traffic between the remote device and your company network, preventing eavesdropping on public Wi-Fi and obscuring your location from external observers. However, not all VPNs are equal. Enterprise-grade VPN solutions with multi-factor authentication, endpoint compliance checks, and granular access controls significantly outperform consumer VPN tools.

Many SMBs default to basic VPN configurations. Instead, implement a Zero Trust approach: every access request—whether from an office or a remote location—must be verified, regardless of prior trust. This means requiring MFA on VPN login, validating that the device is compliant with your security policies before granting access, and logging all connections for audit trails.
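The access decision described above can be sketched as follows. This is an added example, not code from VantagePoint Networks or any VPN product; the posture fields, device IDs and the evaluate function are hypothetical. The source network is recorded but never used to grant access, so an office connection gets no shortcut.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class AccessRequest:
    user: str
    device_id: str
    mfa_passed: bool
    source_network: str  # "office" or "remote"; logged, never trusted

# Constructed device posture inventory (hypothetical fields and IDs).
DEVICE_POSTURE = {
    "LT-0041": {"disk_encrypted": True, "os_patched": True, "edr_running": True},
    "LT-0077": {"disk_encrypted": True, "os_patched": False, "edr_running": True},
}

def evaluate(request, posture=DEVICE_POSTURE, audit_log=None, now=None):
    """Return (allowed, reasons); append one JSON audit record per request."""
    reasons = []
    if not request.mfa_passed:
        reasons.append("mfa_not_completed")
    device = posture.get(request.device_id)
    if device is None:
        # Devices missing from the inventory are denied, not assumed compliant.
        reasons.append("device_not_in_inventory")
    else:
        reasons += [f"device_failed_{check}"
                    for check, ok in sorted(device.items()) if not ok]
    allowed = not reasons
    if audit_log is not None:
        # Denied attempts are logged as well as allowed ones.
        audit_log.append(json.dumps({
            "time": (now or datetime.now(timezone.utc)).isoformat(),
            "user": request.user,
            "device": request.device_id,
            "network": request.source_network,
            "decision": "allow" if allowed else "deny",
            "reasons": reasons,
        }))
    return allowed, reasons
```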

Cloud Services and Single Sign-On (SSO)

Professional services, legal firms, and financial advisers increasingly rely on cloud applications—Microsoft 365, Google Workspace, Salesforce, document management platforms, and bespoke line-of-business systems. Rather than maintaining complex username-and-password inventories across dozens of tools, implement a centralised authentication platform using SSO and MFA.

SSO reduces user friction (and the temptation to reuse passwords), centralises logging and audit trails, and gives you a single control point if a user leaves the organisation or credentials are compromised. Pair this with conditional access policies that flag unusual login patterns (a user accessing their email from Singapore at 3 a.m., for example) and require additional verification.
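A minimal version of that conditional access check, run over constructed sign-in records. This is an added example, not taken from any SSO product; the log format, user names and the 07:00 to 20:59 working window are assumptions, and timestamps are taken to be in office local time.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sign-in history: timestamp (office local time), user, country.
SIGN_INS = """\
2026-04-27T09:12:00,asmith,GB
2026-04-28T08:47:00,asmith,GB
2026-04-28T10:05:00,bjones,GB
2026-04-29T18:30:00,bjones,FR
2026-04-30T03:04:00,asmith,SG
2026-04-30T23:40:00,bjones,GB
"""

WORK_HOURS = range(7, 21)  # assumption: sign-ins from 07:00 to 20:59 are normal

def parse(lines):
    """Yield (timestamp, user, country) from comma-separated sign-in lines."""
    for line in lines.strip().splitlines():
        ts, user, country = (field.strip() for field in line.split(","))
        yield datetime.fromisoformat(ts), user, country

def review(lines, work_hours=WORK_HOURS):
    """Return (timestamp, user, reasons) for sign-ins needing extra verification."""
    baseline = defaultdict(set)  # countries each user has signed in from cleanly
    flagged = []
    for ts, user, country in sorted(parse(lines)):
        reasons = []
        # A user's first sign-in has no baseline to compare against.
        if baseline[user] and country not in baseline[user]:
            reasons.append("new_country")
        if ts.hour not in work_hours:
            reasons.append("outside_work_hours")
        if reasons:
            flagged.append((ts.isoformat(), user, reasons))
        else:
            # Only unflagged sign-ins extend the baseline, so an unverified
            # login cannot whitelist its own location.
            baseline[user].add(country)
    return flagged
```

Each flagged entry is a sign-in that should trigger additional verification before the session is granted.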

Data Protection and Compliance

For professional services and regulated sectors, data protection isn't just a security best practice—it's often a legal requirement. Your IT checklist must account for where sensitive data lives, how it's transmitted, and who can access it.

Data Classification and Handling

Start by classifying your information: public, internal, confidential, and restricted. Client files in legal or financial services almost always fall into the restricted category. Define explicit handling rules for each tier—where it can be stored, who can access it, whether it can be downloaded to personal devices, and how it must be deleted.

For remote workers, this typically means:

Backup and Disaster Recovery

Remote workers often save files locally on their laptops for convenience and offline access. If that laptop fails, is stolen, or is corrupted by malware, you risk losing irreplaceable client work. Enforce mandatory, automated cloud backup for all user devices and ensure that backups are encrypted and retained for at least 30 days (ideally longer for audit purposes).

Test your recovery procedures quarterly. A backup that can't be restored under pressure is merely a false comfort.

Policies, Training, and Ongoing Governance

Technology alone is insufficient. The strongest firewall is useless if an employee unknowingly shares login credentials or clicks a phishing link. Your remote working IT checklist must include clear policies, regular training, and measurable accountability.

Document a formal remote working security policy covering device use, password management, acceptable use, incident reporting, and consequences for non-compliance. Ensure every team member reads, understands, and signs off on it—ideally annually. For regulated firms, document this acknowledgement for compliance purposes.

Conduct security awareness training at least twice yearly, with role-specific modules for teams handling client data (legal and financial staff, for instance). Include phishing simulations—send fake phishing emails to staff and measure who falls for them. Follow up with those who do, turning a potential security failure into a teaching moment.

Assign a security champion or small team within your organisation to oversee policy updates, lead training, monitor compliance metrics, and escalate incidents. If your organisation lacks in-house expertise, working with a specialist IT partner—such as VantagePoint Networks—can fill this gap and ensure your checklist stays current as threats evolve.

Finally, audit your checklist every quarter. Review access logs, update policies in line with new threats, measure policy compliance, and adjust based on lessons learned. Remote working isn't a temporary experiment; it's the operating model of modern SMBs. Your defence must be equally modern and evolving.
