Remote work is no longer a temporary arrangement that your firm is managing. It’s how your people work now, and the security gaps it created are still wide open.
Most professional services firms handled the transition to remote work the same way. They handed out laptops, set up VPN access, and called it done. That approach was fine in 2020 when everyone was scrambling. In 2025, it’s a liability.
The firms we work with across accounting, law, and property management all share similar setups. Attorneys reviewing client files from home networks, accountants accessing tax software from personal devices, and property managers processing payments from coffee shops. Every one of those scenarios introduces a risk that a basic VPN was never designed to cover.
Your Home Network Is Not Your Firm’s Network
Office networks are managed. Home networks are not. That difference is significant.
When your staff works from home, they’re connecting through consumer-grade routers that often run outdated firmware, have never had their default passwords changed, and share bandwidth with every smart TV, gaming console, and doorbell camera in the house. Your firm’s data is traveling through that environment.
The fix is not complicated. Requiring employees to connect through a business VPN is a start, but it’s not sufficient on its own. The stronger approach is zero-trust network access, which means every connection is verified before it reaches your systems, regardless of its origin. This is increasingly standard for firms handling sensitive client data, and it also matters for cyber insurance qualification.
If your current IT setup does not include a defined remote access policy, that gap should be addressed first.
Multi-Factor Authentication Is Not Optional
If your staff can log into client files, billing systems, or email with just a username and password, your firm is exposed. Full stop.
According to Microsoft, multi-factor authentication (MFA) blocks over 99.9% of automated account compromise attacks. It is the single highest-return security measure available to small and mid-sized firms, and it costs almost nothing to implement correctly.
The challenge we see most often is not firms refusing to implement MFA. It’s firms that enabled it inconsistently, or skipped certain applications because they were inconvenient. An accounting firm might have MFA on email but not on their practice management software. A law office might have it enabled for partners but not for support staff.
That inconsistency is where breaches happen.
MFA needs to be applied uniformly across every application that accesses client data. That includes email, document storage, billing, and any line-of-business software your staff uses remotely. Hybrid work infrastructure planning should treat authentication as a foundation, not an afterthought.
Devices Are the Weakest Link in a Distributed Workforce
When everyone worked from the office, your IT team could see every device on the network. They could push updates, enforce policies, and spot problems. Remote work changed that dynamic completely.
Take the device your paralegal is using at home right now. Are you certain it has current security patches? Do you know whether it’s running endpoint protection? If it were lost or stolen, could your team wipe it remotely?
For professional services firms, the answers to those questions need to be yes. Client confidentiality requirements, insurance obligations, and, in many cases, bar association or state CPA board standards require it.
Device management for remote employees means a few specific things in practice. Every firm-issued device should have endpoint detection and response software installed. Automatic updates should be enforced, not left to the discretion of individual employees. Also, remote wipe capability should be configured before devices leave the office, not after something goes wrong.
Personal Devices Are a Different Problem
Many firms allow employees to use personal computers or phones to access work systems. This is common and often unavoidable, particularly in smaller offices. It is also genuinely difficult to manage from a security standpoint.
You cannot install corporate security software on a personal device without creating legal and privacy complications. What you can do is control what those devices can access and how they can access it.
Mobile device management policies can enforce minimum security standards before a personal device is granted access to firm systems. Requiring a PIN, enabling device encryption, and preventing downloads of client files to local storage can all be enforced through the right configuration, even on personal devices. Your remote IT support strategy should account for this distinction.
If your firm has not made a clear decision about personal device access, it is worth making one now. Either allow it with defined controls in place, or restrict it and provide firm-issued devices where needed.
The Security Conversation You Are Not Having With Your Staff
Most data breaches in professional services firms do not start with sophisticated attacks. They start with a staff member clicking a link in a phishing email while working from home, without the informal safeguards that exist in a physical workplace.
In an office, someone might turn to a colleague and ask, “Did you see this email from a client?” That quick check happens naturally. Remote employees make those judgment calls alone.
Security awareness training is not a one-time checkbox. It needs to be ongoing, specific to the threats targeting professional services firms, and directly tied to the tools your staff uses. Credential theft targeting law firms and accounting practices is a documented and growing problem. Your training program should reflect that.
What This Looks Like in Practice
Getting remote work security right for a professional services firm does not require a large IT budget. It requires a clear-eyed assessment of where your gaps are, and a plan to close them in order of priority.
Start with an honest inventory. Which applications can staff access remotely? Which devices are being used? Is MFA enabled everywhere it should be? Are remote access policies documented?
From there, the path forward is usually straightforward. The firms that struggle are the ones that have never asked the questions.
If you want to run through that inventory, C2 Technology Partners offers a no-pressure remote work security assessment for professional services firms in Southern California. It takes about an hour and gives you a clear picture of where you stand.