Your Security Posture for Remote Teams Is Probably a Mess
In March 2020, IT teams across Australia performed miracles. Within days, organisations that had never supported more than a handful of remote workers suddenly had entire workforces operating from home. VPNs were spun up, laptops were distributed, and somehow things mostly worked.
The problem is that many of those emergency measures are still in place. What was meant to be temporary became permanent, and the security architecture that supported it was never redesigned for the long term.
Six years later, I’m seeing the consequences in almost every organisation I advise.
What Went Wrong
The 2020 approach to remote security was fundamentally about extending the corporate perimeter. Take the existing network security model—firewalls, VPNs, endpoint protection—and stretch it to include home networks. It worked well enough to keep businesses running during a crisis.
But it was never designed for the way people actually work in 2026.
VPN fatigue is real. Users disconnect from VPNs because they slow things down. They access cloud applications directly rather than routing through corporate infrastructure. They work from cafes, co-working spaces, and airports where network conditions are unpredictable. The VPN, which was the primary security control, is being bypassed constantly—not maliciously, just practically.
Device management has fragmented. BYOD policies expanded dramatically during the pandemic. Many organisations allowed personal devices as a temporary measure and never enforced a return to managed hardware. Now you’ve got a mix of corporate laptops, personal machines, tablets, and phones accessing company data with inconsistent security controls.
Shadow IT has exploded. When people work remotely, they adopt tools that solve immediate problems. File sharing via personal Dropbox accounts. Communication through WhatsApp. Project management on free-tier SaaS platforms. The IT department doesn’t know these tools exist, can’t enforce security policies on them, and has no visibility into the data flowing through them.
The ACSC Annual Cyber Threat Report continues to highlight that compromised credentials and phishing remain the primary attack vectors for Australian organisations. Remote work amplifies both risks.
What a Modern Approach Looks Like
The answer isn’t to force everyone back to the office or to build a bigger VPN. The answer is zero trust architecture—a model that assumes no network, device, or user should be trusted by default.
I know “zero trust” has become a vendor buzzword at this point. Every security product claims to be zero trust. But the underlying principle is sound and practical.
Verify every access request. Instead of trusting anyone inside the VPN, verify identity and device health for every access attempt. Use conditional access policies that evaluate context: is this a managed device? Is the user connecting from an expected location? Is the access pattern normal for this user?
Segment application access. Users should only reach the applications they need, not the entire network. A marketing coordinator doesn’t need access to the finance system. An engineer doesn’t need access to HR records. Micro-segmentation limits the blast radius when credentials are compromised.
Protect data at the source. Rather than trying to secure the network perimeter (which barely exists anymore), protect the data itself. Encryption, data loss prevention, and classification systems ensure that sensitive information remains controlled regardless of where it’s accessed or stored.
Monitor continuously. Security isn’t a one-time configuration. Continuous monitoring of access patterns, device health, and user behaviour allows you to detect anomalies before they become breaches.
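The first two principles above, per-request verification and per-application segmentation, can be sketched as a single decision function. This is an added example, not code from any product or from the original article; the role-to-application map, the baseline fields and the three-way allow/step_up/deny outcome are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical role-to-application segments (constructed for this example).
APP_ACCESS = {
    "marketing": {"crm", "cms"},
    "engineering": {"git", "ci"},
    "finance": {"ledger"},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    app: str
    device_managed: bool
    device_compliant: bool
    country: str
    mfa_passed: bool
    hour_utc: int  # hour of the request, 0-23

@dataclass(frozen=True)
class UserBaseline:
    expected_countries: frozenset
    usual_hours: range  # hours (UTC) in which this user normally works

def evaluate(req, baseline):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    # Segmentation: a role only reaches its own applications.
    if req.app not in APP_ACCESS.get(req.role, set()):
        return "deny", ["app not in role's segment"]
    # Device health is a hard requirement, checked on every request.
    if not (req.device_managed and req.device_compliant):
        return "deny", ["device unmanaged or non-compliant"]
    # Context signals ask for stronger proof instead of blocking outright.
    reasons = []
    if req.country not in baseline.expected_countries:
        reasons.append("unexpected location")
    if req.hour_utc not in baseline.usual_hours:
        reasons.append("unusual access time")
    if not req.mfa_passed:
        reasons.append("no MFA on this session")
    return ("step_up", reasons) if reasons else ("allow", [])
```

Note that network location (on or off the VPN) is not an input at all: the decision depends only on identity, device state and context.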
The Identity Problem
The single biggest gap I see in remote security strategies is identity management.
Most organisations still rely on username and password as the primary authentication method. Many have added multi-factor authentication—good—but often only for certain applications or certain user groups.
In a remote-first world, identity IS your perimeter. If an attacker compromises a user’s identity, they have the same access that user has, from anywhere in the world. Your VPN, your endpoint protection, your network segmentation—none of it matters if the attacker is authenticated as a legitimate user.
Strong identity management means:
- MFA on everything, no exceptions
- Passwordless authentication where possible (FIDO2 keys, biometrics)
- Session management that limits how long access tokens remain valid
- Privileged access management for administrative accounts
- Regular access reviews to remove stale permissions
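Three items on this list (MFA everywhere, bounded token lifetimes, regular access reviews) lend themselves to an automated check over an export of access grants. The following is an added example, not part of the original article; the inventory is constructed sample data, and the field names and thresholds (90 days unused, 12-hour tokens, 1-hour tokens for privileged accounts) are assumptions to be replaced with your own policy.

```python
from datetime import date, timedelta

# Constructed sample inventory: one row per user/application grant.
GRANTS = [
    {"user": "alice", "app": "ledger", "privileged": True, "mfa": True,
     "token_ttl_h": 1, "last_used": date(2026, 2, 20)},
    {"user": "bob", "app": "crm", "privileged": False, "mfa": False,
     "token_ttl_h": 8, "last_used": date(2026, 2, 25)},
    {"user": "carol", "app": "admin-console", "privileged": True, "mfa": True,
     "token_ttl_h": 24, "last_used": date(2026, 2, 27)},
    {"user": "dave", "app": "git", "privileged": False, "mfa": True,
     "token_ttl_h": 8, "last_used": date(2025, 10, 1)},
    {"user": "erin", "app": "hr", "privileged": False, "mfa": True,
     "token_ttl_h": 8, "last_used": None},  # granted but never used
]

def audit(grants, today, stale_days=90, max_ttl_h=12, max_priv_ttl_h=1):
    """Return a list of (user, app, finding) tuples for grants that break policy."""
    findings = []
    for g in grants:
        key = (g["user"], g["app"])
        # MFA on everything, no exceptions.
        if not g["mfa"]:
            findings.append(key + ("mfa_missing",))
        # Privileged sessions get a tighter token lifetime than ordinary ones.
        limit = max_priv_ttl_h if g["privileged"] else max_ttl_h
        if g["token_ttl_h"] > limit:
            findings.append(key + ("token_ttl_too_long",))
        # A grant never used, or unused for too long, is a candidate for removal.
        last = g["last_used"]
        if last is None or today - last > timedelta(days=stale_days):
            findings.append(key + ("stale_grant",))
    return findings

if __name__ == "__main__":
    for user, app, finding in audit(GRANTS, date(2026, 3, 1)):
        print(f"{user:6} {app:14} {finding}")
```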
I had a conversation recently with an AI consultancy about how they handle identity verification across distributed teams, and their approach reinforced something I’ve observed: the organisations doing identity well are the ones that treat it as a foundational capability rather than an IT hygiene task.
Practical Steps for Mid-Market Organisations
Not everyone has the budget for a full zero trust transformation. Here’s what I’d prioritise for a mid-market Australian organisation with 200-1,000 employees.
Phase 1: Identity (months 1-3). Deploy MFA across all applications. Implement conditional access policies. Set up automated access reviews. Cost: typically $20,000-$50,000 for licensing and implementation.
Phase 2: Endpoint (months 3-6). Standardise on managed devices or implement proper MDM for BYOD. Deploy modern endpoint detection and response. Ensure all devices meet minimum security baselines before accessing corporate resources.
Phase 3: Application access (months 6-12). Move to identity-aware proxy access for key applications. Remove VPN dependency where possible. Implement proper SaaS security controls (CASB or equivalent).
Phase 4: Data protection (months 12-18). Classify sensitive data. Implement DLP policies. Ensure encryption is applied consistently.
The Culture Component
Technical controls matter, but security culture matters more in a remote environment.
When people work in an office, they absorb security practices through proximity—they see colleagues locking their screens, they hear conversations about phishing attempts, they notice the security awareness posters. Remote workers don’t get any of that ambient reinforcement.
Security awareness training for remote teams needs to be frequent, relevant, and practical. Not an annual compliance video that people click through while checking their phones. Short, specific guidance delivered regularly: how to identify phishing in the tools you actually use, how to handle sensitive data on a shared home network, what to do when you receive a suspicious request.
The organisations with the strongest remote security aren’t the ones with the most expensive tools. They’re the ones where every employee understands that security is part of their job, not someone else’s.
Your 2020 security architecture did its job. But it’s 2026 now, and pretending nothing has changed is the most expensive decision you can make.