Guide

Home-Work Security Checklist for Freelancers and Remote Teams

A practical setup for separating work and personal accounts, strengthening sign-in, updating devices, handling phishing, and preparing offboarding.

July 15, 2026 Reviewed July 15, 2026 By Armstrong Desk Remote Work remote work security checklist
Security checklist for a home and remote work setup

A home office often mixes personal email, household Wi-Fi, client files, work accounts, shared devices, and recovery phone numbers. The main security problem is not that the work happens at home. It is that ownership and access boundaries are easy to leave undefined.

CISA's Secure Our World program centers four useful actions: recognize phishing, use strong passwords, turn on multifactor authentication, and keep software updated. A remote-work setup turns those actions into an inventory, a routine, and an offboarding plan.

Inventory the devices, accounts, and data first

List every device used for work, including computers, phones, tablets, storage drives, routers, security keys, and employer equipment. For each one, record the owner, operating system, update status, encryption status, screen lock, backup method, and who can administer or erase it.

Then list work email, identity provider, cloud storage, communication, code, finance, customer, password, and remote-access accounts. Identify the recovery email, recovery phone, administrator, and data owner. An account with a personal recovery channel may remain accessible after a contract ends; a personal account controlled by a company address may become inaccessible.

Classify the most sensitive data handled: customer records, credentials, health or financial information, source code, contracts, or regulated material. Follow the organization's requirements rather than inventing a personal storage method.

Create a visible work-personal boundary

Use employer-managed equipment when required. When personal equipment is permitted, use a separate operating-system profile, browser profile, and storage location. Do not sync work passwords or files into a family browser, consumer photo backup, or personal cloud account without explicit authorization.

Understand mobile-device-management and remote-wipe terms before enrolling a personal device. Ask whether the organization can see installed apps, location, browsing, files, or the entire device, and what will be removed at offboarding.

Keep household users out of the work profile and lock the screen whenever the device is unattended. Physical access is still access, even when every cloud account has a strong password.

Strengthen sign-in and recovery

Use a unique password for every account and store it in an approved password manager. CISA recommends strong passwords and password managers because reused credentials let one breach spread across accounts.

Enable multifactor authentication wherever available, prioritizing email, identity, finance, code, cloud storage, and password-manager accounts. Use the strongest factor supported by the organization and keep backup codes in a protected location separate from the primary device. A text message factor is better than password-only access, but some higher-risk systems may require an authenticator or hardware key.

Review recovery methods as carefully as the main login. Remove old phone numbers, former employees, abandoned personal addresses, and unknown devices. Test the recovery path before an emergency without weakening it.

Make updates and backups routine

Enable automatic security updates for the operating system, browser, office tools, communication apps, password manager, router, and other supported software. CISA notes that updates fix flaws that attackers can use. Replace unsupported devices or isolate them from work rather than assuming an old system is safe because it still runs.

Use the organization's approved backup and versioning process. A backup should protect against deletion, device failure, and where designed, ransomware; simple synchronization can copy a destructive change to every device. Know who can restore a file, how far history goes, and whether the restore process has been tested.

Build a phishing pause into daily work

Remote workers receive meeting links, shared documents, password resets, invoices, recruiter messages, and support requests all day. Attackers imitate the same workflow. Before opening an attachment, entering credentials, approving MFA, or changing payment details, check the sender, destination domain, context, and request through a second verified channel.

Unexpected urgency, secrecy, gift-card or cryptocurrency instructions, a new bank account, an MFA prompt you did not initiate, or a request to install remote-control software should stop the workflow. Report the message through the organization's process. Do not forward a suspicious attachment to coworkers as an example.

Control remote access and local networking

Use only approved remote-access, VPN, and device-management tools. Remove unused remote-control software and disable services that are not required. Never expose a work computer directly to the internet to solve a convenience problem.

Change default router administration credentials, apply supported firmware updates, use current wireless security, and keep guest or untrusted household devices separated where the equipment permits. Public Wi-Fi adds uncertainty; follow the employer's remote-access policy and avoid sensitive work when the required protections are unavailable.

NIST's telework and bring-your-own-device guidance provides a broader framework for organizations managing remote access. Individual workers should not replace an enterprise security policy with a personal checklist, but they can surface where the policy is missing.

Prepare incident and offboarding steps

Know how to report a lost device, suspicious login, misdirected file, malware alert, or accidental disclosure. Save the security contact and device identifiers somewhere available even if the work account is locked. Do not investigate by deleting evidence or continuing to use a possibly compromised device unless instructed.

At offboarding, return equipment, transfer business records through an approved process, revoke sessions and access tokens, remove work profiles, rotate shared credentials, and confirm what personal devices will retain or erase. The organization should preserve records it owns; the worker should not keep customer or company data “just in case.”

A secure home-work setup is not a one-time purchase. It is a boundary that stays understandable as clients, devices, tools, and contracts change.

Sources