Hybrid working is normal. The cyber risks aren't new, but they multiply outside the office: lost devices, shoulder-surfing on a train, insecure home Wi-Fi, an unattended laptop in a car. This policy sets out the practical rules.
Scope
Applies to anyone working from anywhere other than a [Company Name] office.
Devices
You must use a [Company Name] managed device (company laptop or BYOD phone enrolled in MDM) to access company data. See the BYOD & Mobile Device Policy.
Network
- Home Wi-Fi must be password-protected with WPA2 or WPA3.
- The router's admin password must not be the factory default.
- When on public Wi-Fi, the company VPN must be active.
Physical security
- Don't leave devices visible in a parked car.
- Lock the screen when you step away — even at home.
- Be aware of who can see your screen on a train or in a cafe.
- Don't leave printed sensitive documents in shared spaces. Shred or take them with you.
Calls and meetings
- Be aware of what can be heard during calls — in particular customer names, financial details, anything covered by NDAs.
- For confidential calls, use a private room or headphones.
Family and household
- Company devices are for company use. They are not shared with family or visitors.
- Children, partners, and household guests do not log into company devices.
Travel abroad
Notify [Named Manager] if you'll be working from abroad for more than a few days, particularly outside the UK / EU. This affects data residency, tax, and sometimes legal access to data. Check the latest NCSC travel guidance.
Incidents
Report device loss, theft, or anything suspicious immediately — including out of hours.
Review
Reviewed annually. Last reviewed: [date].
Tips for adoption
- Issue this with the first piece of remote-work equipment — not three months later.
- Run through the practical points in induction. Most people break these out of habit, not malice.
- Pair with the BYOD policy.