⏱ 12 min read
If you’re one of the roughly 22 million Americans who now work remotely at least part-time, your company’s VPN is the front door to everything: payroll systems, customer data, internal Slack channels, and often your own personal information stored in HR portals. Yet that front door is under constant attack. In 2024, the FBI’s Internet Crime Complaint Center logged more losses tied to remote-access exploitation than almost any other category of business compromise, and VPN credential theft remains a top initial access vector in ransomware investigations tracked by CISA.
Here’s the uncomfortable truth: most remote workers treat VPN login like checking email — a password, maybe a quick tap on a phone prompt, and they’re in. That habit is exactly what attackers exploit through phishing kits, SIM-swapping, and credential-stuffing attacks pulled from old data breaches. This guide walks you through exactly how to secure your company VPN access as a US remote worker, with specific settings, tools, and habits you can implement this week — no IT degree required.
1. Lock Down Your Home Network Before You Even Touch the VPN
Your VPN connection is only as secure as the network it travels through first. Most remote workers still use the default router provided by Spectrum, Xfinity, Verizon Fios, or AT&T straight out of the box, with the manufacturer’s default admin password still active. That’s an open invitation.
Step-by-step:
- Log into your router’s admin panel (usually 192.168.1.1 or 192.168.0.1) and change the default admin username and password immediately. Use a unique passphrase of at least 16 characters.
- Update your router’s firmware. Most 2024-2025 model routers from Netgear, TP-Link, and Eero support automatic updates — turn this on in settings.
- Rename your Wi-Fi network (SSID) so it doesn’t reveal your name, address, or ISP.
- Switch encryption to WPA3 if your router supports it; WPA2-AES is the minimum acceptable fallback.
- Create a separate guest network for smart home devices (Ring doorbells, Alexa, smart TVs) so a compromised IoT gadget can’t pivot into the same network segment as your work laptop.
- Disable remote management and UPnP on the router unless your IT department specifically requires it.
Real-world example: In 2023, security researchers demonstrated how a compromised smart thermostat on a home network was used as a pivot point to capture VPN credentials typed on a nearby work laptop, because both devices sat on the same flat network with no segmentation. A $60 investment in a router that supports VLANs or guest network isolation (Eero, Asus, or Ubiquiti models) would have prevented it entirely.
If your company issues a corporate-grade router or a hardware VPN appliance for home use — increasingly common at larger firms — install it exactly per the IT department’s instructions and never bypass it to “make Wi-Fi faster.” Speed shortcuts are how breaches start.
2. Enable Phishing-Resistant Multi-Factor Authentication (MFA) — Not Just SMS Codes
Multi-factor authentication is non-negotiable for VPN access in 2026, but not all MFA is equal. SMS-based one-time codes are vulnerable to SIM-swapping, a crime the FCC has specifically targeted with new carrier-verification rules, but which still succeeds against under-protected accounts. If your company’s VPN login only offers a text-message code, push for better options.
Actionable steps:
- Ask your IT department whether your VPN client (Cisco AnyConnect, Palo Alto GlobalProtect, Fortinet FortiClient, or a Zero Trust platform like Cloudflare Access) supports authenticator apps or hardware keys.
- If given a choice, select an authenticator app (Microsoft Authenticator, Google Authenticator, or Duo Mobile) over SMS. These generate time-based codes locally on your device and can’t be intercepted via a carrier hack.
- For the highest security tier, request a physical security key such as a YubiKey that supports FIDO2/WebAuthn. Many enterprise VPN and SSO platforms (Okta, Duo Security, Microsoft Entra ID) support hardware keys as a primary or backup factor.
- Register at least two MFA methods (app + hardware key, or app + backup codes) so a lost phone doesn’t lock you out or force you to use a weaker fallback method.
- Never approve an MFA push notification you didn’t personally initiate. If you get a surprise Duo or Okta prompt while your laptop is closed, deny it immediately and report it to IT — that’s a classic sign someone has your password and is trying to complete the login.
Real-world example: The 2022 breach of Uber’s internal systems began with an attacker bombarding an employee with repeated MFA push notifications until the employee, worn down, approved one by mistake — a tactic called “MFA fatigue.” Companies using number-matching MFA (where you must type a specific code shown on the login screen, not just tap “approve”) are far more resistant to this. Ask your IT team if number-matching is enabled; if not, request it.
3. Use Company-Approved VPN Clients Only — Never Free Public VPN Apps for Work
It’s tempting to think “a VPN is a VPN,” but using a free consumer VPN app instead of your employer’s sanctioned client is a serious security and possibly even legal liability. Many free VPN apps found in app stores log and sell user traffic data, which could expose confidential company communications.
Steps to stay compliant and secure:
- Only install the VPN client explicitly provided by your company’s IT department — typically distributed through a mobile device management (MDM) system like Jamf, Microsoft Intune, or Kandji.
- Never install a second, personal VPN (NordVPN, ExpressVPN, Surfshark, etc.) on your work laptop simultaneously with your corporate VPN. Running two tunnels at once can create routing conflicts that inadvertently expose traffic outside the encrypted tunnel — a phenomenon known as split-tunnel leakage.
- If your job requires accessing the VPN from a personal device (BYOD), ask IT whether they require a mobile device management profile first. Many companies legally require this under their acceptable use policy before granting VPN credentials, since it lets them enforce encryption and remote-wipe capability if the device is lost.
- Check your VPN client’s version regularly. Vulnerabilities in Ivanti, Fortinet, and Cisco VPN appliances were actively exploited by nation-state actors in 2023-2024, according to CISA advisories, and the fix required both server-side and client-side patching. If your VPN app hasn’t auto-updated in more than 30 days, contact IT.
- Confirm your VPN uses modern protocols like WireGuard or IKEv2/IPsec rather than legacy PPTP, which has known vulnerabilities.
Real-world example: In early 2024, CISA issued an emergency directive after threat actors exploited a zero-day in Ivanti Connect Secure VPN appliances used by federal agencies and private companies alike, compromising credentials before patches were even available. Employees who had been diligent about applying every available client update were far less exposed once mitigation guidance rolled out. The lesson: your individual patching habits are part of the company’s overall defense.
4. Protect the Device You Use to Connect — Not Just the Connection Itself
A perfectly encrypted VPN tunnel is worthless if malware is already sitting on your laptop, capturing keystrokes before your credentials are ever encrypted. Endpoint security is just as critical as network security for remote workers.
What to do:
- Confirm your work laptop has endpoint detection and response (EDR) software installed and active — common enterprise tools include CrowdStrike Falcon, Microsoft Defender for Endpoint, or SentinelOne. If you’re not sure, ask IT to confirm the agent is running (check your system tray icons or Task Manager for the process).
- Enable full-disk encryption. Windows machines should have BitLocker turned on; Macs should have FileVault enabled. This protects data at rest if your laptop is lost or stolen from a coffee shop or airport.
- Never disable your antivirus or EDR software “temporarily” to install unapproved software — this is one of the most common ways malware slips onto a device that later connects to the corporate VPN.
- Keep your operating system’s automatic updates turned on. The vast majority of exploited vulnerabilities in 2024 targeted systems that were behind on patches by 60+ days, according to Verizon’s annual Data Breach Investigations Report.
- Physically secure your device. Use a laptop lock in shared spaces like co-working offices, and enable “Find My” (Apple) or “Find My Device” (Microsoft/Google) so a lost machine can be remotely located or wiped.
- Avoid logging into your VPN from public computers (hotel business centers, library kiosks) under any circumstances — you have no way of verifying those machines aren’t already compromised with keyloggers.
Real-world example: A 2023 incident investigated by a major managed security provider traced a ransomware deployment back to a remote employee’s personal laptop that had disabled Windows Defender to install pirated software. Weeks later, when the employee connected to the company VPN for a routine work session, the malware already resident on the machine used that same trusted tunnel to move laterally into internal servers. The VPN itself was never “hacked” — the endpoint was the weak link.
5. Recognize and Avoid VPN-Themed Phishing Attacks
Attackers know remote workers rely heavily on VPN access, so phishing campaigns increasingly impersonate IT help desks, VPN vendors, or single sign-on providers to steal credentials directly.
Warning signs and defenses:
- Be suspicious of any email claiming your “VPN password will expire in 24 hours” or “VPN certificate needs renewal” that asks you to click a link and log in. Legitimate IT departments almost always direct you to a known internal portal, not an external link.
- Hover over links before clicking to see the actual destination URL. Fake login pages often use lookalike domains (e.g., “yourcompany-vpn-login.com” instead of your real corporate domain).
- Call your IT help desk using a number you already have on file — not one provided in the suspicious email — if you’re ever unsure about a VPN-related request.
- Report phishing attempts to your company’s security team immediately, and forward suspicious emails to the Anti-Phishing Working Group or your IT department’s designated abuse address.
- Be extra cautious of “urgent” texts (smishing) claiming to be from your company’s helpdesk asking you to verify VPN credentials via a link — legitimate IT teams do not request passwords by text.
Real-world example: In 2023, a wave of phishing attacks specifically targeted employees at mid-size firms with fake “Okta security alert” emails claiming their VPN single sign-on session had been flagged for suspicious activity. Employees who clicked were sent to a near-perfect replica of their company’s real login page. Those who paused to check the URL bar noticed a one-character difference in the domain name and reported it before entering credentials — stopping the breach cold.
6. Know Your Rights and Responsibilities Around Data Privacy While Working Remotely
Securing your VPN isn’t just about stopping hackers — it also intersects with your legal rights as an employee and consumer under state privacy laws. If you live in California, Colorado, Connecticut, Virginia, or one of the growing number of states with comprehensive privacy statutes, you have specific rights regarding how your personal data is collected, even by your own employer’s monitoring tools.
What remote workers should know and do:
- Under the California Consumer Privacy Act as amended by the CPRA, California-based employees gained expanded rights in 2023 to know what personal information their employer collects through work devices and VPN monitoring tools, including the right to request details on data retention.
- Ask your HR or IT department for a copy of the company’s remote work monitoring policy. Many VPN and endpoint tools log activity data (websites visited, login times, geolocation) — you have a right to understand what’s being collected, especially in states with employee privacy protections.
- If you use a personal device for VPN access, separate personal and work activity as much as possible. Avoid logging into personal banking, healthcare portals, or shopping accounts while connected to a work VPN, since IT security tools may inadvertently log that traffic metadata.
- Report any suspected employer data misuse or a company data breach affecting your personal information to your state Attorney General’s consumer protection office; most states, including California and New York, have dedicated data breach reporting channels for consumers.
- Review your rights under the federal Federal Trade Commission’s guidance on data security if you believe your employer mishandled your personal data collected through remote work tools.
Real-world example: In 2022, several California employees filed CCPA-based complaints after learning their employer’s VPN and endpoint monitoring software was logging significantly more personal browsing data than disclosed in the company’s remote work policy. The resulting state inquiry pushed the employer to update its data retention practices and provide clearer opt-in monitoring disclosures — a reminder that your privacy rights don’t disappear just because you’re using a company-issued VPN.
Key Takeaways
- Secure your home router first: change default credentials, enable WPA3, and segment IoT devices from your work laptop’s network.
- Insist on phishing-resistant MFA (authenticator apps or FIDO2 hardware keys) rather than relying solely on SMS codes for VPN login.
- Only use your employer’s approved VPN client — never run a personal VPN app simultaneously, and keep the client fully patched.
- Endpoint security matters as much as the VPN tunnel itself: enable full-disk encryption, keep EDR software active, and never disable protections to install unapproved apps.
- Learn to spot VPN-themed phishing and smishing attempts, and always verify IT requests through a known internal channel.
- Know your state privacy rights (CCPA/CPRA and similar laws) regarding employer monitoring of VPN and device activity.
- Report suspicious VPN prompts, phishing emails, or data misuse promptly to IT, your state Attorney General, or the FTC.
Conclusion
Learning how to secure your company VPN access as a US remote worker isn’t a one-time setup task — it’s an ongoing habit that combines router hygiene, strong authentication, endpoint protection, phishing awareness, and knowledge of your privacy rights. Attackers are increasingly targeting the human and home-network layer precisely because corporate VPN infrastructure itself has gotten harder to breach directly. Take twenty minutes this week to check your router settings, confirm your MFA method, and verify your VPN client is fully updated. Your company’s data — and your own personal and financial information tied to that same device — depends on it.
Disclaimer: The content on this site is for general informational purposes only and is not legal or professional security advice. Laws vary by state; verify current requirements for your situation.

Leave a Reply