Your Home Network Is Now a Branch Office
Three years into the permanent remote work shift, one thing still hasn’t changed: most home networks run on the same settings they had when the ISP technician left the house. Default admin passwords. Firmware from 2022. A single flat network where the work laptop, the kids’ tablets, a ring doorbell, and a smart thermostat all share the same subnet.
That was fine when “working from home” meant answering emails on a snow day. It’s not fine when your home office processes client data, accesses production databases, or handles financial records five days a week. According to CISA’s telework guidance, the home network is now the security perimeter for millions of workers — and most of those perimeters have holes you could drive a truck through.
I’ve spent the past two years auditing home setups for small teams that went fully remote. The pattern is consistent: people lock down their laptops but ignore everything upstream. The router is the front door, and it’s usually unlocked. This checklist is the result of those audits — the specific changes that actually reduce risk, ordered by impact, with honest notes on what doesn’t matter as much as vendors want you to think.
Router Hardening: The Foundation Everything Else Sits On
Your router is the single device that every packet — work and personal — flows through. If it’s compromised, nothing downstream matters. VPNs, antivirus, full-disk encryption — all irrelevant if an attacker owns the router and can redirect, intercept, or modify traffic at will.
Change the Default Admin Credentials
This sounds insultingly basic, and yet: a 2023 study found that a large percentage of home routers still use factory admin credentials. The username is “admin.” The password is “admin” or “password” or printed on a sticker that anyone within camera range of a video call can photograph.
Change the admin password to something long and unique. Store it in your password manager. While you’re in the admin panel, disable remote management (WAN-side access to the admin interface). There is almost never a legitimate reason for your router’s admin panel to be reachable from the internet.
Update the Firmware
Router firmware updates patch known vulnerabilities — the kind that have public exploit code floating around on GitHub. The VPNFilter malware that infected over 500,000 routers worldwide exploited known, already-patched vulnerabilities. The victims simply hadn’t updated.
Here’s what to do:
- Log into your router’s admin panel (usually 192.168.1.1 or 192.168.0.1)
- Find the firmware or system update section
- Check for and install any available updates
- Enable automatic updates if the option exists
- Set a monthly calendar reminder to verify the firmware is current
If your router hasn’t received a firmware update in over 18 months, the manufacturer has likely end-of-lifed it. Replace it. A $100 router with active security patches beats a $300 router that stopped getting updates in 2023.
Disable WPS and UPnP
Wi-Fi Protected Setup (WPS) has been broken since 2011. The Reaver attack can brute-force a WPS PIN in hours. Disable it.
Universal Plug and Play (UPnP) lets devices on your network automatically open ports on your router — convenient for gaming, dangerous for security. Malware routinely uses UPnP to punch holes in the firewall without any user interaction. Disable it and manually forward only the ports you actually need (which, for most remote workers, is zero).
Wi-Fi Security Settings That Actually Matter
Not all Wi-Fi security configurations carry equal weight. Here’s what to prioritize and what to skip.
Use WPA3 (or WPA2-AES as a Fallback)
WPA3 is the current standard for Wi-Fi encryption. It provides stronger protection against offline dictionary attacks and offers forward secrecy — meaning even if your password is eventually compromised, previously captured traffic remains encrypted. If your router supports WPA3, enable it. If older devices can’t connect, use WPA2/WPA3 mixed mode.
Never use WEP or WPA-TKIP. They’re broken beyond repair and offer effectively no protection.
Make Your Password Long, Not Complex
A 20-character passphrase like copper-filing-cabinet-tuesday is significantly harder to crack than X#9k!2mQ and infinitely easier to type when connecting a new device. Wi-Fi brute-force attacks scale with password length, not symbol complexity. Aim for at least 16 characters.
Hide the SSID? Don’t Bother
This is security theater. Hidden SSIDs are trivially discoverable with free tools like Kismet or even built-in OS utilities. Hiding the SSID adds zero real protection while making it harder for legitimate devices to connect. A strong password and WPA3 do the actual work.
| Security Measure | Real Protection Level | Effort | Recommendation |
|---|---|---|---|
| WPA3 encryption | High | Low (one setting change) | Must-do |
| Long passphrase (16+ chars) | High | Low | Must-do |
| Disable WPS | High | Low | Must-do |
| Disable UPnP | Medium-High | Low | Must-do |
| MAC address filtering | Very Low | High (maintain device list) | Skip it |
| Hide SSID | None | Low | Skip it |
| Reduce transmit power | Low | Medium | Situational |
Network Segmentation: Keep Work and Personal Apart
This is the single highest-impact change most remote workers haven’t made. Network segmentation means putting your work devices on a separate network from everything else in the house — IoT devices, smart TVs, gaming consoles, kids’ phones.
Why Segmentation Matters
If your kid downloads a sketchy Minecraft mod and it drops malware on their laptop, that malware can scan the local network and find your work computer. On a flat network (one where everything shares the same subnet), there’s nothing stopping lateral movement. Segmentation creates a boundary.
The real-world implications aren’t theoretical. The Target data breach in 2013 — one of the largest in retail history — started from an HVAC contractor’s compromised credentials. The HVAC system was on the same network as payment processing. Different devices, same network, catastrophic result.
How to Set It Up
Most modern routers offer at least two approaches:
Guest network isolation — Create a guest network with client isolation enabled. Put all your IoT and personal devices on the guest network. Keep your work devices on the primary network. This is the simplest option and takes about five minutes.
VLAN-capable router — If you have a more advanced router (Ubiquiti, pfSense, MikroTik, or similar), create separate VLANs for work, personal, and IoT traffic with firewall rules controlling what can communicate across segments.
Physical separation — A dedicated travel router or secondary access point for work devices. Overkill for most people, but some industries with strict compliance requirements (healthcare under HIPAA, finance) may require it.
For most remote workers, option one — the guest network — gets you 80% of the security benefit with 5% of the complexity. Start there.
VPN Configuration: What Your Employer Provides vs. What You Need
There’s consistent confusion around VPNs in the remote work context, because the word “VPN” covers two very different things.
Corporate VPN vs. Personal VPN
Your corporate VPN (Cisco AnyConnect, GlobalProtect, Zscaler, WireGuard to the office) creates an encrypted tunnel between your work laptop and your employer’s network. It protects work traffic in transit and lets you access internal resources. This is non-negotiable — if your employer provides one, use it every time you work.
A personal/consumer VPN (like those from NordVPN, ExpressVPN, or Mullvad) encrypts traffic from your device to the VPN provider’s server. It’s useful for privacy on public Wi-Fi and for bypassing geographic restrictions, but it doesn’t replace a corporate VPN and doesn’t secure your home network.
What neither VPN does: protect devices that aren’t running the VPN client. Your smart doorbell, your printer, your kid’s tablet — those are all still exposed on your home network regardless of what VPN tunnel your work laptop has open.
When a Router-Level VPN Makes Sense
Some remote workers install a VPN client directly on their router, encrypting all household traffic. This has tradeoffs:
- Pros: Every device gets VPN protection automatically, no per-device configuration needed
- Cons: Reduced bandwidth (consumer routers struggle with VPN encryption overhead), potential conflicts with corporate VPN split-tunneling, and streaming services that block VPN IP ranges
A router-level VPN is most useful if you frequently work from locations with untrusted networks (Airbnbs, shared housing) or want blanket DNS-level privacy for the household. For a standard home office on a private connection, it’s a nice-to-have, not a need-to-have. For more on choosing between options, see our comparison of the best VPNs for remote workers.
DNS Security: The Overlooked Layer
Most home networks use whatever DNS server the ISP assigned — which means your ISP sees every domain you resolve, and those DNS queries travel unencrypted. Changing your DNS settings takes two minutes and adds a meaningful layer of protection.
Use Encrypted DNS
Switch to a DNS provider that supports DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT):
- Cloudflare (1.1.1.1) — fast, supports DoH/DoT, offers a malware-blocking variant at 1.1.1.2
- Quad9 (9.9.9.9) — blocks known malicious domains automatically using threat intelligence feeds
- Google Public DNS (8.8.8.8) — reliable but doesn’t block malicious domains by default
- NextDNS — customizable filtering with per-device policies, useful for families
Set the DNS at the router level so every device on the network benefits, not just the ones you remember to configure individually. If your router supports DoH or DoT natively (many 2024+ models do), enable it. Otherwise, a Pi-hole or AdGuard Home on a Raspberry Pi can handle encrypted DNS for the whole network.
Why This Matters for Remote Workers
DNS-based attacks — particularly DNS hijacking and cache poisoning — can redirect your browser to convincing phishing pages without triggering browser warnings. If an attacker compromises your ISP’s DNS or your router’s DNS settings, typing yourbank.com could land you on a perfect replica controlled by the attacker. Encrypted DNS to a trusted resolver eliminates this entire category of attack.
Common Mistakes That Create a False Sense of Security
This section exists because I’ve seen every one of these in real home office audits. People do these things thinking they’re protected, and they’re not.
Relying Solely on Antivirus
Endpoint antivirus catches known malware on the device running it. It does nothing about a compromised router, an insecure IoT device scanning your network, or a DNS hijack redirecting your traffic. Antivirus is one layer, not the whole stack.
Using the Same Password for Wi-Fi and Router Admin
Surprisingly common. Someone sets a strong Wi-Fi password and then uses the same one for the router admin panel. Anyone who connects to the Wi-Fi (guests, kids’ friends, a compromised IoT device) now has the credentials to reconfigure the router.
Never Checking Connected Devices
Log into your router’s admin panel right now and look at the connected device list. If you see devices you don’t recognize, you have a problem. Most people haven’t checked this list since setup day. Make it a monthly habit — it takes thirty seconds.
Assuming “My Data Isn’t Valuable”
This is the most dangerous assumption. Attackers don’t target remote workers because they want your personal files. They target you because your home network is the path to your employer’s network. You’re not the objective — you’re the door. A compromised home router gives an attacker a persistent position inside a network that tunnels directly into corporate infrastructure every workday.
Ignoring Firmware on Everything Except the Router
Your network-attached printer, your NAS, your smart home hub, your mesh Wi-Fi satellites — all of these run firmware, all of them have had critical vulnerabilities, and most of them never get updated. If it has an IP address, it needs patching.
🔑 Key Takeaways
- Your router is the security perimeter — harden it first (admin credentials, firmware, disable WPS/UPnP)
- Segment your network: put work devices on a separate network from IoT and personal gear, even if it’s just a guest network
- A corporate VPN protects work traffic in transit but does nothing for the rest of your home network — you still need to secure the local environment
- Switch DNS to an encrypted provider like Quad9 or Cloudflare at the router level for network-wide protection
- Check your connected device list monthly and patch firmware on everything, not just the router
Frequently Asked Questions
Do I need a separate router for my work devices if I work from home?
Not necessarily a separate physical router, but you should use network segmentation. Most modern routers support guest networks or VLANs that isolate work devices from smart TVs, game consoles, and other personal gear. This prevents lateral movement if any device on the home network gets compromised. A guest network with client isolation enabled is the easiest starting point.
Is my employer’s VPN enough to secure my home network?
A corporate VPN encrypts traffic between your laptop and the office, but it does nothing for the rest of your home network. Your router firmware, Wi-Fi password, IoT devices, and DNS settings are all outside the VPN tunnel. You need to secure the local network independently — the VPN protects one tunnel, not the entire environment around it.
How often should I update my router firmware?
Check for firmware updates at least once a month. Many critical router vulnerabilities — like the ones exploited by the VPNFilter malware campaign — were patched within days, but home users who never checked remained exposed for months or years. Enable automatic updates if your router supports it, and replace routers that have stopped receiving patches.
Should I use my ISP’s provided router or buy my own?
Buying your own router is almost always better for security. ISP-provided routers frequently have remote management enabled by default, use shared credentials across models, and receive slower firmware updates. A dedicated router from a reputable brand gives you more control over security settings, faster patches, and often better performance. Budget $80–$150 for a solid WPA3-capable router with active firmware support.
Putting It All Together
Securing a home network for remote work isn’t about buying expensive hardware or becoming a network engineer. It’s about closing the specific gaps that attackers actually exploit — default credentials, unpatched firmware, flat networks, and unencrypted DNS. The checklist above, worked through in order, takes an afternoon and dramatically reduces the risk that your home office becomes the weak link in your employer’s security chain. If you’re also evaluating which VPN fits your work setup, check out our guide on how to choose a VPN for working from home, or if you’re setting up a new home office from scratch, our complete home office cybersecurity setup guide covers the full picture from hardware to software.