There’s a category of company laptop that hasn’t been on the office network in months. It does real work, holds real data, and from the business’s point of view it’s a small fortress carrying a chunk of the company around in a rucksack. The trouble is that a lot of SME protection was built for a machine that comes home: it gets its updates from a server on the LAN, its files live on a share that’s backed up centrally, and the antivirus reports to a console someone occasionally looks at. Take the laptop off the network for good and every one of those assumptions lapses without a single alert firing.

We pick this up a lot in assessments. The remote laptop is the part of the estate most likely to be both the most exposed and the least monitored. Here’s how to close that gap.

Protection that works wherever the device is

The shift is from network-anchored security to device-anchored security. The controls travel with the laptop instead of waiting for it at the office.

Patching from the cloud, not the LAN. Operating system and application updates have to reach the device over the internet, on a schedule, with reporting that tells you which machines are behind. A remote laptop that only patches when it visits the office is a machine that, in practice, rarely patches. Cloud-managed update policies fix this, and the reporting is the bit that matters: you want to know the patch state of every device without asking anyone.

EDR, not just antivirus. Endpoint detection and response (EDR, the modern successor to antivirus that watches behaviour and can isolate a device, not just match known viruses) is the control that earns its place on a remote machine. If something does get onto a laptop in a kitchen 200 miles away, EDR is what spots the unusual behaviour and lets someone cut that device off the network remotely before it spreads. Plain signature antivirus catches yesterday’s threats; EDR is built for the ones that walk in through a logged-in user.

Disk encryption, verified. Every remote laptop should have full-disk encryption switched on (BitLocker on Windows, FileVault on Mac), and the business should hold the recovery keys centrally. A lost or stolen laptop with encryption is an inconvenience; without it, it’s a data-breach notification. The word “verified” matters: encryption you assume is on, but never check, is encryption you don’t have.

Backup for data that lives on the edge

This is the half that gets forgotten, because in the old model the important files lived on the server and the laptop was just a window onto them. On a remote machine, the data has a habit of living locally, and local data with no backup is a gap with a countdown on it.

Two things make remote backup reliable:

Get the data into managed cloud storage by default. The cleanest answer is that the important work lives in OneDrive, SharePoint or Google Drive (the managed cloud file services), syncing continuously, so the laptop is once again a window and not the only copy. This is more about how the device is set up than about a separate backup product: point the desktop, documents and the work folders at managed storage, and most of the risk evaporates.

Back up what genuinely stays local, and the cloud itself. Some data still lands on the device, and some businesses have a false sense of safety about the cloud (Microsoft and Google keep your data available, but their retention against accidental deletion or a ransomware-driven mass-delete is not the same as a real backup). A proper cloud-to-cloud backup of the M365 or Google tenant closes that gap, and it’s cheap relative to what it protects.

The test that tells you the truth

The single most useful thing you can do is the one almost nobody does: take one remote person’s laptop and actually run the scenario. Pick a machine, confirm from the console that it’s patched, encrypted, and reporting to EDR. Then restore one of their files from backup and open it. Not check a green tick, restore it.
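The “confirm from the console” step, done from the laptop’s side, as an added example that is not from the original post or the practice it describes. It assumes a Windows laptop with BitLocker, Microsoft Defender for Endpoint as the EDR (its sensor runs as the Sense service) and an Entra ID tenant to escrow keys to; the 30-day patch window and 7-day signature age are assumed thresholds, and the escrow call does write the recovery password to the tenant.

```powershell
# Added example (not the article's code): posture check for one remote Windows laptop,
# covering what the article says to confirm: patched, encrypted with keys the business
# holds, and EDR alive. Assumes BitLocker, Defender for Endpoint ("Sense" service) and
# Entra ID escrow. Run elevated on the laptop, or push it through your RMM.

param(
    [int]$MaxPatchAgeDays = 30,        # how stale "patched" may be (assumed threshold)
    [string]$EdrServiceName = 'Sense'  # change if a different EDR agent is in use
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Patch state: the newest installed hotfix date is a crude but honest signal.
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
             Select-Object -First 1 -ExpandProperty InstalledOn
if (-not $lastPatch -or $lastPatch -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $findings.Add("PATCHING: last update installed '$lastPatch' (unknown or older than $MaxPatchAgeDays days)")
}

# 2. Encryption, verified: protection must be ON and a recovery password must exist,
#    because a key that lives only on the laptop is not a key the business holds.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -ne 'On') {
    $findings.Add("ENCRYPTION: BitLocker protection is '$($os.ProtectionStatus)' on $($os.MountPoint)")
}
$recovery = $os.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    $findings.Add("ENCRYPTION: no recovery-password protector, so there is nothing to escrow")
} else {
    # Escrow each recovery password to Entra ID; harmless to repeat if already backed up.
    foreach ($kp in $recovery) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $os.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
}

# 3. EDR alive: the sensor service must be running and the AV engine current.
$edr = Get-Service -Name $EdrServiceName -ErrorAction SilentlyContinue
if (-not $edr -or $edr.Status -ne 'Running') {
    $findings.Add("EDR: service '$EdrServiceName' is $(if ($edr) { $edr.Status } else { 'not installed' })")
}
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled -or $mp.AntivirusSignatureLastUpdated -lt (Get-Date).AddDays(-7)) {
    $findings.Add("EDR: real-time protection $($mp.RealTimeProtectionEnabled), signatures dated $($mp.AntivirusSignatureLastUpdated)")
}

# Report: an empty findings list is the only result you should accept before the restore test.
if ($findings.Count -eq 0) { "$env:COMPUTERNAME: OK" } else { $findings | ForEach-Object { "$env:COMPUTERNAME: $_" } }
```

Collect the one-line-per-finding output centrally and the laptop that “fell out of management” shows up as a machine that never reports at all, which is itself the finding.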

That ten-minute exercise surfaces the gaps that dashboards hide: the laptop that fell out of management three months ago, the user who’s been saving everything to the desktop outside the synced folders, the backup that’s been “running” but never tested. Every one of those is the kind of thing you’d rather find on a quiet Tuesday than during an incident.

Pulling it together

A well-set-up remote laptop is patched from the cloud, watched by EDR, encrypted with keys you hold, and arranged so its data lives in managed storage that’s itself backed up. None of it is exotic, and most of it is included in tooling SMEs already license. The work is in setting it up so it holds for a device you’ll rarely, if ever, have in your hands.

That’s our Security Solutions practice. We get remote endpoints patched, monitored, encrypted and backed up, with the reporting that proves it rather than assumes it.

The remote laptop is the easiest part of the estate to forget and the most expensive to lose. Treat it like the small fortress it is, because that’s what it’s carrying.


Wondering whether your remote laptops are actually protected, or just assumed to be? Drop us a note at info@jmopartners.co.uk. One of us will read it.

JMO|Partners · Enterprise IT, sized for SMEs.