Remote Work Security Gaps Still Driving UK Breaches
Despite years of adaptation, organizations are still being breached through remote access blind spots.
Remote and hybrid work are now core components of modern organizational operations. Yet, even after five years of adaptation since the seismic shift brought on by COVID-19, many UK businesses remain vulnerable to security breaches that could easily be avoided.
The prevailing belief that our remote work environments have reached a “mature” state in terms of security often goes unchallenged. Sure, policies have been established, VPN access has been hardened, and multi-factor authentication (MFA) has been rolled out. For many organizations, this marked the end of the security conversation.
However, from an offensive security perspective, the landscape tells a different story.
Attackers are no longer breaching fortified office walls; instead, they’re walking through front doors built on trust, identity, and the process gaps intended to protect organizations. Most businesses only recognize these gaps after they’ve been exploited.
In this post, we delve into why numerous UK organizations continue to overlook the risks associated with remote access. We’ll also highlight how real-world offensive security testing consistently uncovers vulnerabilities that static risk models fail to detect.
Security conversations around remote work have often focused on devices.
The prevailing assumption is that if the laptop is locked down and the VPN is active, the risk is contained. However, in 2025, the real threat is identity misuse, not an unpatched vulnerability.
Identity has become the primary attack surface for remote and hybrid workforces. Credentials are phished, MFA fatigue is exploited, and password resets are targeted through social engineering. The point of compromise is often not the device itself, but the credentials of the person using it or the systems responsible for verifying them.
This challenge is amplified in a world where employees are no longer physically visible. In the office, authentication often relied on simple human validation. You would walk to IT with your staff badge, and access would be granted. That physical presence acted as a form of multi-factor authentication. Now, service desks are tasked with verifying identities remotely, often relying on incomplete data, scripted checks, or a voice on the phone. Attackers are aware of this and are exploiting it.
We have seen countless attack paths succeed where threat actors or red teams simulating them exploit this blind spot. They impersonate staff, request password resets, and gain footholds that would have been impossible in a more controlled, physical environment. For blue teams, this creates a growing challenge. The signals of compromise are subtle when everything appears legitimate on the surface.
Identity misuse does not always trigger alarms. A long-tenured account behaving slightly differently rarely raises suspicion, especially in large, fast-paced environments where locking out a key worker at the wrong moment would disrupt their work and the teams that depend on it.
This shift from vulnerable devices to vulnerable identities is one of the critical blind spots in how organizations approach remote work security today. It is no longer just about securing the environment from traditional vulnerabilities; it is about securing the human and the processes that underpin trust in a remote-first world.
A growing risk in remote and hybrid environments is the erosion of identity assurance. In some cases, the individual accessing your systems is not the person your organization originally hired.
A high-profile example is the rise of North Korean IT worker scams. Here, individuals successfully apply for remote roles under false pretences. Once onboarded, they hand over corporate credentials or physical devices to offshore operators, who carry out the actual work. These operatives often have no verified link to the company and operate with full access under someone else’s name.
In some reported cases, these operators have accessed and exfiltrated data or issued ransom demands once the misuse is discovered. The employee identity becomes a vehicle for unauthorised activity, while the organization remains unaware.
This is not a rare scenario. As more organizations rely on distributed teams, contractors, and global hiring platforms, traditional onboarding processes are struggling to keep up. Most were never designed to verify remote digital identities with the same certainty as face-to-face interactions.
The consequence is a growing exposure gap. When organizations cannot validate who is behind the screen, trust becomes a liability. Without continuous checks throughout the employment lifecycle, there is no reliable guarantee that access remains in the right hands.
Remote work has expanded the boundaries of access. It has also blurred the lines of identity, often in ways that are invisible until it is too late.
As organizations embraced remote and hybrid work models, many expanded their IT support infrastructure, often without re-evaluating how those changes affect identity verification and trust controls. What was once a tightly controlled internal function has, in many cases, become publicly accessible. Service desk numbers are now readily available across websites, onboarding portals, and intranets designed to cater for a dispersed workforce.
This transformation has widened the attack surface, especially in large organizations with transient or distributed staff. Supermarket chains, healthcare providers, and other national employers often rely on publicly accessible service desks. While scalable, this opens the door for attackers.
When anyone can access the support line, the service desk becomes a prime target for social engineering. Attackers can impersonate staff, request password resets, or gather information to escalate their access. In environments where the desk serves hundreds of thousands of users, the likelihood of an attacker reaching someone unprepared to recognize a scam is significantly increased.
From a red team perspective, this vulnerability is both effective and increasingly common. These support pathways rarely feature in traditional vulnerability scans or attack surface assessments, meaning they often go untested until exploited. What was once routine IT support now represents a less visible, but increasingly significant, risk vector.
As modern support processes evolve to meet the demands of hybrid work, the security surrounding them must adapt as well. Without this evolution, organizations risk leaving a crucial layer of identity validation exposed to anyone willing to pick up the phone and ask the right questions.
Bring Your Own Device (BYOD) policies present another significant risk, particularly for smaller or budget-conscious organizations. We’ve encountered situations where employees access corporate environments using personal laptops, often without adequate endpoint visibility or control. Unlike mobile devices, where mobile application management typically enforces containerization or app-level segregation of corporate data, a personal laptop that is not enrolled in device management offers no such separation. Malware, misconfigurations, or simply poor hygiene on that laptop can lead to serious exposure.
The issue isn’t that remote access technology is fundamentally flawed; rather, its security hinges on proper configuration, enforced controls, and consistent validation across every user and device. Without these measures, remote access becomes a fluctuating attack surface, influenced by who is logging in, how, and from where.
For defenders, assuming that remote access is “solved” can lead to overlooking the real risks that linger beneath the surface.
Organizations should regularly reassess how remote access is configured and controlled, particularly as working models evolve.
Most defensive strategies are designed to spot clear anomalies: an exploited vulnerability, an unauthorized device connecting to the network, or lateral movement between systems. However, identity-based attacks often fly under the radar. They operate within expected parameters, leveraging valid credentials, familiar behaviors, and known devices.
From a defender’s standpoint, it’s challenging to raise alarms when nothing seems overtly malicious. A long-time employee logging in at an unusual hour or accessing a new internal system could be perfectly legitimate, or it could be a sign of trouble.
In large or fast-paced environments, the cost of reacting too aggressively to weak signals can be significant. Locking out the wrong user might disrupt a hospital shift, halt a supply chain, or impact customer operations.
This uncertainty creates an opening for attackers. Compromised identities often behave in ways that appear consistent with normal activity, enabling lateral movement or data exfiltration without triggering traditional defenses. Most tooling is tuned for infrastructure misuse, not identity-based threats.
Red teams are keenly aware of this gap. By mimicking trusted users and interacting with systems in plausible ways, they can bypass many automated defenses. These scenarios often evade detection in vulnerability scans and can be tough to replicate in tabletop exercises.
To effectively detect identity abuse, defenders need more than just visibility; they require context. Understanding not only what a user can access but also what they should be accessing, from where, and when is crucial. That means modelling each user’s normal behaviour and comparing access against both that baseline and the entitlements their role actually justifies.
Without this insight, even well-resourced teams will struggle to identify low-noise intrusions that are hiding in plain sight, and even mature security programs will miss subtle indicators of compromise.
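The following is an added example written for this article, not CovertSwarm tooling or any vendor’s detection content. It shows the two kinds of signal discussed above over a constructed event stream: the MFA fatigue pattern (a burst of push prompts ending in an approval) and context scoring of each access against a per-user baseline and a role entitlement list. The user, devices, resources, timestamps and the normalised field names are all assumptions made for the example.

```python
"""Identity-abuse detection over constructed sign-in events.

Added example for this article; it is not CovertSwarm tooling. Every user,
device, resource and timestamp is constructed, and the field names are an
assumed normalised schema, not any particular IdP's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, event, device, resource, user="j.smith"):
    """Build one normalised event (constructed-data helper)."""
    return {"ts": ts, "user": user, "event": event, "device": device, "resource": resource}


# Baseline period: weekday daytime use from one managed laptop.
HISTORY = [
    ev("2025-03-03T09:02:00", "login_success", "LT-0412", "vpn"),
    ev("2025-03-03T09:10:00", "resource_access", "LT-0412", "crm"),
    ev("2025-03-04T08:55:00", "login_success", "LT-0412", "vpn"),
    ev("2025-03-04T14:20:00", "resource_access", "LT-0412", "hr-portal"),
]

# What the role says the user *should* reach (the context the article asks for),
# as opposed to what a permissive share might technically let them reach.
ROLE_ENTITLEMENTS = {"j.smith": {"vpn", "crm", "hr-portal"}}

# Day of compromise: push spam until the victim taps approve, then a new device
# at 02:55 and a finance share the role never needed. The last two events are
# legitimate daytime activity, included to show what is *not* alerted.
NEW_EVENTS = [
    ev("2025-03-10T02:48:00", "mfa_push_sent", "-", "vpn"),
    ev("2025-03-10T02:49:00", "mfa_push_denied", "-", "vpn"),
    ev("2025-03-10T02:50:00", "mfa_push_sent", "-", "vpn"),
    ev("2025-03-10T02:51:00", "mfa_push_denied", "-", "vpn"),
    ev("2025-03-10T02:52:00", "mfa_push_sent", "-", "vpn"),
    ev("2025-03-10T02:54:00", "mfa_push_sent", "-", "vpn"),
    ev("2025-03-10T02:55:00", "mfa_push_approved", "-", "vpn"),
    ev("2025-03-10T02:55:30", "login_success", "WS-9001", "vpn"),
    ev("2025-03-10T03:05:00", "resource_access", "WS-9001", "finance-share"),
    ev("2025-03-10T09:30:00", "login_success", "LT-0412", "vpn"),
    ev("2025-03-10T10:15:00", "resource_access", "LT-0577", "crm"),
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def build_baseline(history):
    """Per-user hours, devices and resources seen in the baseline window."""
    base = defaultdict(lambda: {"hours": set(), "devices": set(), "resources": set()})
    for e in history:
        b = base[e["user"]]
        b["hours"].add(parse_ts(e["ts"]).hour)
        b["devices"].add(e["device"])
        b["resources"].add(e["resource"])
    return base


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_pushes=3):
    """Return (user, pushes_in_window, approval_ts) for approvals that follow a
    burst of pushes. One push then an approval is normal; a burst is not."""
    alerts, sent = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        ts = parse_ts(e["ts"])
        if e["event"] == "mfa_push_sent":
            sent[e["user"]].append(ts)
        elif e["event"] == "mfa_push_approved":
            recent = [t for t in sent[e["user"]] if ts - t <= window]
            if len(recent) >= min_pushes:
                alerts.append((e["user"], len(recent), e["ts"]))
    return alerts


def score_event(e, baseline, entitlements, work_hours=range(7, 20)):
    """Reasons an access deviates from the user's baseline and role context."""
    b = baseline.get(e["user"])
    if b is None:
        return ["no baseline for user"]
    reasons, hour = [], parse_ts(e["ts"]).hour
    if hour not in b["hours"] and hour not in work_hours:
        reasons.append(f"hour {hour:02d} outside baseline and working hours")
    if e["device"] not in b["devices"]:
        reasons.append(f"unseen device {e['device']}")
    if e["resource"] not in b["resources"]:
        reasons.append(f"first access to {e['resource']}")
    if e["resource"] not in entitlements.get(e["user"], set()):
        reasons.append(f"{e['resource']} not in role entitlements")
    return reasons


def run_detection(history, events, entitlements):
    """Combine the push-fatigue rule with context scoring of each access.
    A lone weak signal (the new device at 10:15) is deliberately not alerted,
    reflecting the cost of locking out a key worker on thin evidence; two
    signals, or any access outside the role, is."""
    baseline = build_baseline(history)
    alerts = [{"user": u, "ts": ts, "rule": "mfa_fatigue", "detail": f"{n} pushes before approval"}
              for u, n, ts in detect_mfa_fatigue(events)]
    for e in events:
        if e["event"] not in ("login_success", "resource_access"):
            continue
        reasons = score_event(e, baseline, entitlements)
        if len(reasons) >= 2 or any(r.endswith("role entitlements") for r in reasons):
            alerts.append({"user": e["user"], "ts": e["ts"], "rule": "identity_context",
                           "detail": "; ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for a in run_detection(HISTORY, NEW_EVENTS, ROLE_ENTITLEMENTS):
        print(a)
```

Run as-is it prints three alerts: the push burst, the 02:55 login from an unseen device at an unseen hour, and the finance share access, which also fails the role check. The 09:30 login from the known laptop and the 10:15 access from a new device during working hours produce nothing, because a single weak signal is suppressed by design. The entitlement list is the piece most organisations lack: without it, the finance share access is just "a user opened a share they had permission to", which is exactly the low-noise pattern the article describes.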
In the realm of cybersecurity, many strategies lean heavily on scanning, compliance checks, and assumed control coverage. While these tools are essential to maintain basic security hygiene, they have their limitations. They can confirm that a patch is applied or that multi-factor authentication (MFA) is technically enabled, but they fall short in revealing whether someone can socially engineer your service desk, impersonate an employee, or move laterally within your environment without raising any alarms.
This is where offensive security comes into play. Unlike automated assessments, red team operations challenge assumptions and expose the realities of what happens when an attacker attempts to exploit identity processes, trust relationships, or remote access behaviors that slip through the cracks of standard technical controls.
For instance, no vulnerability scanner can quantify how many support staff might approve a password reset after a convincing phone call. Similarly, no compliance checklist can illustrate how far an attacker can advance once they’ve compromised a legitimate user account. These are the critical gaps that offensive security simulation can uncover.
At CovertSwarm, we regularly identify and execute attack plans that mimic real-world adversaries: targeting identity, exploiting misconfigurations, and rigorously testing internal detection and response mechanisms. Our goal isn’t just to confirm security on paper; it’s to understand how controls perform under genuine pressure.
Without this level of testing, organizations are left to assume that their remote access, identity verification, and internal escalation controls are functioning as intended. In our experience, many are not.
As remote and hybrid work have become the norm, the security strategies supporting them haven’t always kept pace. Identity often remains the weakest link, and support infrastructure designed for scale can introduce new forms of risk.
Confidence in remote access controls is common, but without testing, that confidence is unproven. Offensive security helps reveal where assumptions break and which controls fall short under pressure.
By embedding this level of scrutiny into your approach, you move from theoretical assurance to real-world visibility. That is where resilience begins.