Building a Secure Remote Work Infrastructure in 72 Hours


TL;DR: Most organizations had days, not months, to move their entire workforce remote. I have spent the past three weeks helping clients stand up secure remote environments under extreme time pressure. This article lays out a phased 72-hour framework for building remote work infrastructure security that protects the business without paralyzing it, along with the mistakes I am seeing repeated across industries right now.

Three weeks ago, a manufacturing client called me on a Thursday evening. Their state had just announced a shelter-in-place order effective Monday. They had 400 office employees, a VPN that could handle 50 concurrent connections, and no policy for personal device usage. They needed a plan by morning. This is not a hypothetical scenario from a business continuity textbook. This is Tuesday in April 2020. And remote work infrastructure security has gone from a line item on next year’s IT roadmap to the single most urgent priority in the enterprise.

What follows is the framework I have been using, refined through several rapid deployments over the past few weeks, to help organizations stand up a secure remote work environment in roughly 72 hours. It is not perfect. Perfection is a luxury we do not have right now. But it is structured, defensible, and designed to keep the business running without leaving the front door wide open.

The Reality of a 72-Hour Deployment

Let me set expectations clearly. A 72-hour timeline does not produce a polished, long-term remote work architecture. What it produces is a secure-enough foundation that you can operate on while you build something more permanent over the coming weeks and months.

The distinction matters. I have watched IT leaders freeze because they cannot architect the ideal solution under time pressure. Meanwhile, their employees are accessing corporate systems from home Wi-Fi networks shared with teenagers streaming video and smart refrigerators with firmware from 2016. Done well enough, done fast, is better than done perfectly, done never.

I break the 72 hours into three phases:

  • Phase 1 (Hours 0–12): Triage and inventory
  • Phase 2 (Hours 12–36): Secure access and identity
  • Phase 3 (Hours 36–72): Enable, monitor, and communicate

Phase 1: Triage and Inventory (Hours 0–12)

You cannot secure what you cannot see. The first twelve hours are about getting an honest picture of your current state: not the state described in your last audit report, but the actual state as of right now.

Map Your Critical Systems

Start by identifying the ten to fifteen applications and systems that absolutely must be accessible for the business to function. Not the full application portfolio. Just the essentials: ERP, email, CRM, file storage, communication tools, and whatever line-of-business applications your revenue depends on. For my manufacturing client, it was their ERP system (SAP), email (Exchange on-premises), a custom order management tool, and shared network drives.

For each critical system, answer three questions:

  1. Is it cloud-hosted, on-premises, or hybrid?
  2. Can it be accessed securely from outside the corporate network today?
  3. What is the current authentication method?

This exercise typically takes two to four hours with the right people in the room. It will also surface ugly truths: systems you assumed were cloud-ready that are not, applications with hard-coded IP restrictions, databases that have never been accessed outside the LAN.

Inventory Your Endpoints

How many corporate-managed laptops do you have deployed? How many employees will be working from personal devices? This ratio determines your entire security posture for the next 72 hours.

If you are fortunate enough to have a managed fleet with an MDM solution already in place, your path is significantly easier. If, like many of the companies I am talking to, you have a mix of managed laptops, unmanaged desktops, and employees asking if they can use their iPad, you need a tiered access strategy. I will address that in Phase 2.

Phase 2: Securing Remote Work Infrastructure (Hours 12–36)

This is the core of the work. You have your inventory. Now you need to make access possible without making it reckless.

VPN Capacity and Alternatives

The traditional VPN is the first thing that breaks at scale. Most enterprise VPN concentrators were sized for 10–20% of the workforce connecting simultaneously. We are now asking them to handle 80–100%. The math does not work.

Immediate options:

  • Scale your existing VPN. Contact your vendor about emergency license expansions. Cisco, Palo Alto, and Fortinet have all announced temporary free license extensions in the past two weeks. If your hardware can handle the throughput, this is the fastest path.
  • Split tunneling. This is a calculated trade-off. By routing only corporate traffic through the VPN and letting general internet traffic go direct, you dramatically reduce VPN load. Yes, it increases risk. But a VPN that crashes under load protects nothing. Configure split tunneling with strict DNS controls and endpoint protection as compensating controls.
  • Cloud-based access. For SaaS applications, employees should not be routing through your VPN at all. Ensure direct-to-cloud access is secured with proper identity controls (see below). Every SaaS session you remove from the VPN tunnel is capacity recovered.

Identity Is the New Perimeter

This is not a new concept, but it has never been more literally true than it is this month. When your employees are scattered across hundreds of home networks, the corporate network perimeter is meaningless. Identity โ€” specifically, verified, multi-factor identity โ€” becomes your primary security control.

Multi-factor authentication (MFA) is non-negotiable. If you do one single thing from this article, make it this: enable MFA on every externally accessible system within the next 24 hours. Microsoft reported a 300% increase in cyberattacks targeting remote workers in the first two weeks of March [Source: Microsoft Security Blog, March 2020]. Most of these attacks exploit stolen or weak credentials. MFA stops the majority of them.

For organizations already on Azure AD or Okta, enabling MFA across the board can be done in hours. For those without a centralized identity provider, this is harder but still critical. At minimum, enable MFA on email, VPN access, and any system that touches financial data.

Tiered Access Based on Device Trust

Not all devices are equal, and your access policies should reflect that. Here is the tiered model I have been deploying:

| Tier | Device Type | Access Level | Controls Required |
|------|-------------|--------------|-------------------|
| Tier 1 | Corporate-managed, MDM-enrolled | Full access to all critical systems | MFA, endpoint protection, disk encryption, VPN |
| Tier 2 | Personal device, meets minimum standards | Access to email, collaboration tools, select SaaS apps | MFA, updated OS, antivirus verified, browser-based access only |
| Tier 3 | Unknown or non-compliant device | Email and communication tools only (web-based) | MFA, no local data storage, session timeouts |

This is not ideal. In a perfect world, every employee has a managed device with full endpoint detection and response (EDR). We do not live in that world this week. The tiered model lets you keep the business moving while containing risk to acceptable levels.
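The tiered model is easiest to enforce consistently when it is written down as policy logic rather than left to ticket-by-ticket judgement. The following is an added example, not code from the article or any product; the posture fields, the resource class names (erp, file_share, email, collaboration, saas) and the assumption that ERP and file shares are on-premises behind the VPN are mine.

```python
from dataclasses import dataclass
from typing import Tuple

@dataclass
class Device:
    """Posture facts an MDM or a self-attestation form would supply (constructed for this example)."""
    corporate_managed: bool
    mdm_enrolled: bool
    disk_encrypted: bool
    os_current: bool
    antivirus_verified: bool

# Resource classes each tier may reach, taken from the article's table.
# The class names (erp, file_share, ...) are assumptions for this example.
TIER_RESOURCES = {
    1: {"erp", "file_share", "email", "collaboration", "saas"},
    2: {"email", "collaboration", "saas"},
    3: {"email", "collaboration"},
}
# Assumed to be on-premises, hence reachable only through the VPN (a Tier 1 control).
ON_PREM = {"erp", "file_share"}

def classify(device: Device) -> int:
    """Tier 1 needs the full managed stack; Tier 2 needs the minimum standards; otherwise Tier 3."""
    if device.corporate_managed and device.mdm_enrolled and device.disk_encrypted:
        return 1
    if device.os_current and device.antivirus_verified:
        return 2
    return 3

def authorize(device: Device, resource: str, mfa_passed: bool,
              via_browser: bool, on_vpn: bool) -> Tuple[bool, str]:
    """Evaluate one access request; returns (allowed, reason) so every denial is explainable."""
    tier = classify(device)
    if not mfa_passed:                      # MFA is required at every tier
        return False, "mfa required"
    if resource not in TIER_RESOURCES[tier]:
        return False, f"tier {tier} may not reach {resource}"
    if resource in ON_PREM and not on_vpn:  # only Tier 1 can reach this branch
        return False, "on-premises systems require vpn"
    if tier >= 2 and not via_browser:       # keeps data off unmanaged local storage
        return False, f"tier {tier} is browser-only"
    return True, f"tier {tier} allowed"
```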

Phase 3: Enable, Monitor, and Communicate (Hours 36–72)

By hour 36, you should have secure access paths established for your critical systems. The final phase is about making it work for actual humans and ensuring you can see what is happening.

Monitoring and Visibility

Remote work dramatically expands your attack surface. You need to be watching for anomalies from day one. At minimum, configure alerts for:

  • Login attempts from unusual geographic locations
  • Multiple failed authentication attempts
  • Large data transfers or downloads outside business hours
  • New device enrollments
  • Privilege escalation events

If you have a SIEM in place, update your detection rules to account for the new normal: employees logging in from residential IP ranges is expected now, but an employee logging in from two countries within an hour is not. Adjust your baselines accordingly or you will drown in false positives.
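Three of the alerts in the list above (impossible travel, failed-authentication bursts, new device enrollments) can be expressed as a small detection pass over authentication events, and keying the travel rule on country rather than source IP is what keeps residential IP churn from flooding the queue. This is an added example, not SIEM content from the article; the event format and the sample events are constructed, and the thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events for this example (not real logs):
# (user, ISO timestamp, login country, success, device id)
EVENTS = [
    ("alice", "2020-04-07T08:05:00", "US", True,  "LAPTOP-A1"),
    ("alice", "2020-04-07T08:40:00", "DE", True,  "LAPTOP-A1"),  # US then DE 35 minutes later
    ("bob",   "2020-04-07T02:10:00", "US", False, "UNKNOWN"),
    ("bob",   "2020-04-07T02:11:00", "US", False, "UNKNOWN"),
    ("bob",   "2020-04-07T02:12:00", "US", False, "UNKNOWN"),
    ("bob",   "2020-04-07T02:13:00", "US", False, "UNKNOWN"),
    ("bob",   "2020-04-07T02:14:00", "US", False, "UNKNOWN"),
    ("carol", "2020-04-07T09:00:00", "US", True,  "IPAD-NEW"),   # device never enrolled before
]
# Devices already enrolled per user (constructed).
KNOWN_DEVICES = {"alice": {"LAPTOP-A1"}, "bob": {"DESKTOP-B2"}, "carol": {"LAPTOP-C3"}}

def detect(events, known_devices, travel_window=timedelta(hours=1),
           fail_threshold=5, fail_window=timedelta(minutes=10)):
    """Return (rule, user, detail) tuples. Country changes, not IP changes, drive the
    travel rule, so a home connection rotating addresses does not page anyone."""
    alerts = []
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[1]):   # ISO timestamps sort lexically
        by_user[ev[0]].append(ev)
    for user, evs in by_user.items():
        last_success, fails = None, []
        seen = set(known_devices.get(user, ()))
        for _, ts, country, ok, device in evs:
            t = datetime.fromisoformat(ts)
            if not ok:
                # sliding window of recent failures; alert once the threshold is hit
                fails = [f for f in fails if t - f <= fail_window] + [t]
                if len(fails) >= fail_threshold:
                    alerts.append(("auth_failure_burst", user, f"{len(fails)} failures"))
                    fails = []
                continue
            if (last_success and last_success[1] != country
                    and t - last_success[0] <= travel_window):
                alerts.append(("impossible_travel", user, f"{last_success[1]}->{country}"))
            last_success = (t, country)
            if device not in seen:                    # successful login from a new device
                alerts.append(("new_device", user, device))
                seen.add(device)
    return alerts
```

Only successful logins count toward new-device and travel alerts, so a credential-stuffing burst from an unknown device raises one failure-burst alert rather than three.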

Employee Communication and Training

The best security architecture in the world fails if your employees do not understand it. In the last 36 hours of your deployment, push out clear, concise guidance to every remote worker. Not a 40-page security policy document. A single page that covers:

  1. How to connect to corporate systems (step by step, with screenshots)
  2. What MFA is and how to set it up
  3. What to do if they suspect a phishing email (the volume of COVID-19 phishing campaigns is staggering right now)
  4. Who to call if something goes wrong

I helped one client produce a two-minute video walkthrough for their employees. Support tickets dropped by 60% compared to the text-only instructions they initially sent. When people are stressed and working from unfamiliar environments, simplicity is a security control.

Mistakes I Am Seeing Repeated Right Now

Across the organizations I have spoken with in the past three weeks, certain patterns keep emerging:

Disabling security controls to reduce friction. I understand the impulse. The CEO is calling because they cannot access the system. The temptation to turn off MFA or open firewall ports “temporarily” is enormous. Do not do it. Every temporary exception I have ever seen in my career has become permanent. Find another way.

Ignoring personal device risk. Pretending that personal devices are not accessing corporate data does not make it untrue. Acknowledge the reality and implement the tiered access model. You cannot manage what you refuse to see.

Forgetting about data loss prevention. When employees work from home, corporate data migrates to local drives, personal cloud storage, USB drives, and email attachments. At minimum, restrict the ability to download bulk data from critical systems on Tier 2 and Tier 3 devices. Enable DLP policies in your email and cloud storage platforms.

No plan beyond the first week. The 72-hour deployment is triage. It is not a strategy. If you do not have a 30-60-90 day plan to harden, optimize, and formalize your remote infrastructure, the technical debt will compound quickly. I will write about that longer-term planning process in a future article.

Frequently Asked Questions

How much should we expect to spend on an emergency remote work deployment?

It varies significantly based on your starting point, but most mid-sized organizations I have worked with in the past few weeks have spent between $15,000 and $75,000 on emergency licensing, VPN capacity expansion, and additional cloud subscriptions. The companies that had already invested in cloud-based productivity suites (Microsoft 365, Google Workspace) spent considerably less. The real cost is not the initial deployment; it is the ongoing operational expense of supporting a distributed workforce, which typically runs 15–25% higher than centralized IT operations [Source: Gartner, preliminary COVID-19 IT spending analysis].

Is it safe to allow employees to use personal devices for work?

Safe is a spectrum, not a binary. Allowing personal devices with no controls is reckless. Prohibiting them entirely when you do not have enough corporate hardware to go around means people cannot work. The tiered access model described above is the pragmatic middle ground: limit what personal devices can access, enforce MFA, require browser-based sessions where possible to keep data off local storage, and mandate minimum standards like current OS patches and active antivirus. It is a managed risk, not an eliminated one.

Should we use a zero-trust model for remote access?

Zero trust is the right long-term architectural direction, and this crisis is accelerating its adoption. But implementing a full zero-trust framework in 72 hours is not realistic for most organizations. What you can do immediately is apply zero-trust principles: verify identity explicitly with MFA, grant least-privilege access, assume the network is compromised. Build your tiered access model around these principles now, and plan a more comprehensive zero-trust architecture over the next 90 days once the immediate crisis stabilizes.

What are the biggest cybersecurity threats to remote workers right now?

Phishing is the dominant threat vector, and it is not close. Attackers are exploiting COVID-19 anxiety with emails impersonating the WHO, CDC, and internal HR departments. Google reported blocking 18 million COVID-19-related phishing emails per day in the second week of April [Source: Google Threat Analysis Group]. Beyond phishing, we are seeing increased targeting of VPN vulnerabilities (particularly unpatched Pulse Secure and Fortinet devices), credential stuffing attacks against newly exposed remote access portals, and a rise in business email compromise schemes targeting finance teams working without their usual in-person verification processes.

Looking Forward

Here is what I believe, and I will say it plainly: most of the remote work infrastructure being deployed right now will never be fully decommissioned. Even after the immediate health crisis passes, the economics and employee expectations around remote work have shifted permanently. The organizations that treat this as a temporary inconvenience will rebuild the same fragile systems they had before. The ones that treat it as the beginning of a structural change will build something durable.

The 72-hour framework gets you through the crisis. What matters more is what you do in the weeks that follow โ€” hardening access controls, formalizing BYOD policies, investing in endpoint detection, and re-architecting your network for a workforce that may never be fully centralized again. Remote work infrastructure security is no longer a subset of your IT strategy. For many organizations, it is the IT strategy.

Start with the triage. But plan for the long haul.