Key Takeaways
- Data breaches involving remote work cost an average of $1.07 million more than breaches without a remote factor
- 52% of security incidents in 2025 involved a remote worker device or connection
- 91% of companies now enforce mandatory MFA for all remote access endpoints
- Phishing appears in 36% of all data breaches, and remote workers face a 46% higher risk of voice phishing
- The global remote work security market reached $68.94 billion in 2025 and is projected to hit $83.73 billion in 2026
Remote work delivered real gains in flexibility, talent access, and overhead savings. It also handed attackers a vastly expanded attack surface.
Cyberattacks increased 238% in volume from the start of the pandemic. More than half of all security incidents now involve a remote worker device or connection. Breaches tied to remote access cost organizations over a million dollars more on average. And the tools most companies rely on to secure their distributed teams - primarily traditional VPNs - are increasingly the vectors attackers use to get in.
This article pulls data from IBM, Verizon, Ponemon, Gartner, KnowBe4, Coalition, and others to show where remote work cybersecurity actually stands in 2026.
How many cyberattacks target remote workers?
A large and growing share of all attacks now routes through remote access infrastructure.
52% of security incidents in 2025 involved a remote worker device or connection, according to Verizon's 2025 Data Breach Investigations Report. That is not a niche risk. It is the plurality attack category.
Other figures from 2025 and 2026:
- 20% of organizations experienced a security breach directly caused by a remote worker (Medha Cloud, 2026)
- 38% of all cyberattacks specifically target home routers, VPNs, and remote access infrastructure
- 29% of ransomware attacks in 2025 originated from home office environments
- Organizations face an average of 1,000 remote-work-related cyberattack attempts per month in 2025
- 54% of CISOs report an increase in credential theft tied to remote access tools
Security leaders largely agree on the direction. 92% of IT specialists say remote and hybrid work directly increases cybersecurity threats. 79% of companies believe the growth in remote work is actively hurting their security posture.
Sources: Verizon DBIR 2025; Coalition Cyber Claims Report 2025; Medha Cloud Remote Work IT Statistics 2026; Cybersecurity Insiders
What data breaches involving remote work actually cost
IBM's 2025 Cost of a Data Breach Report sets the global average breach cost at $4.44 million. For U.S. organizations, that figure climbs to $10.22 million, a record high.
Breaches with a remote work component cost an average of $1.07 million more than breaches without one. That gap reflects longer detection timelines, a broader blast radius, and more complicated remediation paths.
The detection problem drives a lot of that cost. On-network compromises get caught faster. Remote endpoint compromises average 228 days to detect, compared to 156 days for on-network incidents - a 46% longer exposure window.
| Breach type | Average total cost | Average detection time |
|---|---|---|
| Global average | $4.44M | N/A |
| U.S. average (2025 record) | $10.22M | N/A |
| With remote work factor | $5.51M | 228 days |
| Without remote work factor | $4.44M | 156 days |
Phishing-related breaches averaged $4.88 million in 2025, up nearly 10% from the prior year. Since phishing is the leading initial access vector for remote worker attacks, that number matters particularly for distributed teams.
Sources: IBM Cost of a Data Breach Report 2025; Ponemon Institute Endpoint Security Report 2025
VPN, MFA, and endpoint protection: where adoption actually stands
Remote security tooling has improved. Gaps remain large enough to matter.
Multi-factor authentication
91% of companies now enforce mandatory MFA for all remote access endpoints. Organizations that do this see 86% fewer credential-based breaches than those relying on passwords alone (Medha Cloud, 2026).
The remaining 9% without mandatory MFA account for a disproportionate share of breach victims. Credential theft is the single most common initial access method across all attack types, which makes password-only authentication a straightforward liability.
VPN usage and where it breaks down
About 86% of organizations use VPN as part of their remote access setup. The numbers around what happens next are harder to look at:
- 62% still rely on traditional VPN as their primary remote access method, despite known limitations
- VPN-related security incidents increased 22% year-over-year in 2025, mostly from unpatched VPN appliances
- VPN compromises accounted for 73% of ransomware intrusions where the entry vector was identified (Coalition 2025 Cyber Claims Report), up from 66% in 2024 and 38% in 2023
- Remote access services broadly were the entry point for 87% of ransomware claims in Coalition's dataset
Endpoint detection and response
EDR solutions are deployed across 57% of remote fleets. The remaining 43% rely on traditional antivirus or the OS defaults.
71% of IT teams report delayed patching on remote endpoints compared to on-premises devices (Ponemon Institute, 2025). Security incidents are 3.5x more likely on unmanaged endpoints than managed ones.
Zero trust adoption
The shift away from VPN-centric architecture is real but still mid-transition:
- 63% of firms adopted zero trust as a core part of their remote strategy in 2025
- 38% have deployed or are actively deploying ZTNA (Zero Trust Network Access) solutions
- Gartner projects that by 2028, 70% of remote access deployments will use ZTNA instead of VPN, up from about 10% in 2023
BYOD and shadow IT
58% of organizations allow BYOD, but only 39% have formal mobile device management policies. The average remote worker uses 3.7 personal devices for work. Each one is a potential unmanaged endpoint with access to company data.
Sources: Medha Cloud 2026; Coalition Cyber Claims Report 2025; Ponemon Institute 2025; Gartner
Phishing: the threat that grows with remote work
Home environments lack the network monitoring, secure email gateways, and ambient peer visibility that tend to reduce phishing success in offices. The data reflects that gap.
Phishing appears in 36% of all data breaches (Verizon DBIR 2025), making it the most common breach category. It is also the initial attack vector in 16% of breaches (IBM 2025). Remote workers face a 46% higher risk of voice phishing attacks compared to in-office staff. Phishing targeting remote workers rose 41% since 2023, driven by home Wi-Fi vulnerability and personal email use. 29% of remote workers admit to using public Wi-Fi for work without a VPN at least once per month.
AI is making the problem worse faster. 82.6% of phishing emails detected between September 2024 and February 2025 used AI - a 53.5% year-over-year increase. CrowdStrike recorded a 442% jump in voice phishing incidents between early and late 2024. Analysts project a 14x increase in AI-generated phishing attacks through 2026.
The dollar cost: global phishing losses total $25 billion annually (SentinelOne, 2026), or roughly $17,700 lost every minute.
Security awareness training does move the numbers. Organizations running quarterly phishing simulations see 65% lower click rates than those without structured programs, according to KnowBe4's Security Awareness Training Report 2025. Annual compliance training, by contrast, shows no consistent effect.
Sources: Verizon DBIR 2025; IBM 2025; CrowdStrike 2025; SentinelOne 2026; KnowBe4 2025; Hoxhunt Phishing Trends Report 2026
What companies are spending on remote work security
The global remote work security market was valued at $68.94 billion in 2025 and is projected to reach $83.73 billion in 2026 (Fortune Business Insights). At a 21.45% compound annual growth rate, the market is expected to exceed $290 billion by 2030.
At the organization level:
- Average annual VPN infrastructure and licensing cost: $142,000 per organization (based on an average of 2.8 VPN concentrators)
- The global EDR market is projected to reach $7.42 billion in 2026
- EDR spend growth reflects the deployment gap still being closed across remote fleets
The arithmetic is not complicated. A single breach at IBM's U.S. average of $10.22 million exceeds years of security infrastructure investment for most mid-market companies. The security budget looks different after you've been breached.
For a broader look at remote work technology investment, see our remote work tools spending statistics for 2026.
Sources: Fortune Business Insights; Grand View Research; Coherent Market Insights; Medha Cloud 2026
Industry breach patterns: remote vs. on-site workforces
Financial services carry the highest breach costs of any sector. IBM's data consistently places financial services at the top, driven by data value and regulatory penalties. Remote access controls face intense regulatory scrutiny, with financial firms required to document controls for every remote access path.
Healthcare combines sensitive data with aging infrastructure. Clinical administrative work shifted substantially remote post-pandemic, expanding attack surfaces without proportional security investment in many organizations. Healthcare also faces the highest ransomware attack rate across all industries.
Technology firms have higher average security maturity but also the most remote-capable workforces. Software and cloud companies tend to rank highest in zero trust adoption and MFA enforcement, which partially offsets the larger attack surface.
Professional services - legal, consulting, accounting - present a different problem. High-value client data, moderate security maturity, and heavy use of freelancers and contractors with internal system access but outside the core perimeter. That combination consistently shows up in breach forensics.
The pattern across all sectors: the further a worker or data path sits from the corporate network, the longer breaches go undetected and the more expensive they are to contain. The 228-day detection average for remote endpoint compromises versus 156 days on-network is not specific to any industry. It is a structural property of distributed infrastructure.
What actually reduces risk
Mandatory MFA has the strongest return of any single control in this dataset - 86% fewer credential-based breaches for organizations that enforce it universally. MFA alone does not stop everything, but the cost of enforcing it is low enough that organizations still running password-only remote access are making an expensive bet.
Quarterly phishing simulations cut click rates by 65% (KnowBe4 2025). Annual compliance training does not. The difference is frequency and specificity. Checkbox exercises clear the audit. Scenario-based simulations change behavior.
EDR on every remote device addresses a gap that shows up in breach forensics constantly. 71% of IT teams report delayed patching on remote endpoints. Security incidents are 3.5x more likely on unmanaged devices than managed ones. The cost of universal EDR deployment is much smaller than the cost of a single undetected compromise running for 228 days.
Moving from VPN to ZTNA is the migration most security teams are planning but fewer have completed. VPN compromises drove 73% of ransomware intrusions in Coalition's 2025 data, up from 38% in 2023. At some point "still on VPN" stops being an architecture choice and starts being a liability disclosure.
Formalizing BYOD policy is the easiest fix that most organizations have not done. 58% allow personal devices. 39% have MDM. Every device in that gap is an unmanaged endpoint with access to company data and no enforced patch schedule.
For broader context on managing distributed teams, see our remote work statistics for 2026 and guide to remote work best practices.
If you are evaluating whether to use a virtual assistant service or a distributed team model, the security baseline is part of that calculation.
Sources
- IBM Cost of a Data Breach Report 2025 (ibm.com/reports/data-breach)
- Verizon Data Breach Investigations Report 2025 (verizon.com/business/resources/reports/dbir)
- Coalition Cyber Claims Report 2025
- Medha Cloud Remote Work IT Statistics 2026 (medhacloud.com/blog/remote-work-it-statistics-2026)
- Ponemon Institute Endpoint Security Report 2025
- KnowBe4 Security Awareness Training Report 2025
- Gartner Zero Trust and ZTNA Forecast
- CrowdStrike 2025 Global Threat Report
- SentinelOne Cybersecurity Statistics 2026
- Hoxhunt Phishing Trends Report 2026
- Fortune Business Insights Remote Work Security Market 2026
- Grand View Research Endpoint Detection and Response Market
- Coherent Market Insights Remote Work Security Market 2025
- Zscaler State of Zero Trust Transformation 2025
- Cybersecurity Insiders Remote Work Security Report
- Embroker Cyber Attack Statistics 2025
- Spacelift Cybersecurity Statistics 2026 (spacelift.io/blog/cybersecurity-statistics)