Threat Modeling for Remote Workers
Not everyone needs the same level of security. A freelance writer and an investigative journalist face very different threats. Here's how to assess your actual risk level and build the right security stack.
Updated
Protect yourself
Our Top 5 VPN Picks
Chosen after real-world testing across speed, privacy, and streaming. Each ranking is independent — we buy every VPN at retail and test it ourselves.
EDITOR'S PICK
Best Overall
NordVPN
★★★★☆4.8/ 5
Fastest speeds, audited no-logs, 6000+ servers
✓Audited no-logs policy✓Threat Protection blocks malware✓10 devices per account✓30-day money-back guarantee
★ Save 76% + 3 mo. FREE
was $12.99/mo
$3.09/mo
30-day money-back guarantee
Read full NordVPN review
Best for Unlimited Devices
Surfshark
★★★★☆4.6/ 5
Unlimited devices, CleanWeb blocker, 100+ countries
✓Unlimited simultaneous devices✓CleanWeb ad & malware blocker✓RAM-only server network✓30-day money-back guarantee
★ Save 73% + 3 mo. FREE
was $6.58/mo
$1.78/mo
30-day money-back guarantee
Read full Surfshark review
Best for Privacy
Proton VPN
★★★★☆4.5/ 5
Swiss privacy laws, open-source, free tier
✓Swiss jurisdiction (no data laws)✓Open-source and audited✓Secure Core multi-hop✓Free tier available forever
Best Budget
FastestVPN
★★★★☆4.2/ 5
Lifetime plans, 10 devices, ad blocker
✓Lifetime deal available✓10 devices per account✓Built-in ad blocker✓No-logs policy
Best for Streaming
IPVanish
★★★★☆4.4/ 5
Unlimited devices, streaming-optimized, audited no-logs
✓Unlimited simultaneous connections✓Audited no-logs policy✓Streaming and Kodi optimized✓SOCKS5 proxy included
We earn a commission when you click “Get” buttons, at no extra cost to you. Read our affiliate disclosure
Security Profiles
Standard Remote Worker
MediumMain ThreatsISP monitoring, public Wi-Fi attacks, phishing, weak passwords
Recommended StackVPN (NordVPN/FastestVPN), password manager, 2FA (authenticator app), software updates
Probably OverkillTor, Tails OS, hardware security keys for every account
Freelancer Handling Client Data
Medium-HighMain ThreatsData breaches exposing client info, insecure file sharing, phishing targeting invoices
Recommended StackVPN, password manager, 2FA, encrypted file sharing (Proton Drive), client data encryption, cyber insurance
Probably OverkillAir-gapped computers, Faraday bags
Executive / Decision Maker
HighMain ThreatsSpear phishing, CEO fraud, business email compromise, targeted attacks, deep fakes
Recommended StackVPN with dedicated IP, hardware security keys (YubiKey), encrypted communications (Signal), executive protection training
Probably OverkillTor for daily browsing (too slow for work)
Journalist / Activist
Very HighMain ThreatsState surveillance, targeted hacking, device seizure at borders, source protection
Recommended StackVPN (Proton VPN/Proton), Tor Browser, Signal, full-disk encryption, hardware keys, Tails OS for sensitive work, travel devices
Probably OverkillNothing is overkill at this threat level
Developer with Production Access
HighMain ThreatsSupply chain attacks, credential theft, compromised CI/CD, insider threats
Recommended StackVPN, hardware security keys, signed commits, secrets manager, least-privilege IAM, endpoint detection
Probably OverkillDisconnecting from internet entirely
The Universal Baseline (Everyone)
Regardless of your threat level, everyone should have:
1. Password manager with unique passwords
2. 2FA on email and critical accounts
3. VPN on all devices
4. Full-disk encryption enabled
5. Automatic software updates
6. Regular backups (3-2-1 rule)
Frequently asked
Frequently Asked Questions
Threat modeling is the process of identifying what you're protecting, who might attack you, how they might attack, and what defenses are proportionate. It prevents both under-protection (leaving real risks unaddressed) and over-protection (wasting time and money on unlikely threats).
If you're a standard remote worker using a VPN, password manager, and 2FA — you've covered 95% of realistic threats. You don't need Tor for checking email. Match your security to your actual risk level, not your anxiety level.
Ask yourself: (1) What data do I handle? (personal, client, financial, classified), (2) Who would want to access it? (opportunistic hackers, competitors, governments), (3) What would happen if it was exposed? (embarrassment, financial loss, legal liability, physical danger). Higher stakes = higher threat level.
Keep reading