April 4th, 2008, 01:18 PM
#4
I supported workers both at home and in the field at a mfg'ing company for over a year. Mostly sales reps, some engineers. They were primarily using company-issued computers, mostly laptops, some desktops, though many workers used their own PCs to work from home after hours. The company had PPTP set up with Active Directory. That was pretty much the extent of our security, other than antivirus. No RADIUS server.
There were numerous weaknesses with that setup. One was PPTP, often considered a less-than-ideal VPN setup. And then a lot of these guys were bringing in their company-owned PCs or laptops chock-full of spyware. Spybot picked up 1900+ pieces of spyware on one sales rep's computer. The guy acted like it was no big deal, but I thought it was a personnel issue and suggested so. I was PO'ed with the user's nonchalance. Another user, a field engineer, was having problems left and right with his laptop; I got it in and found it full of warez. Again, a personnel issue. And of real concern, to me anyway, was the number of users who were onsite in China and to what extent they were subject to packet sniffing there. But that wasn't my dep't.
The crux of the problem from my point of view was the company had been rolled over several times into new ownership and IT had gone from a state-of-the-art Microsoft shop to a hodge-podge of old hardware and software in just 4 years' time. IT had been cut from 30 employees to maybe 5 people before being outsourced to my employer. Even though we had an AUP in place, there were no teeth in enforcing the thing. But having said that, IT was very much in transition while I was there. Spending, or the lack of it, was a serious issue.
The mfg'er was privately-held and not subject to Sarbanes-Oxley, but it was an ITAR (defense-related) facility. It certainly costs more to secure and support home workers than workers onsite. If you're going to do it right, anyway. So I'm not so sure it's win/win in that respect. Frankly I was shocked at some of the security issues onsite as well, but I won't go into that. Generally, our remote users didn't feel any responsibility for security, which may be a training issue as well as a policy issue too. I don't know how you train users who don't give a feck, except to throw the book at them.
“Everybody is ignorant, only on different subjects.” — Will Rogers