Some IT environments are designed to cope with that kind of scenario, are very secure, with two-stage authentication including passwords that require change regularly, encryption and 24/7 monitoring. But that is not the norm. Where your service providers are handling your sensitive information, it is certainly prudent to check whether that information is secure both within that service provider’s ordinary environment but particularly where people are accessing and processing your information remotely. With IT structures facing unexpected pressure, your enquiries should also include the backup arrangements employed by the service provider.
Where you are the service provider, it is self-evident that you must comply with your contractual obligations. Moreover when handling electronic information (especially personal information) and communicating electronically, you must act reasonably. Allowing external access to your systems without sufficient security by employees working from home is probably not what a reasonable business person would do and that could create an opportunity for cyber criminals. Where you act unreasonably and third parties suffer a loss as a result, you will be exposed to claims for damages.