Social Engineering: Getting to the network… (Part 2)

When I am doing penetration testing using social engineering, everyone expects that I will attack the company at its headquarters. I don't really understand why everyone assumes that. It looks to me as if everyone thinks that the location that usually holds most of the servers and all the data, and is the most populated, would be the most likely target.

From the perspective of a hired attacker, the headquarters is usually the last location where I would try to break in. Companies usually spend a lot of money securing the headquarters (e.g. technical security, guards or receptionists in the lobby, etc.).

On the other hand, remote locations are usually not so heavily guarded, if at all. I often find servers (including domain controllers) unprotected and easily accessible to just about anyone. Employees at remote locations are usually also less security-aware.

But once inside a remote location, it is in general pretty easy to get access to corporate data, just as if I were sitting at the headquarters. These days I find that most networks are flat, with no firewalls or access rules that would prevent access even to resources that are not needed from remote locations.

When thinking about the security of your network, don’t forget about remote locations! If remote locations have access to data and services at the headquarters, the security of any such remote location is just as important as the security of the headquarters. Remember, "hackers" are in general not really known for "playing by the rules". They will not attack you only at your headquarters either...
