Working in home office & Cyber and Information Security: What to watch out for
- Created by TUEV AUSTRIA
Due to the Corona crisis, more people than ever before are currently working from their home office. With the increased volume of home offices, hacking attempts in this context are increasing and so are the risks.
André Zingsheim has been working for TÜV TRUST IT TÜV AUSTRIA for many years as an experienced security expert and as a BSI-certified penetration tester. He regularly conducts comprehensive and complex security analyses for companies of different industries and sizes.
We interviewed him about the current situation of the increased home office volume in companies and the associated risks.
André, which technical requirements should be met in order to be able to work securely in the home office?
"Essential for working in the home office is the existence of a functioning VPN connection, unless the company is completely in the cloud. This allows me to dial into the corporate network as if I were in the office. To make it secure, this login process should be additionally secured, for example with certificates or a multi-factor authentication.
For the VPN itself, only state-of-the-art cryptographic procedures should be used, e.g. BSI TR-02102. If companies are not sure whether their VPN solution is secure, they should seek advice from security experts and, if necessary, have a security check carried out."
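An added example, not from the interview or from TÜV AUSTRIA: a small Python audit of an OpenVPN server configuration against a simplified allowlist of the cipher, hash and TLS settings that TR-02102 favours (AEAD ciphers, SHA-2, TLS 1.2+). The allowlist and the two sample configs are assumptions constructed for illustration, not a complete reading of the standard.

```python
# Simplified allowlist (ASSUMPTION, derived from BSI TR-02102 and reduced to
# what an OpenVPN server config exposes; not a full reading of the standard).
ALLOWED_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM"}  # AEAD only
ALLOWED_AUTH = {"SHA256", "SHA384", "SHA512"}                    # no SHA1/MD5
MIN_TLS = (1, 2)                                                 # TLS 1.2 or newer


def parse_openvpn(text):
    """Return {directive: [args]}; '#' and ';' start comments, last one wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            cfg[parts[0]] = parts[1:]
    return cfg


def audit_openvpn(text):
    """Return a list of findings; an empty list means all checked directives pass."""
    cfg = parse_openvpn(text)
    findings = []
    # Data channel: legacy 'cipher' and the negotiated list ('data-ciphers' in 2.5+).
    cipher_dirs = [d for d in ("cipher", "data-ciphers", "ncp-ciphers") if d in cfg]
    if not cipher_dirs:
        findings.append("no cipher directive set; version-dependent default applies")
    for d in cipher_dirs:
        for c in ":".join(cfg[d]).split(":"):
            if c.upper() not in ALLOWED_CIPHERS:
                findings.append(f"{d}: {c} is not an allowed AEAD cipher")
    # HMAC used for the control channel; OpenVPN defaults to SHA1 when unset.
    auth = cfg.get("auth", ["SHA1"])[0].upper()
    if auth not in ALLOWED_AUTH:
        findings.append(f"auth: {auth} is below SHA-256")
    # Minimum TLS version must be set explicitly and be at least 1.2.
    tls = cfg.get("tls-version-min")
    if not tls or tuple(int(x) for x in tls[0].split(".")) < MIN_TLS:
        findings.append("tls-version-min missing or below 1.2")
    # Control-channel hardening: tls-crypt encrypts, tls-auth authenticates.
    if "tls-crypt" not in cfg and "tls-auth" not in cfg:
        findings.append("no tls-crypt/tls-auth: control channel not hardened")
    # The interview's point on certificates: 'verify-client-cert none' means password-only login.
    if cfg.get("verify-client-cert", ["require"])[0] != "require":
        findings.append("client certificates not required for login")
    return findings


# Constructed sample configs (not real deployments): a weak one and a hardened one.
WEAK = "port 1194\nproto udp\ndev tun\ncipher BF-CBC\nauth SHA1\nverify-client-cert none\n"
HARDENED = ("port 1194\nproto udp\ndev tun\ndata-ciphers AES-256-GCM:AES-128-GCM\n"
            "auth SHA256\ntls-version-min 1.2\ntls-crypt ta.key\nverify-client-cert require\n")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_openvpn(conf) or ["OK"])
```

The audit only reads the directives a config states, so a passing result still says nothing about the server's OpenVPN version, patch level or key material; that is where the external security check the interview recommends comes in.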
What else needs to be considered?
"The focus of consideration should also be on all means and channels of communication used by employees for work in the home office. First of all, a secure means of conducting remote meetings is essential. There are a whole range of solutions on the market here, which should be examined more closely and then selected with care.
Another important topic that should not be forgotten is cloud services, as these are now used by almost all companies. These should of course be designed to be just as demonstrably secure, especially in the current situation, in which cloud services are often established "on the fly" due to time constraints and lack of personnel resources.
In addition, the secure use of mobile phones should also be taken into account. Especially if employees are not equipped with company mobile phones, caution is advised. For example, if employees redirect their landline phone from the office to their private cell phone in order to be reachable, there is a risk of data protection and information security problems. Especially the implementation of a 2-factor authentication requires another secure terminal device such as a company mobile phone".
What other organizational measures should I take as a company?
"First and foremost, general rules of conduct for work in the home office. Many companies whose employees have been working from the home office for a long time already have such rules in an existing user policy or similar.
However, if such rules of conduct do not yet exist, they should be created as soon as possible. Above all, these rules should include how I handle confidential and sensitive information and data. This includes, for example, locking my laptop at home when I leave the workplace (see Privacy & Compliance).
In addition, the corona crisis in general is causing a great deal of uncertainty among many people. For hackers this is of course a favourable situation, so that at the moment there are particularly many phishing emails in circulation and the number of malicious websites is also increasing. Therefore, a special focus should be placed on employee awareness. Employees must be regularly informed about attack possibilities and the constantly changing threat situation. In this context, it is also important that IT is easily accessible for queries."
What other precautions can an employee take to work safely from the home office?
"Basically, I should behave in the home office in the same way as in the office. If employees work with sensitive information and/or data in paper form, they should keep it safe, for example in a lockable cabinet. Safe disposal, e.g. using a shredder, should also be ensured. If this option is not available, the employer should provide it or consider alternative work processes at this point.
Physical access protection should also be a priority: windows should be closed when leaving the apartment, and if necessary doors should be closed inside the apartment, but this also depends on the individual living situation (e.g. a shared apartment). By the way, these aspects should also be reflected in a code of conduct."
How would you describe the current overall situation on the topic of home office vs. information security? Do many companies still have some catching up to do in this area?
"In many companies, working from the home office has long been the norm and is also well organized, both in terms of employee equipment and information security. Nevertheless, there are just as many companies that are not yet able to react adequately to the new challenge of the "home office" at the present time. In particular, the massive increase in home office users has already led to disruptions at some companies due to the increasing load.
For some of them, it will certainly be the case at the moment that home office facilities had to be created in order to enable "social distancing" during the Corona crisis. In this case, an attempt should be made to concentrate on the essentials: finding a secure VPN connection and alternatives for work processes that cannot be safely executed from the home office."