IT Security In The Home Office – What Should Be Considered?


You have certainly read several articles with very good recommendations on IT security in the home office over the last few days. We have read them too and would like to add a few more helpful points.


Tips For Employees: How Can Each Of Us Increase The Security In The Home Office?

Employees should actively seek guidance so that they protect both their own IT security and the company's while working from home. Here are a few essential tips to follow:

 

1. Policies

Ask whether a company-wide security policy for teleworking exists and whether it is up to date.

 

2. Devices

Inform your supervisor and the IT department about any devices taken from the workplace for use in the home office, and ask how they should be handled.

 

3. Updates

Check for updates (OS and installed software) every day and install them before starting any work.

 

4. Internet connection

Use the following setup if you handle sensitive information over the internet and/or cannot guarantee a secure connection at home (e.g. no VPN, or untrusted devices on the same network). Check with your IT department.
If your company provides a data card, use the following connection order (most to least preferred) for best security:

data card => private WLAN => hotspot of mobile phone

Switch off other devices in your WLAN if possible.
Otherwise, security-aware employees can use the following order:

private WLAN => data card => hotspot of mobile phone

 

5. Communication

Where an information classification policy exists and is enforced, documents above a given classification level (e.g. internal, confidential or strictly confidential) should only be sent as encrypted emails or as encrypted zip files, with the password delivered over a second channel such as SMS. This procedure also has to be agreed with the recipient by phone beforehand.

Secure email communication can be achieved using S/MIME or PGP encryption.

If no information classification policy exists, ask your supervisor to define how GDPR compliance is to be ensured while teleworking.
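The encrypted-file workflow from point 5, as an added example that is not part of the SEC Consult article: a random passphrase is generated for delivery over the second channel (SMS), the document is encrypted with it, and a SHA-256 fingerprint of the ciphertext is produced for the recipient to read back during the agreed phone call. It assumes the openssl command-line tool (version 1.1.1 or newer); file names and the sample document are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article). Requires the openssl CLI >= 1.1.1.
set -eu

# make_passphrase: 24 random bytes as base64 (32 characters). This string is what
# goes out via SMS; it must never travel in the same mail as the attachment.
make_passphrase() {
    openssl rand -base64 24
}

# encrypt_doc PLAINTEXT CIPHERTEXT PASSPHRASE
# AES-256-CBC with PBKDF2 (200k iterations) and a random salt. openssl enc offers no
# AEAD mode, so integrity is provided out of band by the fingerprint below.
encrypt_doc() {
    openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2" -pass "pass:$3"
}

# decrypt_doc CIPHERTEXT PLAINTEXT PASSPHRASE
decrypt_doc() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass "pass:$3"
}

# fingerprint FILE -> hex SHA-256 of the file. Sender reads it out on the phone call,
# recipient compares before typing the passphrase, so a swapped attachment is noticed.
fingerprint() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# roundtrip_demo: runs the whole workflow on a constructed sample document.
# Returns 0 when the fingerprint matches and the decrypted file equals the original.
roundtrip_demo() {
    tmp=$(mktemp -d)
    # constructed sample document
    printf 'Classification: confidential\nQ2 figures attached.\n' > "$tmp/report.txt"

    # --- sender side ---
    pw=$(make_passphrase)                       # -> SMS to the recipient
    encrypt_doc "$tmp/report.txt" "$tmp/report.txt.enc" "$pw"
    sent_fp=$(fingerprint "$tmp/report.txt.enc") # -> read out on the phone

    # --- recipient side ---
    if [ "$(fingerprint "$tmp/report.txt.enc")" != "$sent_fp" ]; then
        rm -rf "$tmp"
        return 1                                # attachment does not match: stop here
    fi
    decrypt_doc "$tmp/report.txt.enc" "$tmp/report.out" "$pw"
    if cmp -s "$tmp/report.txt" "$tmp/report.out"; then ok=0; else ok=1; fi

    rm -rf "$tmp"
    return $ok
}
```

A wrong passphrase normally makes openssl abort with "bad decrypt", but that is only a padding check, not authentication; the fingerprint exchanged over the phone is what actually ties the attachment to the sender. Classic ZipCrypto archives (e.g. `zip -e`) should not be used for this purpose, as that scheme is known to be weak.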

 

6. Physical protection

Clear communication is key, especially with the people living in the same house/flat. They should be informed of the importance of information privacy, GDPR and your obligations to the company. You can also actively reduce the risk by locking the screen every time you leave the device unattended.

Protect documents from third parties and lock them away in a secure place whenever you leave your seat/workplace.

Only connect external media and devices that IT has previously approved to your work computer; this includes USB drives of any kind.

People living in your flat should be informed on the importance of information privacy, GDPR and your obligation to the company.
Ulrich Fleck, SEC Consult Group

7. VPN vs. No-VPN

There are many sources on VPNs; our last article discusses, among other vulnerabilities, the gaps that introducing a VPN service into teleworking can open up.

If an internet outage is possible or no VPN service is available, data can be kept locally after prior consultation with the supervisor and the IT department. Back it up regularly. Once the work is finished, transfer the data securely to the company network and delete it securely from the local device, again with help from the IT department. The process must comply with the GDPR where applicable.

 

8. Telework software

The software required for telework should be approved by the IT department (which should in particular check the software's IT security track record), and IT should provide links to the official download sources so that no malicious middleman can substitute a tampered copy.


9. Secure channel

During this time fraudsters are impersonating the most senior people in a company so that employees do not question their demands; CEO fraud and deepfake voice fraud are examples. Important transactions and information transfers should therefore be confirmed via a secure channel. This channel should be known to all employees involved and be used for verification.

 

10. Anti-Virus Protection

Ensure protection against malware in consultation with IT, e.g. an up-to-date version of the anti-virus software.

 

11. Private Usage

Do not use company devices and media privately without written permission; switch to a private device for such tasks instead.


Tips For Managers: What Do Employees Need To Increase IT Security While Working From Home?

Leading the company in these difficult times requires a clear action plan, backed by a good strategy. Here are a few tips for the managers:

  1. Improve employee security awareness using a secure channel, and apply security best practices when doing so, e.g. avoid messages that require users to click a link, to reduce the risk of phishing.
  2. Keep records of devices used externally, determine the permitted period of external use based on their criticality, and review these records regularly.
  3. Devices above a certain criticality should be encrypted by default (full-disk encryption).
  4. Offline use should exclude highly sensitive information where possible, and written consent from the supervisor should be mandatory.
  5. Inform employees about the incident handling procedures and ensure their cooperation, as the risk has shifted outside the company.

 

The German BSI offers a good overview of the topics that need further attention when employers plan to introduce teleworking:

  1. Regulations for teleworkers / Security policies for teleworking
  2. Raising awareness of teleworkers
  3. Access and access protection
  4. Security requirements for the IT systems used for teleworking / hardening of the IT systems used
  5. Encryption of portable IT systems and storage devices
  6. Use of screen protectors
  7. Secure remote access to the institution’s network
  8. Data backup
  9. Timely notification of loss
  10. Support for teleworkers
  11. Working with external IT systems / networks
  12. Disposal of confidential information
  13. Dealing with official documents when there is an increased need for protection at the telework station
  14. Unambiguous verification
  15. Beware of phishing

Important update regarding the current Corona / Covid-19 pandemic

All our Teleworking Security Assessments can be carried out remotely by our security experts, protecting both the customer's employees and our own.

Would you like to improve your home office cyber security with the experts from SEC Consult?