- On 5. Apr 2020
You have certainly read some articles with very good recommendations on IT security in the home office over the last few days. We have also looked at these articles and would like to add a few more helpful points.
Tips for employees: HOW CAN EACH OF US INCREASE THE SECURITY IN THE HOME OFFICE?
Employees should actively seek guidance to ensure both their own IT security while working and that of the company. Here are a few essential tips to follow:
Ask whether there is a company-wide security policy for teleworking and whether it is up to date.
Inform your supervisor and the IT department about any devices taken from the workplace for use in the home office, and ask how they should be handled.
Check for updates (OS and installed software) every day and install them before starting any work.
4. Internet connection
Use the following setup if you handle sensitive information over the internet and/or cannot ensure a secure connection at home, e.g. via VPN or with respect to the other devices connected. Check with your IT department.
If your company provides a data card, use the following connection order for best security (most preferred first):
data card => private WLAN => hotspot of mobile phone
Switch off other devices in your WLAN if possible.
Otherwise, security-aware employees can use the following order:
private WLAN => data card => hotspot of mobile phone
If an information classification policy is available and enforced internally, documents of a certain classification (e.g. internal, confidential and strictly confidential) should only be sent as encrypted emails or encrypted zip files, with the password delivered over a second channel, e.g. SMS. This method also requires prior arrangement by phone.
Secure email communication can be achieved using S/MIME or PGP encryption.
If no information classification policy is available, ask your supervisor to define how GDPR adherence can be ensured during telework.
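The "encrypted file by email, password by a second channel" arrangement above, as an added example that is not part of the original article: a small POSIX shell workflow that generates a passphrase, encrypts the document with the openssl CLI (assumed to be OpenSSL 1.1.1 or later, for the -pbkdf2 and -iter options), and checks that the passphrase has not been left in a file next to the archive, where it would travel in the same email. File names and the sample document are constructed.

```shell
#!/bin/sh
# Added example, not the article's or any vendor's code. Assumed tooling:
# the openssl CLI (1.1.1+ for -pbkdf2/-iter) and a POSIX shell.

# Generate a random passphrase. This value goes over the SECOND channel
# (SMS or a phone call arranged beforehand); it is never placed in the
# same email as the encrypted file.
gen_passphrase() {
    # 24 random bytes -> 32 base64 characters, no line break
    openssl rand -base64 24 | tr -d '\n'
}

# encrypt_for_transfer <plaintext-file> <output-file> <passphrase>
# The passphrase is handed to openssl via an environment variable rather
# than on the command line, so it does not appear in the process list.
encrypt_for_transfer() {
    TRANSFER_PASS="$3" openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
        -in "$1" -out "$2" -pass env:TRANSFER_PASS
}

# decrypt_transfer <encrypted-file> <output-file> <passphrase>
decrypt_transfer() {
    TRANSFER_PASS="$3" openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass env:TRANSFER_PASS
}

# passphrase_not_beside_archive <encrypted-file> <passphrase>
# Pre-send check: returns 1 if the passphrase was written into any file in
# the archive's directory (e.g. a "password.txt" that would then be attached
# to the same email, defeating the second channel).
passphrase_not_beside_archive() {
    dir=$(dirname "$1")
    if grep -rqF -- "$2" "$dir" 2>/dev/null; then
        return 1
    fi
    return 0
}

# Demo with a constructed document (the directory is removed afterwards).
workdir=$(mktemp -d)
printf 'Classification: confidential (constructed sample)\n' > "$workdir/report.txt"
pw=$(gen_passphrase)
encrypt_for_transfer "$workdir/report.txt" "$workdir/report.txt.enc" "$pw"
if passphrase_not_beside_archive "$workdir/report.txt.enc" "$pw"; then
    echo "ok: send report.txt.enc by email and the passphrase by SMS"
fi
rm -rf "$workdir"
```

The recipient runs decrypt_transfer with the passphrase received by SMS. Keeping the passphrase out of the command line and out of any file beside the archive are the two points where this arrangement usually breaks in practice.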
6. Physical protection
Clear communication is key, especially with the people living in the same house/flat. They should be informed about the importance of information privacy, GDPR and your obligations to the company. You can also actively decrease the risk by locking the screen each time the device is left unattended.
Protect any documents from third parties and lock them away in a secure place when you leave the seat/workplace.
Only connect external media and devices to your work computer that have previously been approved by IT, including USB drives of any form.
7. VPN vs. No-VPN
There are several sources on VPNs, and our previous article shows, among other vulnerabilities, the possible gaps that introducing a VPN service into teleworking can open.
If there is a possibility of an internet outage or no VPN service is available, data can be kept locally after prior consultation with the supervisor and IT department. Regular backups should be made. After the work is finished, the data should be securely transferred to the company network and securely deleted locally, again with the help of the IT department. The process should comply with GDPR where necessary.
8. Telework software
The software required for telework should be approved by the IT department (in particular, check the IT security track record of the software being used), and IT should provide links to the official sources, so that no malicious middleman can substitute the software.
9. Secure channel
During this time, fraudsters are impersonating the highest authorities of a company so that employees do not question their demands. Examples are CEO fraud and deepfake voice fraud. Important transactions and information transfers should therefore be confirmed via a secure channel. This channel should be known to all necessary employees and be used for verification purposes.
10. Anti-Virus Protection
Ensure protection against malware in consultation with IT, e.g. a current version of anti-virus software.
11. Private Usage
No private use of company devices and media without written permission. Better to switch to a private device for these tasks.
Tips for managers: WHAT DO EMPLOYEES NEED TO INCREASE IT SECURITY WHILE WORKING FROM HOME?
Leading the company in these difficult times requires a clear action plan, backed by a good strategy. Here are a few tips for the managers:
- Improve employee security awareness via a secure channel. Follow security best practices, e.g. don’t send messages that require users to click a link, to reduce the risk of phishing.
- Keep records of devices used externally, determine the period of external use based on their criticality, and review the records regularly.
- Devices of a certain criticality should be encrypted by default.
- Offline use should exclude highly sensitive information where possible, and written consent from the supervisor should be mandatory.
- Inform employees about the incident handling procedures and ensure their cooperation, as the risk is shifted outside the company.
The German BSI offers a great overview of the topics that need further attention when employers plan on introducing teleworking:
- Regulations for teleworkers / Security policies for teleworking
- Raising awareness of teleworkers
- Access and access protection
- Security requirements for the IT systems used for teleworking / hardening of the IT systems used
- Encryption of portable IT systems and storage devices
- Use of screen protectors
- Secure remote access to the institution’s network
- Data backup
- Timely notification of loss
- Support for teleworkers
- Working with external IT systems / networks
- Disposal of confidential information
- Dealing with official documents when there is an increased need for protection at the telework station
- Unambiguous verification
- Beware of phishing
Important update regarding the current Corona / Covid-19 pandemic
All our Teleworking Security Assessments can be carried out remotely by our security experts, protecting both the customer’s employees and our experts themselves.