Home office as a risk for IT security?
Jul 09, 2022
The home office has become firmly established in the working world. It is therefore important to adapt the IT infrastructure in a timely and sustainable manner so that security is not neglected.
Due to the Corona pandemic, working in a home office has become the norm in many industries, even in areas where it previously seemed practically impossible. Whereas companies often had to improvise at the beginning of the first lockdown in order to maintain their own operations, work processes have now become established. It is not uncommon for home offices to be offered on a permanent basis or in parallel to work in the company building. Now, at the latest, is therefore the time to look at IT security at these outsourced workplaces. For those responsible, it is a challenging task to take into account the different requirements of the employees and to connect their IT infrastructure securely and comfortably to the company network. We would like to give you a brief overview of what you should pay attention to.
Home office and IT security: these are the problem areas
When working from a desk at home, sensitive data leaves the sphere of influence of the IT administration. It is difficult to assess the situation of the individual employee at home with regard to data protection and unauthorised access by third parties.
Concrete dangers are:
- The loss of data carriers or mobile devices containing company data due to theft or accidental loss.
- Data protection conflicts due to a lack of separation of the home office from family members and third parties.
- Compromise of the transport route when exchanging data between company computers and poorly secured home networks.
- Spying on data through phishing and social engineering, for example by criminals posing as employees in the home office in phone calls or e-mails.
- Mixing business and private data by using employees' private computers, cloud storage or mail accounts for convenience.
- An increase in the points of attack for hackers if the company network has to be opened for access from the outside.
- Introduction of malware when exchanging data between the company network and private networks.
Security for the home office
The home office offers advantages for employers and employees. For example, resources such as office space can be permanently saved in this way. Employees, on the other hand, save time and money by not having to travel to and from work and enjoy more flexible working hours that can be reconciled with childcare. Whether the boss allows home working can even become a criterion for choosing a job. It is therefore time well spent to draft security guidelines for this. These should be put in writing and made known to the employees.
The following points should be included:
1. Encryption: Only end devices and data carriers with full encryption may be used. Care should be taken to use technologies that are considered secure, such as BitLocker on Windows systems. It is essential to choose a secure password. The German Federal Office for Information Security (BSI) currently recommends a minimum length of eight characters, containing upper and lower case letters, numbers and special characters. It is particularly important that passwords are not kept in written form near the encrypted data carrier.
2. Storage of end devices and data carriers: IT devices containing company data must never be left unattended in parked vehicles. In employees' homes, data carriers and devices must be kept in secure locations. Access by third parties must be ruled out as a matter of principle.
3. Data protection requirements and use of private end devices: It is a fundamental question whether there is any need to allow the use of private devices. In many processes, data is temporarily stored on the computer and not necessarily deleted when the computer is restarted. There is always the danger of mixing official and private data. In addition, there is usually no way to control software installed on the device that is considered critical. If at all possible, it is advisable to allow only dedicated hardware provided by the employer. The use of private cloud storage and private mail accounts should generally be prohibited. The location of the private workplace should not be underestimated either: it must be chosen so that third parties cannot see the data being processed.
4. Secure connection to the company network: As a rule, there is a permanent need to exchange data between external employees and the company network. This is the most critical process in the entire construct. The following applies here: unencrypted data transport is taboo. As an absolute minimum, transport encryption must be active when accessing services or storage locations. Logon may only take place with a secure password and should, if possible, be protected by two-factor authentication, i.e. an additional security feature such as the short-lived PIN from an authenticator app. For permanent use of home office working models, it is usually worth setting up a virtual private network (VPN). This establishes a securely encrypted point-to-point connection, the so-called tunnel, between the external employee's computer and the company network. Once the tunnel has been set up, the computer is fully integrated into the company network and thus has access to all resources available there.
5. Updates and backups: In many company networks, the installation of updates and the creation of backups are regulated by group policies. When external devices are used, employees may have to ensure themselves that the operating systems and software in use are kept up to date. Manual backups may also be necessary. Especially where there is no integration via a VPN, this should be clearly regulated in corresponding agreements.
6. Emergency plan for IT security incidents: It is advisable to determine in advance how to proceed in the event of security-critical incidents, such as a virus report. A contact person should be available for this purpose.
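As an added example that is not part of the original article, the following PowerShell check lets an administrator verify point 1 on a company-issued Windows laptop: every volume is fully BitLocker-encrypted with protection switched on and a current encryption method, and the operating-system volume is bound to the TPM and has an escrow-able recovery password. It assumes an elevated session and the built-in BitLocker module (Get-BitLockerVolume); the accepted methods and required protectors are the author's policy assumptions, not BSI figures.

```powershell
# Added example: BitLocker compliance report for a home-office Windows device.
# Assumes an elevated PowerShell session and the built-in BitLocker module.
# The policy thresholds below are assumptions for illustration, not BSI values.
$AcceptedMethods = @('XtsAes128', 'XtsAes256', 'Aes128', 'Aes256')
$TpmProtectors   = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

function Test-HomeOfficeBitLocker {
    $findings = @()
    foreach ($vol in Get-BitLockerVolume) {
        # Removable and data volumes are reported as well, not silently skipped
        $issues = @()
        if ($vol.ProtectionStatus -ne 'On') {
            $issues += "protection is $($vol.ProtectionStatus)"
        }
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $issues += "volume status is $($vol.VolumeStatus)"
        }
        if ($AcceptedMethods -notcontains $vol.EncryptionMethod.ToString()) {
            $issues += "encryption method is $($vol.EncryptionMethod)"
        }
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        if ($vol.VolumeType -eq 'OperatingSystem') {
            # OS volume: the key must be bound to the TPM, not a bare password
            if (-not ($types | Where-Object { $TpmProtectors -contains $_ })) {
                $issues += 'no TPM-bound key protector on the OS volume'
            }
            # ... and a recovery password must exist so IT can unlock a locked device
            if ($types -notcontains 'RecoveryPassword') {
                $issues += 'no recovery password protector'
            }
        }
        if ($issues.Count -gt 0) {
            $findings += [pscustomobject]@{
                MountPoint = $vol.MountPoint
                VolumeType = $vol.VolumeType
                Issues     = ($issues -join '; ')
            }
        }
    }
    return $findings
}

$report = @(Test-HomeOfficeBitLocker)
if ($report.Count -eq 0) {
    Write-Output 'All volumes meet the BitLocker policy.'
} else {
    $report | Format-Table -AutoSize
}
```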
The BSI offers checklists for the secure design of home office workplaces on its website.
Home office - but secure
Whether due to renewed pandemic-related tightening or to remain attractive as an employer, home office work will remain the norm. If the security measures presented are observed, the risk seems acceptable. IT security incidents occur even without working from home. It is important to take the right security precautions in good time and to communicate this to employees. By the way, the functionality of security concepts can also be checked within the framework of an audit or penetration testing.