Working from anywhere is the latest trend and is experiencing an additional upswing as a result of the Corona crisis. But many risks lurk in the home office. What do companies need to watch out for and how can remote work be properly secured?
IT security even from the home office
During the acute Corona phase, many companies were forced to send their employees to the home office. Even companies where the concept was previously the exception have discovered the advantages of location-independent, flexible work for themselves.
According to a study by the Fraunhofer Institute for Industrial Engineering, 42 percent of respondents intend to further expand their home office offerings in the future. But when employees work beyond the well-protected corporate infrastructure, this raises numerous security issues.
It starts with basic things like physical security. Whereas in the office there is usually an area where there is no public traffic, at home or on the road an unauthorized person can quickly catch a glimpse of the screen.
What if sensitive information is on display? What if the laptop is lost or stolen? According to a study by the security provider Eset, one in five Germans has already suffered the loss of a mobile device. If confidential data falls into the wrong hands, the damage is great.
In addition, there are often confidentiality agreements or guidelines regarding the secure storage of documents that must also be adhered to when working remotely and in the home office (e.g., according to ISO 9001 or ISO 27001 with auditing of workplace security).
This means, for example, ensuring secure printouts on a shared network printer, documents containing sensitive information should not be left lying around in the open, should end up in waste paper, and should not be stored on devices such as private multifunction printers. ISO 270001 specifies the proper deletion of data and disposal of data media.
A fundamental problem in the home office is that employees use networks that are not under the control of the company. These must initially always be considered insecure. It is therefore important to ensure that connections to the corporate network and access to corporate data from these networks are secure.
At the same time, it must be ensured that the user’s Internet connection is stable and provides sufficient bandwidth to enable them to perform adequately – especially if service level agreements (SLAs) must be met with customers. This, too, is an information security issue. Because otherwise, one of the three protection goals, namely ensuring the availability of data, will not be achieved. The other two protection goals are to ensure confidentiality and integrity of information.
Risks from cyber attacks
Attack scenarios in the home office are not much different from those in corporate environments. Malware and phishing attacks are particularly common. Spear phishing, in particular, has seen strong growth recently: cybercriminals specifically select victims or victim groups and try to deceive them with customized content.
Employees in the home office are more susceptible to such attacks because at home they cannot quickly ask a colleague for advice when they receive a suspicious e-mail. Instead of going to the trouble of creating a customer support request, they then make what may be the wrong decision themselves.
Important client-side protection measures
To minimize risks in the home office, companies should protect endpoints with standard cyber security techniques. These include, for example, an anti-virus solution, a firewall as well as port control, and media encryption, so that no random USB stick can be plugged in that could be infected with malware. Hard disk encryption protects against unauthorized access if a laptop is ever lost.
Also helpful is a URL filter that ensures users don’t visit dangerous websites, a cloud access security broker (CASB) that controls the use of cloud services, and a data loss protection solution that protects against unwanted data leakage. Additionally, an endpoint detection and response solution can enhance security. It detects suspicious behavior and can terminate processes remotely.
VPN gateways and two-factor authentication
Connection to the corporate network should be encrypted through a secure virtual private network (VPN) gateway. This can be hardware or software implemented. For example, there are devices that users can simply plug in behind their home DSL router and that simultaneously provide a