Home office - what IT dangers lurk?

Not only do special hygiene rules have to be observed these days, but also cyber security rules. This applies even more to those who work from home.

With a few measures, you can significantly minimize cyber risk and make your home office a safe place to work. Infoguard's tips are:

• In order to establish a secure connection to the corporate network, the use of VPN (Virtual Private Network) is essential. Make provisions so that the remote access solution can also cover the additional bandwidth requirements.
• Remote Access in combination with an MFA (Multi-factor authentication) is a must. Make sure that sufficient licenses are available for remote access with the MFA and that the rollout is prepared. It would be annoying if employees could not work productively due to a lack of authentication.
• If mobile workstations do not exist for employees, they are likely to be provided via private devices (BYOD, Bring Your Own Device, Safety tips here) access the corporate network. The devices should meet the relevant minimum security requirements and be equipped with appropriate protection software.
• Operating systems, applications, malware scanners, etc. should always have the latest Updates installed (also applies to private devices). Use compensatory measures if vendor updates are not available. Possibilities are Endpoint Protection (EPP), Endpoint Hardening, Endpoint monitoring by a SOC, etc.
• Among other things, rely on Awareness measures (Security Awareness) and information to make employees aware of the dangers. Currently, for example, phishing e-mails (cf. here) sent that are related to the coronavirus. Use advanced security functionalities on the email gateways to protect against malware and APT attacks.

Hands off public cloud services

Groupware functions such as e-mail or calendaring are usually not the big security issue when working remotely, as these applications are already mostly available via web clients and mobile apps regardless of location anyway.

Content collaboration solutions offer a modern alternative to VPN solutions for in-house access. They enable files to be accessed and exchanged quickly, easily and independently of end devices via central online storage.

The temptation to simply use one of the numerous public cloud storage services is great. However, companies should keep their hands off them, advises the open source provider ownCloud. These services are generally of US origin and are therefore subject to the US Cloud Act. The relatively new law legitimizes American authorities to demand that operators hand over all the data of a person or a company. However, this is not compatible with data protection regulations such as the GDPR and de facto forces companies to give up control over their often sensitive data.

Sources: Infoguard, ownCloud

see also article "High data security in the cloud„

What else to consider

If the employee can only do his work with access to server XY, then this must also be guaranteed in the home office. Ideally, this has already been effectively tested BEFORE the emergency.

Not all work processes in the company also work in the home office, whether for security reasons, legal hurdles or company rules. This should be communicated clearly and in good time to avoid frustration and missing work steps. On the other hand, as a home office employee, you should also be aware of this and not try to creatively circumvent these limits.

A mailbox for security problems

It is helpful to set up a company e-mail address to which employees can send security problems quickly and unbureaucratically.

Against the backdrop that many cyberattacks are successful because the scammers try again and again and exactly until there is a thoughtless click, a security e-mail box also serves prevention: conspicuous features can be registered quickly and warnings can follow. All tips from users, even superfluous ones, should definitely be acknowledged. Information about the security service, on the other hand, should not be sent to the e-mail account as a link, but rather offline via letter, info card or similar at home, in order to make it difficult for fraudsters in this area as well.

Source: Alert Sophos