The home office is more than just the company computer in the living room or bedroom at home. Companies must take special security measures since the systems are not located within the secure office infrastructure.
Home offices are now part of everyday life in numerous companies. They will probably remain so since many employees and employers would like to continue working from home in one form or another even after Corona. It is high time to take care of security, since the first lockdown was often only about making work from home possible in the first place.
Computers in the home office are more at risk than in the well-protected company network – cybercriminals quickly recognized this and intensified their attack efforts in the first days of the pandemic. However, companies are not powerless in the face of this but can implement a few basic measures to better secure systems outside of their own IT infrastructure.
No Private Devices
Because many employees had to move to the home office at short notice in the early days of Corona and many companies lacked mobile devices, some employees worked at home on their private PCs – and some still do. However, companies cannot enforce security policies on these devices and must rely on the employee’s protective measures. Therefore, such “pragmatic” solutions are a risk and should be replaced urgently.
Regular Patching
Today’s main gateway for cybercriminals is software vulnerabilities – almost all malware tries to exploit security holes in operating systems or applications to infect a system. Therefore, the quick installation of all available security updates and patches is the essential requirement for secure work in the home office and allows many attacks to come to nothing.
Up-To-Date Endpoint Protection
Modern endpoint protection, which combines various detection mechanisms to ward off advanced malware, belongs on all home office computers. Of course, companies must also update this security software regularly to offer the best possible protection.
Two-Factor Authentication
The classic login to systems, applications and online services with a username and password is no longer up to date because cybercriminals are now pretty good at guessing even long passwords – or they capture them in malware and phishing attacks. More complex passwords hardly increase the level of protection and only tempt employees to use the same password for several accesses. Two-factor authentication is more secure, requiring another factor besides the password, such as a smart card, a security token or a PIN sent to a mobile phone. The password alone is then worthless to an attacker.
VPN Connection To The Company Network
Employees need access to data or applications in the company network for many tasks. They establish this via a VPN – an encrypted communication tunnel between the work device and the company infrastructure. In this way, companies prevent outsiders from tapping or manipulating data on the transmission path. In addition, they find it easier to adjust security policies and install updates than on systems that are not connected to the company network.
Control of USB Devices
To reduce the risk of malware infection and prevent company data from ending up on private storage, companies can at least block the USB ports of home office computers for external storage media such as USB sticks and hard drives.
Encrypted WLAN
Many employees use a wireless network at home. So that company data is protected, you should activate secure WLAN encryption with WPA2 or WPA3 – the older encryption standards WEP and WPA no longer offer sufficient protection. The WLAN encryption ensures that attackers cannot intercept the transmitted data, which is particularly important when employees are not using a VPN, or only certain connections are routed through the VPN tunnel.
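As an added example (not from the original article), the check below applies the rule from this section to a Wi-Fi scan: WPA2 and WPA3 pass, while WEP, legacy WPA and open networks are flagged. It assumes the `SSID:SECURITY` terse output of NetworkManager's `nmcli -t -f SSID,SECURITY device wifi list`; the sample lines are constructed.

```python
# Ratings follow the article: WPA2/WPA3 acceptable; WEP, legacy WPA and open are not.
ACCEPTABLE = {"WPA2", "WPA3"}

def split_terse(line):
    """Split an nmcli terse line on ':' while honouring backslash escapes."""
    fields, cur, i = [], "", 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):
            cur += line[i + 1]      # an escaped ':' or '\' belongs to the field
            i += 2
            continue
        if line[i] == ":":
            fields.append(cur)
            cur = ""
        else:
            cur += line[i]
        i += 1
    fields.append(cur)
    return fields

def classify(security):
    tokens = set(security.split()) - {"--"}
    if not tokens:
        return "open"
    if "WEP" in tokens:
        return "weak: WEP"
    if tokens & {"WPA", "WPA1"}:
        # Mixed mode still lets clients fall back to the legacy standard.
        return "weak: legacy WPA enabled"
    modes = tokens - {"802.1X"}
    return "ok" if modes and modes <= ACCEPTABLE else "unknown"

def audit_wifi(scan_output):
    report = {}
    for line in scan_output.splitlines():
        fields = split_terse(line)
        if len(fields) == 2 and fields[0]:
            report[fields[0]] = classify(fields[1])
    return report

# Constructed sample scan output (not taken from a real network).
SAMPLE = r"""HomeNet:WPA2
Cafe\:Guest:
OldRouter:WEP
Mixed:WPA1 WPA2
Corp:WPA2 802.1X
Office:WPA3"""

if __name__ == "__main__":
    for ssid, verdict in audit_wifi(SAMPLE).items():
        print(f"{ssid:12} {verdict}")
```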
Secure Router Password
The router itself must also be protected against unauthorized access so that cybercriminals cannot hijack it and read all data transmissions. Therefore, a secure password for access to the router configuration is mandatory, mainly because the simple default passwords of many router models are widely known. The more complex default passwords that some manufacturers assign to each device individually, while more secure, aren’t ideal either, as they’re usually printed on the device. Guests, tradespeople or other visitors could write them down in an unobserved moment.
Careful Selection of Cloud Services
Companies have often introduced new cloud services and online services for data exchange and communication with the home office. Here they should now evaluate whether they meet their security and data protection requirements, for example, whether they use secure encryption, where they store data or how they can be integrated into the company’s existing security infrastructure.
Clear Guidelines For Employees
With clear and binding guidelines for handling data, applications and devices in the home office, companies prevent employees from endangering IT security or violating data protection out of ignorance. You should also coordinate communication channels and contact persons so that processes are regulated and employees do not fall for fraudulent attempts such as scam calls from supposed support employees. Special awareness training courses can also help further raise awareness of cyber threats.