The home office as a security risk: tips for protection
20-04-2020 Author: Jan Tissler
Many organizations were taken by surprise when the Corona Virus crisis first hit and the “home office” suddenly became the only immediate solution. Unsurprisingly, shortcuts were often taken, which, especially in terms of IT security, can potentially cause hair-raising problems. Here are some tips on how to minimize these risks.
Quickly replace and secure provisional arrangements
In the initial hectic rush, solutions that should only be temporary were haphazardly put together in any number of places. The SharePoint server, which is otherwise only available internally, may have been connected to the internet without any further protection. Or, on their own initiative, employees might be using cloud tools that they're already familiar with, but which are not necessarily suitable for sensitive information. Or a chat app without sufficient encryption might be used for exchanges.
IT now needs to find suitable alternatives and at the same time ensure a higher level of security: two-factor authentication is the keyword. IT must also evaluate new (cloud) services and set them up correctly – not an easy task and one that also takes time. Here the organization may have to invest in external expertise.
And if this isn't yet available: Employees need a password manager so that secure passwords become the norm.
Attacks don't only affect the infrastructure, but often a weaker link in the chain: humans. We already covered this topic in a separate article and today, it is more relevant than ever. Ultimately, employees find themselves in a very unusual situation, because there is now a lot of digital communication that would otherwise normally have taken place in a personal conversation.
That seemingly urgent email from a supervisor or a client's call for help may turn out to have been sent by an attacker. Research shows that the click rate on phishing emails in the home office is three times higher than in the actual office. Seemingly innocent phone calls may exploit a general sense of uncertainty and confusion to extract internal information. Or employees might decide on their own to use an insecure service because it's easier to use than the official one. It is important to provide not only suitable alternatives (see above), but also clear announcements regarding what can and can't be used.
In addition, criminals are aware of how much demand there is for information about the Corona Virus crisis. Back in January, security specialist Kaspersky had detected malware attachments that used information about the virus as a lure. And the eco association stated that between January and March 2020, over 16,000 domains related to the subject of Corona were registered. Studies show that these are 50 percent more likely to be fraudulent than others.
It is now more important than ever to sensitize your own employees to these types of attack scenarios. At the same time, common sense and special caution are required in this new and unfamiliar situation. Everyone involved must be sensitized to the fact that security and data protection take precedence over quick action and an immediate response. Remember: everyone in the organization is under enormous pressure and stress. Team leaders and managers need to keep this in mind and also accept that productivity will drop, at least temporarily.
At the same time, everyone involved will need new workflows and processes. These should be secure and at the same time easy to follow. Agreements and consultations are not always easy to implement when teams are spread out in different locations. Ideally, employees and groups should be aware of which decisions they can make for themselves.
Security measures in the home office
You should also give employees tips on how to secure their work at home. Many will never have dealt with this before, as this would normally be a task for IT. What's more, private installations are usually designed for convenience and not for security.
Ideally, private and company hardware should be kept strictly separate. Employees using their own devices might be a nightmare for some IT departments. Still, there are a few tips to improve security:
- A mobile internet connection via smartphone hotspot, surf stick or 4G router is considered to be more secure than home WiFi.
- If this is not possible, all admin and WiFi passwords must be updated and brought to a secure level.
- Ideally, smart home functions should be deactivated during working hours.
- In general, the firmware of all devices should always be up to date; this applies particularly to the home router.
- A VPN service is required to connect to the company network in order to encrypt the data traffic.
- All devices used for work must be secured in view of a potential break-in. This includes encrypting the data – not only on computers, but also, for example, on USB sticks. See FileVault for Macs and BitLocker for Windows.
- A function to remotely wipe the smartphone, tablet or laptop must also be available.
- If possible, the work room at home should be lockable and important documents, data carriers and devices should be locked away.
Many companies were initially concerned with maintaining or restoring the ability to work. It is understandable that other aspects consequently fell by the wayside. However, the damage potentially inflicted by a successful hacker attack should not be underestimated. In this respect, now is the right time to once more prioritize IT security. It is particularly important to involve employees, sensitizing them to the dangers and helping them out with clear announcements.