Secure home office

Secure home office - how cyber security also works at home

Home office offers the opportunity to carry out professional activities from home and has become significantly more popular in recent years. This form of work enables employees to work flexibly without having to rely on their own car or public transport. The COVID-19 pandemic has also significantly increased the popularity of the New Work working model. Companies have to adapt their processes and systems in order to maintain regular operations and productivity.

Working outside the secure company network harbours a number of risks for your company's IT security in addition to the many benefits. Using private internet connections and devices that do not have the same security standards as in the office opens new doors for cyber criminals. In addition, phishing attacks and malware distributions are becoming more targeted and sophisticated. This poses a significant challenge, as the security infrastructure at home is usually less robust and employees do not have immediate access to IT support.

Differentiation: home office, teleworking, mobile working and remote working

Before we look at cyber security in the home office, here are the meanings of common terms associated with working from home. In our article, we mainly use the term home office. However, the article, especially the tips it contains, can be applied to all of the working models listed.

  • Home office: working from home.
  • Teleworking: working from a fixed location outside the traditional office; this can also include locations other than the home.
  • Mobile working: working from different locations, be it on the road, in a café or at another location outside the office.
  • Remote work: working from any location.

The basics of home office security

The importance of IT security at home cannot be overemphasised, as the integrity and confidentiality of company data is more at risk outside the traditional office environment. In the office, employees (and organisations) benefit from a professional IT security infrastructure that is regularly maintained and updated to withstand current threats. In contrast, the home office is often equipped with personal devices and private networks that are not subject to the same strict security guidelines.

A combination of outdated security technology and careless handling of passwords increases the attack surface for cyber criminals in the home office.

This discrepancy in the security infrastructure leads to an increased attack surface for cyber criminals. Personal devices and networks are often more vulnerable to attacks as they are less likely to be kept up to date with the latest security technology. In addition, people at home tend to be more careless with passwords and delay necessary security updates, further increasing the risk of security breaches. These factors make it clear why a robust IT security strategy for the home office is crucial to protect both the organisation's data and employee privacy.

Challenges of the home office regulation

While working from home offers flexibility and convenience, it also poses particular challenges in terms of cyber security. The boundaries between professional and private environments are becoming blurred, which expands the attack surface for cyber threats.

Phishing
Phishing is a common method used by cyber criminals, where fake emails or messages are used to trick you into revealing sensitive information such as passwords or credit card details. These deceptive attempts are often difficult to distinguish from legitimate requests as they mimic the appearance of trusted organisations (such as the tax office, post office, etc.). Phishing has evolved over time to such an extent that subtypes such as spear phishing now also exist. Spear phishing poses an even greater security problem, as attackers in this form specifically collect information such as names or addresses from their victims, making the phishing mail appear credible and deceptively genuine.

Malware
Malware means "malicious software" and refers to various types of harmful programmes that aim to infect your devices, steal data or cause damage. From viruses to Trojans to spyware, malware can get onto your devices through inconspicuous downloads or by opening infected email attachments.

Insecure networks
Insecure networks pose a significant risk in the home office as they make it easier for attackers to access your data or spy on your online activities. The use of public or poorly secured private Wi-Fi networks opens the door to cyber attacks.

Use of personal devices for work
BYOD (Bring Your Own Device) means using personal devices for work. With the rise of the home office in recent years, BYOD has also become increasingly important. While it offers several advantages for employees and employers, private computers or smartphones often cannot fulfil the same security standards as company-owned devices. They may be outdated in terms of software and security patches, or lack adequate antivirus software. This increases the risk of sensitive company data being accessed or stolen.

Loss of devices
The loss of devices, whether through theft or simple misplacement, harbours a security risk in the home office that should not be underestimated. Important work data can fall into the wrong hands and jeopardise privacy and company security.

Non-compliance with data protection guidelines
Failure to comply with data protection guidelines in the home office can have serious consequences, both for the security of company data and for compliance with legal requirements. Without the direct supervision and structured security protocols of the office environment, there is a risk that employees may violate these guidelines inadvertently or out of ignorance. This includes the improper handling of sensitive data, the use of unauthorised applications or the neglect of security updates. Such breaches can not only jeopardise your data security, but also lead to legal consequences and financial losses and penalties.

Physical security
A major challenge in the home office is ensuring physical security, especially the privacy of screens and documents. It is vital that confidential information cannot be viewed by visitors or family members to minimise the risk of unwanted sharing of sensitive data and visual hacking. Time outside of working hours also requires careful storage of devices and documents to prevent theft or loss, thus maintaining the security of company information at all times.

Home office: Tips for employers

It takes a variety of measures to ensure the safety of your employees and your company in the home office. There is no single solution that covers all risks. Instead, a holistic approach based on several planned and well thought-out security measures is required. In addition to technical measures, it is important that you also integrate internal measures to sensitise employees.

Here's what you can do as an employer to enable your employees to work safely from home:

MFA

Implementing multi-factor authentication (MFA) is one of the most effective measures you can take as an employer to increase security in the home office. MFA adds an extra layer of security by requiring users to provide two or more proofs of identity before gaining access to company systems or data. This can be done through a variety of methods, including:

  • SMS codes
  • Authentication apps
  • Biometric data (for example fingerprint, face ID)
  • Push notifications

Multi-factor authentication is an easy-to-implement yet highly effective security measure that significantly improves the protection of critical resources.

Train employees

One of the most important measures for a secure home office is training employees in cyber security. Only through regular and targeted training can employers ensure that their teams have the necessary knowledge to recognise potential threats and respond appropriately. This training should not only teach basic security practices, but also address the specific risks of working from home. These include phishing attacks, secure password practices and dealing with insecure networks. Employees are the first line of defence against cyber attacks, but they can only do so if they understand and know how to mitigate security risks.

Even the best technical measures are ineffective if employees are not trained to use them effectively and recognise potential security risks.

Secure endpoint devices

Securing endpoint devices (endpoint security) is an essential part of strengthening cyber security in the home office. Endpoint devices such as notebooks, smartphones or tablets are often the gateway for cyber attacks, which is why these devices should definitely be protected with the latest security software solutions. As an employer, make sure that all devices used for work are regularly updated. Additionally, installing antivirus software and utilising firewall settings is recommended to provide robust protection against malware and other online threats.

VPN

By using a virtual private network (VPN), you can further improve data security in the home office. A VPN encrypts the data traffic between the employee's end device and the company network, making it virtually impossible for outsiders to access or intercept this data. This is particularly important when employees access internal company resources via public or insecure networks. By enabling your employees to use a VPN, you create a secure environment for the transmission of sensitive information and minimise the risk of cyber attacks.

Regular updates

Regular updates are necessary to maintain cyber security in the home office. Software and operating system updates often contain important security patches that close vulnerabilities that can be exploited by cyber criminals. Ideally, you should have your IT system monitored and supervised by professionals to ensure that all devices and programmes used are updated automatically or according to a fixed schedule.

Setting up a firewall

A firewall acts as a barrier between a company's internal network and external threats by monitoring and regulating data traffic. It can filter unwanted or dangerous data packets before they reach the network or end devices. Make sure that both the company networks and your employees' end devices are equipped with a reliable firewall to ensure the highest level of security in the home office.

DaaS

The DaaS model (Devices-as-a-Service) gives companies the opportunity to obtain high-performance IT devices such as PCs, notebooks or tablets at a monthly service price without having to pay high acquisition costs. It converts one-off investment costs into predictable ongoing service costs and enables IT equipment to be continuously adapted to the latest technological developments and needs of your company. The devices are already equipped with the appropriate security software when they are implemented. In the event of an unexpected problem with a device, you will immediately receive a replacement or exchange device.

Email security

It is common knowledge that emails are a major target for cyber criminals. To ensure the email security of your employees, even when working from home, you should invest in advanced email security solutions. These can include features such as spam filters, phishing detection and encryption to protect sensitive information. Sensitising your employees to the correct handling of spam or phishing emails also contributes to cyber security. Only through a combination of technical solutions and conscious behaviour can the risk of email-based security breaches be significantly reduced.

Define home office regulations for employees

Create a guideline with clear internal guidelines for working from home. The home office policy should contain detailed instructions on the use of IT resources, the handling of sensitive data and compliance with security protocols. The guide acts as a central point of contact for all security issues. Don't forget to continuously update the home office policy to reflect the latest security knowledge and technology.

MSSP / SOC

A Security Operations Centre (SOC) plays a central role in a company's cyber security strategy by continuously monitoring the security of the IT infrastructure - an aspect that becomes particularly relevant in the home office context. As internal capacities for an in-house SOC are often lacking, a Managed Security Service Provider (MSSP) can serve as an outsourced SOC. This enables companies to ensure continuous security monitoring even when working from home without having to invest directly in internal resources. An MSSP thus offers the necessary expertise and support to strengthen cyber security across all working environments.

Inventory/overview of all end devices

To maintain an overview, you should take a thorough inventory of all end devices. All devices that have access to the company network should be recorded here. Document protective measures for the respective devices and update inventory changes. This is the only way to ensure that you have an overview of whether all devices comply with the relevant security guidelines. Potential security gaps can be closed quickly and your defence against cyber threats is consistently at a strong level.

Home office tips for employees

As an employer, you are not the only one who can maintain your company's cyber security: employees need to do their part too.

Employees can take these measures to use the home office safely:

Securing the Wi-Fi

Employees should secure their home Wi-Fi with strong encryption methods and change the default network names and passwords. Regularly updating the router firmware is also necessary to ensure protection against external attacks. A well-secured connection forms the basis for secure working in the home office.

Avoidance of public networks

Public or unsecured networks should not be used for professional purposes. These are easy targets for cyber criminals as they often do not fulfil the relevant security criteria. Employees should use private, secure networks or VPN connections to ensure secure data transmission.

Awareness of phishing attempts & suspicious emails

A critical awareness of phishing attempts and suspicious emails is the be-all and end-all for IT security at home and in the office. Employees must be vigilant and critically scrutinise the authenticity of requests before disclosing personal or professional information. Links and images should also not simply be accessed blindly, but checked first.

Use of a password manager

Using a password manager helps employees to manage a variety of strong and unique passwords. This approach not only promotes security through the use of complex passwords, but also facilitates the daily use of different services and platforms.

Use of strong, different passwords

Using the same password for multiple accounts is extremely risky and can lead to serious security problems, because one leaked password then opens every account that shares it. Instead, a strong, different password should be used for each account. This greatly reduces the security risk. By combining letters, numbers and special characters, employees can significantly increase the security of their online identity.

Protection of sensitive information in multi-person households

In multi-person households, it is important that sensitive work-related information is not visible to others. Employees should take measures to secure their workplace accordingly, for example by using screen savers or working in separate rooms. It is also advisable to treat sensitive information discreetly during work-related telephone calls and to ensure that no unauthorised persons can listen in.

Securing the devices during your absence

Devices should be locked by locking the screen even during short absences. This prevents physical access by unauthorised persons and protects against potential data misuse or theft. Documents and records must also be stored in a secure place.

Exclusive use of professional devices

Devices used for work purposes should not be used for private purposes or by other household members. This reduces the risk of security breaches from external applications or games that are potentially insecure.

Sensitivity to social engineering

Social engineering attacks often utilise interpersonal manipulation to gain access to sensitive data. Employees should be sensitive to such attempts and always exercise caution when dealing with unusual requests.

No independent software installations or configuration changes

No software installations or configuration changes should be made without consulting the IT department. Even if it is well-intentioned, such independent interventions can unintentionally open security gaps or override existing protective measures.

Important

Effective protection in the home office can only be achieved through the interaction of various security measures by the company and employees. A high level of security can only be guaranteed through joint endeavours.

Legal issues

In the case of security breaches in the home office, the question of liability depends largely on the degree of fault. An employee is fully liable in the event of intent, but only if the intent explicitly relates to both the breach of duty and the resulting damage. In the case of slight negligence, the employee is not liable, whereas in the case of medium negligence, liability is proportionate.


Bodo Gärtner