Working from home – a guide for IT security officers

Home office has been a topic for years, which many employees wish to do in order to be able to work flexibly. For this reason, some companies and public authorities have already set up a technical infrastructure for this and let their employees work from home. But what do you need to pay attention to in terms of IT security? We enlighten!

Working outside of the office involves several dangers that must be taken into account when transferring to working from home. Basically the same safety rules and therefore the same requirements for information security should apply as in the company itself. However, the limited control on the part of the employer makes it easier for third parties to gain unauthorized access and e.g. misuse data.

Working from home - unknown territory for many employees and employers

In addition, during corona crisis there is another factor that has even greater influence: The often hectic pace when switching working environments. Explains Manuel Atug from HISolution in ZEIT ONLINE. The colleagues who have now moved into their “office” at home must first get used to the new communication channels and processes. It is therefore understandable that they open e-mails and click on links and files that seem legitimate at first glance.

In addition, since the colleagues no longer sit next to each other, fraudsters with social engineering tactics have an easy job. The increased digital and telephonic communication among employees, which is necessary due to the work-from-home-situation, increases the danger even more. But at the same time, since IT security officers in many companies and government agencies work under enormous pressure, they often lack the opportunity to support their colleagues and explain how to secure communication.

Special protective measures are therefore needed to make working from home secure. In the case of particularly sensitive data, additional measures are also advisable, and even indispensable when processing personal data, in order to not endanger the personal rights of third parties.

Work from home – topics you should pay attention to

Accordingly, it is important for companies and public authorities to protect their employees who are working from home and also themselves. Besides the necessary technical infrastructure, organizational steps are also essential. This naturally includes securing workflows: 'How do we protect information? How do we communicate with each other? How can we ensure that employees can be contacted by phone? 'In the same way, employees should be instructed about information security and data protection at home and be committed to act compliant to rules. They should also receive security awareness training to identify, prevent and subsequently report cases of social engineering or fraud if they are being confronted with it via phone or email. In this way, every employee can actively contribute to the security of the company and its data.

An agreement under labour law should be made

  1. Setting up technical infrastructure
    A virtual private network (VPN), up-to-date security software, centrally controllable updates and hard drive encryption are indispensable.
  2. Restrict access rights
    Who needs access to which data while working from home?
  3. Make labour law agreement
    This agreement is not only important for the IT security, but also because of labour law and data protection law. In the interest of a speedy introduction, it is advisable to create a regulation for 'mobile working' instead of 'working from home'. Through this, requirements for the workplace (e.g. ergonomics) can be reduced at first. (In case of regular / permanent work from home however, a correlating regulation should be implemented). The agreement should contain at least the following points:a) Private use of company work equipment is prohibited.
    b) Confidential information and work equipment must be locked away.
    c) Equipment shall be locked when leaving the workplace unattended (e. g. use lock screen function).
    d) Secure data transmission procedures must be used - this usually includes the use of VPN and other data transmission procedures specified by the company.
    e) Employees are obliged to report irregular occurrences.
    f) Rights of supervision for the data protection officer
    Other issues such as a policy for passwords or a policy for data destruction should be regulated independently from the topic of working from home.
  4. Sensitise employees
    Employees should be trained on the importance of information security and made aware of their special responsibility during the time in the home office, with the following topics being of particular relevance
    a) Private use of company work equipment must be avoided.
    b) Confidential information must be protected from access by unauthorised persons (including family members). If possible, the working environment at home should be paper-free. Documents should be locked away.
    c) Devices must be protected by a password and should be locked every time when leaving the workplace, even if it’s just for a short time (key combination for screen lock: Windows+L or for Mac users ctrl+shift+eject, among others). Devices should be locked away in case of longer absence.
    d) Confidential work-related discussions should take place separated from third parties in the household.
    e) Data exchange and storage of data have to be encrypted (VPN, possibly also e-mail encryption, hard disk encryption).

Sensitize your employees with our E-Learning

You don’t have to put a lot of effort into the task of teaching your employees about the dangers of working from home. Here you can sign-up for our e-learning and we will send it to you. Passing it on to your colleagues won’t take more than 5 minutes. We prepared the most important topics there in a clear and demand-oriented way for employees.

Disclaimer: No legal advice intended. The contents of this article are intended to convey general information only and not to provide legal advice or opinions. This article serves IT security officers to expand their basic knowledge on the topic 'working from home'.