TÜV TRUST IT GmbH (TÜV AUSTRIA Group) gives eight tips for working safely from home.
As a result of the corona crisis, tens of thousands of jobs have been temporarily moved into employees' homes. The new situation has also led to more crime on the internet. A closer look at your own IT structure, or the creation of suitable security measures, is therefore a worthwhile investment in the current situation.
The IT experts at TÜV TRUST IT have developed useful tips to help companies work safely from the home office.
1. Set up, optimise and secure VPN access for employees
VPN access enables secure access to the company network. Employees can use it to retrieve data that would otherwise only be available in the local company network. This access should itself be secured: personal certificates and multi-factor authentication are recommended. Furthermore, all traffic should be routed through the VPN. This ensures that nothing leaves via the employee's private internet connection.
2. Manage cloud services securely
Cloud services are increasingly used for data exchange in the home office. They are a useful alternative for transferring sensitive data when no VPN access is available. It should be ensured that data is only stored in the cloud in encrypted form, that HTTP connections are always encrypted (HTTPS), and that all components are at a current patch level to prevent the exploitation of publicly known vulnerabilities. It is also important that the cloud service is only used via the company laptop.
3. Agree on behavioral guidelines for home office
Companies should agree on clear security guidelines for working in the home office. If these are already set out in the company policy or a similar document, they should be updated to reflect the current threat situation.
4. Handling of confidential data in paper form
There should also be precise specifications for working with confidential data in non-digital form. This includes following the clean desk policy at home as well. That means not leaving out in the open any information that is not intended for third parties, for example sticky notes with confidential information such as passwords.
If working with paper documents cannot be avoided, it must be ensured that employees can safely dispose of information on paper. A specification for erasing data carriers is also important.
5. Use of private phones
In theory, employees who do not have a company mobile phone have the option of forwarding their company number to their private telephone. However, caution is required here, as data protection and information security problems can arise.
Particular attention should be paid to the way in which the phone is used to communicate. While a classic phone call is of little concern, other ways of using smartphones, such as WhatsApp and other messaging services, are not recommended from a security point of view.
6. Physical access and access protection
Physical access protection covers the general protection of the home, e.g. no doors and windows are left open. Access protection means that confidential data in paper form is locked away and the laptop is locked when leaving the workplace.
7. Technical access protection
In order to guarantee technical access protection, the IT systems used (telephone, laptop, tablet etc.) should be hardened and all storage media and data carriers should be encrypted.
In addition, it should be ensured that updates for the end devices are always installed as quickly as possible in order to guarantee the best possible security.
8. Create / improve awareness
The design and implementation of awareness measures, especially with regard to phishing, is particularly important now. Respiratory masks and similar articles are currently advertised in phishing emails in order to gain access to data, to lure potential customers to fake online shops, or to get them to open malicious email attachments. The following therefore always applies:
- Check the sender of an email
- Check links in emails carefully
- Report fake emails to the IT department
- Check all payment requests carefully
- Never enter your own password on an unknown website