An interview with André Zingsheim, Principal Consultant at TÜV TRUST IT GmbH, TÜV AUSTRIA Group.
Because of the corona crisis, more people than ever are working from home. With the increased number of home offices, attacks targeting remote work are demonstrably increasing, and with them the risks.
André Zingsheim has been with TÜV TRUST IT as an experienced security expert and BSI-certified penetration tester for many years and regularly carries out comprehensive and complex security analyses for companies of different industries and sizes.
We interviewed him about the current increase in home office work in companies and the associated risks.
André, what technical requirements should be in place to work securely from the home office?
“A working VPN connection is essential for working in the home office if the company is not completely in the cloud. This allows me to dial into the company network as if I were in the office. In order to make the whole thing secure, this login process should also be secured, for example by certificates or multi-factor authentication.
For the VPN itself, only cryptographic methods according to the state of the art, e.g. BSI TR-02102, should be used. If companies are not sure whether their VPN solution is secure, they should get advice from security experts and have a security check carried out if necessary.”
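The answer above comes down to two concrete settings on the VPN gateway and client: a login protected by certificates or a second factor, and cryptography that meets BSI TR-02102. As an added example, not part of the interview and not TÜV TRUST IT's material, the following Python script parses an OpenVPN client configuration and flags settings that fall short of that advice. The directive names are OpenVPN's own; the thresholds (TLS 1.2 minimum, AEAD-only data ciphers, SHA-2 HMACs, forward-secret TLS suites, certificate plus a user credential as the second factor) are the editor's reading of TR-02102 and of the interview, not the text of the TR, and both sample configurations are constructed.

```python
"""Added example (not from the interview or TÜV TRUST IT): check an OpenVPN client
config for a protected login and state-of-the-art cryptography. Directive names are
OpenVPN's; the thresholds are the editor's reading of BSI TR-02102 (assumptions)."""
import re

AEAD_CIPHERS = {"AES-128-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}  # assumed allowlist
WEAK_HMACS = {"MD5", "SHA", "SHA1"}
MIN_TLS = (1, 2)


def parse_openvpn(text):
    """Map directive -> list of argument lists. Inline <tag>...</tag> blocks are
    recorded as ["<inline>"] and their body skipped; '#'/';' lines are comments."""
    directives, inline_tag = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag:
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            inline_tag = m.group(1)
            directives.setdefault(inline_tag, []).append(["<inline>"])
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def check_vpn_config(text):
    """Return a list of findings; an empty list means the config passes the policy."""
    d = parse_openvpn(text)
    findings = []

    ver = d.get("tls-version-min", [[None]])[0][0]
    if ver is None:
        findings.append("tls-version-min missing: set 1.2 or higher")
    elif tuple(int(x) for x in ver.split(".")) < MIN_TLS:
        findings.append(f"tls-version-min {ver} is below 1.2")

    # data channel: every negotiable cipher must be an AEAD mode
    ciphers = [c.upper() for n in ("data-ciphers", "ncp-ciphers", "cipher")
               for args in d.get(n, []) for c in args[0].split(":")]
    if not ciphers:
        findings.append("no data cipher configured explicitly")
    findings += [f"data cipher {c} is not an AEAD mode"
                 for c in dict.fromkeys(ciphers) if c not in AEAD_CIPHERS]

    hmac = d.get("auth", [["SHA1"]])[0][0].upper()  # OpenVPN's default is SHA1
    if hmac in WEAK_HMACS:
        findings.append(f"auth {hmac}: use SHA256 or stronger")

    if not any(k in d for k in ("tls-crypt", "tls-crypt-v2", "tls-auth")):
        findings.append("no tls-crypt/tls-auth: control channel unauthenticated before the handshake")

    for args in d.get("tls-cipher", []):  # pinned suites must provide forward secrecy
        for suite in args[0].split(":"):
            if not suite.upper().startswith(("TLS-ECDHE-", "TLS-DHE-")):
                findings.append(f"tls-cipher {suite} lacks forward secrecy")

    if "client" in d or "tls-client" in d:
        if d.get("remote-cert-tls", [[None]])[0][0] != "server":
            findings.append("remote-cert-tls server missing: another client's cert could pose as the server")
        has_cert = any(k in d for k in ("cert", "pkcs12", "pkcs11-id"))
        if not (has_cert and "auth-user-pass" in d):
            findings.append("login is single-factor: require certificate plus user credential/OTP (assumed policy)")
    return findings


# Constructed sample configurations, not real deployments.
WEAK_CONFIG = """\
client
dev tun
remote vpn.example.com 1194
ca ca.crt
cert client.crt
key client.key
cipher BF-CBC
auth SHA1
"""

HARDENED_CONFIG = """\
client
dev tun
remote vpn.example.com 1194
remote-cert-tls server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-crypt ta.key
ca ca.crt
<cert>
(constructed placeholder, not a real certificate)
</cert>
key client.key
auth-user-pass
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {check_vpn_config(cfg) or ['OK']}")
```

Run against a real client profile, the script is a quick first pass before the security check the interview recommends; it cannot see what the gateway actually negotiates, so a passing client file still needs the server side reviewed with the same policy.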
What else needs to be considered?
“The focus should also be on all means of communication and channels used by employees for working in the home office. First of all, it is essential to have a secure way to conduct remote meetings. There are a number of solutions on the market here that should be looked at more carefully and then selected with care.
Another important topic that should not be forgotten is cloud services, because they are now used by almost all companies. Of course, these should also be designed to be demonstrably secure, especially in the current situation, in which cloud services are often “quickly” established due to lack of time and lack of human resources.
In addition, the secure use of mobile phones should be considered. Especially if the employees are not equipped with company cell phones, caution is advised. For example, if employees divert their landline phone from the office to their private cell phone in order to be reachable, there is a risk of data protection and information security problems. The implementation of 2-factor authentication requires another secure device, e.g. a company cell phone.”
What other organisational measures should I take as a company?
“First of all there are general rules of conduct for working in the home office. In many companies, whose employees have been working from their home office for a long time, such rules already exist in an existing user guideline or similar.
However, if there are no such rules of conduct, you should create them as soon as possible. Above all, these rules should include how I handle confidential and sensitive information and data. This includes, for example, locking the laptop at home when leaving the workplace.
In addition, the corona crisis generally creates great uncertainty for many people. Of course, this is a favorable situation for hackers, so that a particularly large number of phishing emails are currently circulating and the number of malicious websites is also increasing. Therefore, a special focus should be placed on employee awareness. Employees must be regularly informed about possible attacks and the constantly changing threat situation. In this context, it is also important that IT is easily accessible for queries.”
What precautions can an employee take to work securely from the home office?
“Basically, I should behave in the home office the same way as in the office. If employees work with sensitive information and/or data in paper form, it should be kept secure, for example in a lockable cabinet. Secure disposal should also be considered, e.g. the use of a shredder. If this option is not available, the employer should provide one or consider alternative work processes.
Physical access protection should also be a priority; when leaving the apartment, windows should be closed and, if necessary, doors inside the apartment, but of course it also depends on the individual living situation (e.g. shared apartment). Incidentally, these aspects should also be reflected in a code of conduct.”
How would you describe the current overall situation regarding home office and information security? Do many companies still have some catching up to do?
“In many companies, working from home has been normal for a long time and is also well organised, both in terms of staffing and information security. Nevertheless, there are just as many companies that cannot respond adequately to the new challenge of “home office” at the present time. In particular, the massive increase in home office users has already caused disruptions in some companies due to the increasing load.
For some it will certainly be the case right now that home office options had to be created quickly in order to enable “social distancing” during the corona crisis. In this case, an attempt should be made to concentrate on the essentials: establishing a secure VPN connection and finding alternatives for work processes that cannot be carried out securely from the home office.”