These six tips will help you achieve maximum home office safety for your employees for good measure!
by Svenja Koch
Working from the home office has created a host of new IT security risks. The now more complex network structures and the human risk factor provide threats. With the following six tips, companies increase IT security in the home office and thus reduce the dangers posed by such a network structure.
Tip 1: Use two-factor authentication
Home office employees log into internal systems on the network every day. Control is challenging because the connection originates from outside the company. This creates IT security risks, primarily when only the combination of email or username and password is used for logging in.
Two- or multi-factor authentication (2FA/MFA) is an excellent way to provide IT security in the home office. An additional identity check ensures that this is indeed the correct user. The second authentication method uses a property that only this user possesses. Widely used is the control of biometric data, for example, authentication by fingerprint or the own voice. It is also possible to couple the login process with a personal smartphone. The employee then confirms the login with a one-time TAN, which is sent to the smartphone when logging in and is only valid for a short time.
In this way, multi-factor authentication ensures that no unauthorized person logs on to the internal network if they have obtained the employee's password by any means. Without access to the employee's smartphone, logon is not possible. Biometric control provides an exceptionally high level of security, as these properties are unique, and it is not possible to log in without the employee's knowledge.
Some platforms, such as Microsoft Azure, bring their system for MFA. The IT department only needs to activate it. With other login systems, there is the option of relying on external solutions. This identity and access management systems (IAM) or identity providers (IdP) provide an access management tool. This then carries out a further identity check each time the user logs on to the network. This eliminates IT security risks associated with stolen credentials.
Tip 2: Virtual Private Network
The connection between the home office and the corporate network via the public Internet. This brings with it numerous IT security risks. Data communication takes place unencrypted without special measures. A Virtual Private Network (VPN) closes this security gap. A VPN establishes a virtual network between two points via a public connection. Thus, the data traffic between these two points is secured and encrypted. When vital and personal data flows over the connection, it is important to provide additional IT security in the home office during data transmission.
There are both software and hardware-based solutions for setting up a VPN. A hardware VPN is remarkably secure and easy to set up. By physically connecting the network cable to the hardware VPN, data transfer over the private network is guaranteed. With a software VPN, the login can be coupled with multi-factor authentication. This way, the VPN can be protected even better, and IT security in the home office increases further.
Tip 3: Technical equipment in the home office
Many companies do not take this point seriously enough. This is also because the alternative to using personal devices in the home office means additional investments, for example, for laptops. However, private systems in the home office generate such high IT security risks that, in reality, there is no way around uniform systems used purely for business purposes.
Only computers set up by the company's IT department can guarantee IT security in the home office. This starts with standardized software. Privately used computers contain many programs, and IT has no control over them. If zero-day gaps occur there, there is not even the possibility of identifying them. IT installs uniform software for all tasks on business laptops, from the operating system to the communications platform to the browser. Updates can be easily applied via remote maintenance. This is the only way to ensure that the computers used are constantly updated and not pose any IT security risks.
In many cases, family members also have access to private computers. This threatens IT security in the home office in several ways. First, the children or partners may not be familiar with phishing and other cyberattacks. If so, they compromise the system during use without being noticed. For another, the security of company data is not guaranteed. Family members see personal or internal information. Due to improper handling, these may also become public. This even represents a violation of the European General Data Protection Regulation, which has severe consequences for the company.
Tip 4: Implement Zero Trust
Zero Trust is an IT security concept used more and more recently. At its core, the idea is based on the fact that no user, service, or new request is considered trustworthy, even if authentication has already taken place previously. Thus, employees start by logging on to the network, then to their desktop, and when they open the customer relationship management platform, they are re-authenticated.
This may be inconvenient for users, as they have to confirm every action with a login. However, in combination with MFA, Zero Trust provides an enormously high level of security. Even if an employee accidentally leaves his computer unattended in the home office and is logged into the company's network, the possibility of causing damage or spying on data is minimal.
Controlling computers and employees who log in from outside the corporate network proves complicated to impossible by normal means. For example, it is not possible to quickly go to the employee's office in question and verify that they are currently active on the network in person. It is equally challenging to assign IP addresses precisely. In the case of a purely internal network, it is easy to see whether accesses are taking place from outside, as these are external, public IPs.
The solution is services that monitor all actions on the network in real-time. In the meantime, software with artificial intelligence is used for early anomaly detection. This can detect unusual activity and immediately send a message. Such extraordinary actions include, for example, accesses at a time outside business hours or logins from an unknown IP. Because these services monitor network traffic in real-time and report suspicious actions immediately, an immediate response is possible. IT security thus has the opportunity to check the operation and intervene. In particular, IT security in the home office is significantly improved in this way.
Tip 6: Optimize organization
An important factor in containing IT security risks in the home office is organizational measures. Many of these are preventive and thus require only the specification of best practices and implementation of rules by decision-makers. This starts with documenting the computers and accounts in the home office. A network plan helps keep track of the structures and precisely assign locations and employees. This is particularly important in the home office because as the number of systems outside the company's network increases, the structures also become more complicated. There are software solutions that centrally manage IT for creating a network plan.
At the same time, an exact assignment of accounts and computers increases transparency. Individual actions or data misuse can be appropriately documented and proven if necessary. There is also an overview of which company hardware is in the care of which employee. This is important in employee fluctuations or if the hardware is lost.
Part of the organization is also to train the employees on the particular behaviors in the home office. This starts with communication with the office. Criminals have also recognized the home office trend. One of the known IT security risks in the home office is social engineering. Criminals pretend to be a colleague on the phone and ask for information. Particularly in larger companies, not all employees know each other or can identify the voice immediately. The criminals also research the names of other employees beforehand or have already found out such information through previous social engineering attacks. In this way, the attackers extract internal or personal data from the employee in the home office. The criminals have also managed to initiate payments on a wide scale and thus defraud companies.
One protective measure is to establish clear rules for communication. One variant is to assign personnel numbers that serve as identification. Each employee then receives a list or checks whether the caller identifies himself with the correct personnel number in the system. Another option is to move all internal communications to a secure platform. Microsoft Teams is one option here. Teams provide VoIP and video calling capabilities. Additionally, there is the option to communicate via text messaging. Calls from alleged employees can then be completely ignored, and IT security in the home office is once again improved.
Conclusion
The home office has become an integral part of many companies in the last two years. One elementary reason for this is the Corona pandemic. However, IT security in the home office has not kept pace with this rapid development. This opens all doors to criminals, and attackers are increasingly exploiting the weaknesses. In many scenarios, the entire corporate network is open to hackers via the computer in the home office. This threatens the whole of corporate IT infrastructure, and decision-makers need to take this situation seriously.
The IT security risks posed by the home office can be controlled with the right IT security strategy. Planning and using preventative measures are essential. Companies that take IT security in the home office seriously purchase company-owned hardware, secure data traffic, and actively scan the network in real-time create a safe environment that is difficult for attackers to overcome.