Working from home could become the new norm in many companies even after the end of the corona pandemic. However, the migration of many employees to home offices places high demands on security and data protection. Companies can significantly reduce the risks of working from home by means of clear rules and training as well as technical measures for network and end devices.
The corona virus is changing the world of work. Many companies have now arranged for their employees to work from home. Before corona, working from home was a privilege reserved for a small group of people or allowed in exceptional cases. Flexible working conditions in home offices will probably become a normal part of everyday business in the future. This is also what many employees want. They want to be able to access company applications and data from home or while en route, or participate in video conferences.
More attacks – insufficient protection
However, remote working harbours several security risks. A major factor is the growing number of digital attacks on the new work models. Attacks on Microsoft’s Remote Desktop Protocol (RDP), for example, which allows remote access to corporate networks, have increased dramatically. This is made apparent by the figures provided by ESET’s security experts. Before the outbreak of the corona pandemic, ESET identified about 260,000 attempted attacks in Germany per day. With the start of the lockdown, the number rose rapidly. In April, there were about 1.7 million attacks every day. By June, these attacks had climbed to around three million attempts per day! In addition, phishing emails that used information about the corona virus as bait to harvest access credentials kept circulating.
Attackers often find companies that do not sufficiently secure access to their networks. This is shown in the study “Quo Vadis, companies?”, which ESET conducted from May to July 2020. In this study, 30 percent of the companies surveyed stated that their employees need only a single password to authenticate, even when accessing via RDP. In only 44 percent of the companies do employees access the system via a secure VPN connection, and only 29 percent use two-factor authentication to secure access. There is still a lot of catching up to do in this area.
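The RDP attack wave described above shows up in the Windows Security log as bursts of failed logons (event 4625) with logon type 10 from the same source. The following script is an added example, not part of the original article or of ESET’s tooling: it flags sources exceeding a failure threshold inside a sliding window and marks those that later succeed (event 4624), which is exactly the pattern of a password-only RDP endpoint being guessed. The log lines are constructed, and the flattened “timestamp key=value” format is an assumption made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real log data): Windows Security events flattened
# to "timestamp key=value ..." form. EventID 4625 = failed logon, 4624 = successful
# logon; LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    "2020-04-02T08:00:01 EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.7",
    "2020-04-02T08:00:09 EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.7",
    "2020-04-02T08:00:17 EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.7",
    "2020-04-02T08:00:25 EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.7",
    "2020-04-02T08:00:33 EventID=4625 LogonType=10 TargetUser=admin SrcIP=203.0.113.7",
    "2020-04-02T08:01:02 EventID=4624 LogonType=10 TargetUser=admin SrcIP=203.0.113.7",
    "2020-04-02T08:05:00 EventID=4625 LogonType=10 TargetUser=jdoe SrcIP=198.51.100.20",
    "2020-04-02T08:05:20 EventID=4624 LogonType=10 TargetUser=jdoe SrcIP=198.51.100.20",
    "2020-04-02T08:10:00 EventID=4625 LogonType=2 TargetUser=jdoe SrcIP=127.0.0.1",
    "2020-04-02T09:00:00 EventID=4625 LogonType=10 TargetUser=backup SrcIP=192.0.2.9",
    "2020-04-02T09:08:00 EventID=4625 LogonType=10 TargetUser=backup SrcIP=192.0.2.9",
    "2020-04-02T09:16:00 EventID=4625 LogonType=10 TargetUser=backup SrcIP=192.0.2.9",
    "2020-04-02T09:24:00 EventID=4625 LogonType=10 TargetUser=backup SrcIP=192.0.2.9",
    "2020-04-02T09:32:00 EventID=4625 LogonType=10 TargetUser=backup SrcIP=192.0.2.9",
]

def parse_event(line):
    """Split one flattened event line into a dict with typed fields."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["EventID"] = int(fields["EventID"])
    fields["LogonType"] = int(fields["LogonType"])
    return fields

def rdp_bruteforce_alerts(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window;
    a later successful RDP logon from a flagged IP is recorded as success_after."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # SrcIP -> failure timestamps still in window
    alerts = {}
    for ev in events:
        if ev["LogonType"] != 10:  # only RDP sessions are of interest here
            continue
        ip = ev["SrcIP"]
        if ev["EventID"] == 4625:
            recent_failures[ip] = [t for t in recent_failures[ip] if ev["ts"] - t <= window]
            recent_failures[ip].append(ev["ts"])
            if len(recent_failures[ip]) >= threshold:
                alerts.setdefault(ip, {"success_after": False})
                alerts[ip]["failures"] = len(recent_failures[ip])
        elif ev["EventID"] == 4624 and ip in alerts:
            alerts[ip]["success_after"] = True  # guessing was followed by a logon
    return alerts
```

The slow guesser from 192.0.2.9 stays below the 5-minute window and is not flagged with the default settings; widening the window or lowering the threshold trades false positives for catching such low-and-slow attempts.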
A further problem: workstations that are set up in a home office or home network are not as secure as the computers in a company office. When employees use their private end devices, which happens frequently, companies lose control over the protection of their data. The security level of private devices is lower than that of a company’s IT system because their software and hardware are not standardised and updates are frequently missing. Since employees often use private data and services alongside their professional applications, the two worlds are becoming increasingly intertwined. The multitude of digital applications, data accesses and end devices also means more potential security gaps.
Clear rules and employee training
So how can companies secure workstations and data in home offices? Ideally, employees should use company-owned and prepared equipment. They also need clear rules regarding where and how to store important data. Companies should therefore define binding compliance and governance rules, and communicate these in writing so that employees adhere to the necessary rules and do not use data outside secure environments.
In addition, security awareness training should be provided to create awareness among employees of the numerous risks within the IT security environment. The goal is to educate employees through training courses on policies, current threats and how to deal with these threats. They need to know about the risks of ransomware, phishing emails and other targeted attacks and should know how to react to such content. The best security concept and all the technical measures implemented will be useless if employees are not sensitised and trained with regard to IT security.
Technical measures and tips
In addition, companies must of course implement technical measures to ensure that data is secure and that the EU GDPR is not violated. Below are some possible measures and tips:
- The principle of zero trust: No one is to be trusted. Every user, every application and every device that wishes to access company data must authenticate itself (preferably with multi-factor authentication) and must be continuously verified.
- Restriction of access rights: Companies should restrict the access rights of people who access the corporate network, for example to confidential documents or to the ability to change settings.
- Endpoint protection: It is crucial that all end devices (PCs, notebooks, smartphones) are well secured through the installation of security software. In addition to classic anti-virus protection, this should also offer functions for separating professional and private data, restricting functions or deleting data from devices that are reported as lost or stolen.
- Updates and patches: Install the latest updates for operating systems and apps.
- Use VPN access: Companies should set up a VPN (Virtual Private Network) connection for their employees so that they can establish a secure and encrypted connection to the company network. Our partners Fortinet, Juniper and Cisco, for example, offer VPN solutions.
- Encrypt hard disks: Companies should encrypt the hard disks of their employees’ notebooks. Only authorised users, verified via multi-factor authentication, can then use the data and applications. If the device is lost or stolen, third parties cannot access the data.
- Virtualised desktops: An alternative to locally installed software is the use of virtualised desktops, which are provided by a data centre via a central server. Users then access their digital desktop via the Internet. If all data and applications are installed centrally in a data centre, the availability and security of the data also increases. The administrator retains control of the data, can provide patches for all virtual desktops, change configurations, enforce policies, and provide uniform desktops that meet all compliance requirements. Companies can either set up this VDI environment (Virtual Desktop Infrastructure) themselves or acquire it as a Desktop as a Service (DaaS) from the cloud.
Conclusion: Companies can significantly reduce the risks of working from home by means of clear rules and training as well as technical measures for network and end devices.