With the Corona pandemic, many people moved to home offices to avoid infection at work. Even after the pandemic, a significant share of workers continue to work from home at least a few days a week. According to figures from the Federal Statistics Office, the proportion of people working from home nearly doubled, from 12.8% in 2019 to 25% in December 2022. At the same time, home office as part of flexible working models has grown considerably in popularity. With the growing number of people working from home, cyberattacks on them have also increased. Cybercriminals are betting that home office workers are less well protected. Less secure passwords are used and susceptibility to phishing attacks is higher, warns Claudia von Pawel of the specialist insurer Hiscox.
It is common to connect to the company network from home via a VPN (Virtual Private Network). Many people think that this allows them to work digitally in complete security, von Pawel continues. But a secure technical infrastructure alone is not enough. It is at least as important that each individual also observes certain rules of behaviour: strong passwords must be used consistently, and employees must acquire the knowledge to recognise even very professionally crafted phishing attacks or hacking attempts carried out by telephone. It is therefore imperative to train employees regularly; simulated phishing attacks can also be very helpful in raising employee awareness.
When working from a home office, there is an increased risk to a company’s confidential information, so “companies must impose increased duties of care on their employees as reasonable confidentiality measures,” says lawyer Alexander Leister of the commercial law firm CMS. “These include, for example, using an up-to-date virus scanner, keeping documents safe and logging off when leaving the computer,” Leister added. The increased duty of care should be specifically regulated in a separate home office agreement.
Something else that must not be ignored when working from a home office is the GDPR. It can be assumed that almost every employee handles personal data. In addition to names, this also includes, for example, telephone numbers, e-mail addresses, account data, personnel numbers or IP addresses, according to Haye Hösel, Managing Director and founder of the data protection and IT security specialist HUBIT Datenschutz. The first rule, then, is that the study must be lockable and documents must be stored in a lockable cabinet. “Laptops, PCs as well as external data carriers such as USB sticks must also be encrypted or locked up,” says Hösel.
If employees use private devices in the home office, the extent to which this is permitted must be defined. It must be ensured, for example, that the operating system and virus protection are up to date, i.e. that the manufacturer still supplies security updates for them.
Other rules that apply are that the company network may only be accessible to employees via a secure password, and that e-mail communication may only take place via the company’s server and thus in encrypted form. To secure the company network when it is accessed from outside, there is now, in addition to the widespread use of VPNs, a further development: Zero Trust Network Access, or ZTNA. Here, access is not granted to the entire company network, as with a VPN, but only to specific applications or resources. Access is granted only after users have been authenticated by the ZTNA service. Once authenticated, users reach the respective applications through a secure, encrypted tunnel. Where video conferencing replaces traditional meetings, it is equally important to use professional encryption to prevent confidential information from leaking out.
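To make the VPN-versus-ZTNA difference described above concrete, here is an added toy model in Python; it is not code from the article or from any product. The VPN-style check exposes every application on the network after one successful login, while the ZTNA-style broker decides per application from the user’s identity and the device posture the article mentions (supported operating system, up-to-date virus protection). The group names, application names and posture fields are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """Device posture as the article describes it: OS still receives vendor
    security updates and virus protection is current (constructed fields)."""
    os_supported: bool
    av_up_to_date: bool


# Constructed per-application policy: which groups may reach which application.
APP_POLICY = {
    "payroll": {"hr"},
    "wiki": {"hr", "engineering"},
}

# Constructed list of everything reachable once inside the flat company network.
NETWORK_APPS = {"payroll", "wiki", "legacy-fileshare"}


def vpn_access(authenticated: bool, app: str) -> bool:
    """Classic VPN model: one successful login exposes every host on the network,
    regardless of who the user is or what state the device is in."""
    return authenticated and app in NETWORK_APPS


def ztna_access(authenticated: bool, user_groups: set, device: Device, app: str) -> bool:
    """ZTNA broker: a separate decision for each application, combining the
    authenticated identity with the device posture. Anything not explicitly
    allowed (including applications without a policy) is denied."""
    if not authenticated:
        return False
    allowed_groups = APP_POLICY.get(app)
    if allowed_groups is None:
        return False  # no policy: the application is not reachable at all
    if not (user_groups & allowed_groups):
        return False  # identity is not entitled to this application
    if not (device.os_supported and device.av_up_to_date):
        return False  # posture fails: unpatched or unprotected device
    return True


if __name__ == "__main__":
    engineer = {"engineering"}
    healthy = Device(os_supported=True, av_up_to_date=True)
    for app in sorted(NETWORK_APPS):
        print(f"{app:16} VPN={vpn_access(True, app)!s:5} ZTNA={ztna_access(True, engineer, healthy, app)}")
```

The same authenticated engineer reaches all three applications over the VPN but only the wiki via ZTNA, and loses even that once the device falls behind on security updates.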