
Emerging Home Office Risks

Working from home is becoming more and more common due to the current events surrounding COVID-19. Around the world, companies and governments are rapidly taking responsible measures to protect the health of their employees and citizens while remaining operational, including encouraging people to work from home.

In the digital world, it is not enough to simply sit down at your computer at home and start working. What do you, as a user or as the person responsible, need to do to secure your business in the digital space?

Current risks in home office settings

It is regrettable that in times of humanitarian, social and economic crisis we have to talk about cyber security even more than usual. Domain names related to COVID-19 were already being registered in January. Cybercriminals use these domains to impersonate legitimate COVID-19 information sites or to run fake shops for breathing masks and protective equipment. They also send phishing emails that appear to come from legitimate organizations such as the World Health Organization but actually contain malicious links or attachments.

In one case, recipients were offered a link to a legitimate university website with information about COVID-19. When the software supposedly required to view the site's dashboard was installed, malware was loaded in the background and the computer was compromised. As part of this takeover of the computer, personal and company data such as passwords were collected and transferred to the cybercriminals.

Consider the impact of an employee clicking on an ad promising a COVID-19 miracle cure, or opening an email attachment that was sent by an apparently legitimate health authority and contains a pandemic update with malware embedded in it. Such cyber attacks not only endanger the home network of your staff, but also your company infrastructure if the employee is connected via VPN.

What happens if an employee is manipulated by social engineering to follow the instructions of a cybercriminal who claims to be from the helpdesk or the IT department of the employer? Does your company have reasonable precautions in place to prevent the following?

  • employees downloading malware
  • passwords being leaked
  • unauthorised access to payment systems
  • personal files and personal customer data being stolen
  • intellectual property and other important assets being destroyed

Can you currently detect such access and such attacks, and quickly route them into defined response channels? In most cases probably not, so we want to show you what you should definitely implement when you send your employees to the home office.
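The detection question above can be made concrete with a small rule run over web proxy logs. The following is an added example, not code from the original article or from AWARE7: it flags requests to pandemic-themed domains, to domains that embed a brand token such as "who" outside the brand's real domain, to raw IP addresses, and to executable downloads. The proxy log format, the keyword list, the brand tokens, the allowlist and the sample log lines are all constructed assumptions for illustration; a real deployment would take the allowlist and keywords from your own threat intelligence sources.

```python
"""Detect pandemic-themed and lookalike domains in web proxy logs.

Added example, not code from the original article. The log format,
the keyword list, the brand tokens and the allowlist are constructed
assumptions; replace them with your own sources (e.g. a threat feed).
"""
import re
from urllib.parse import urlsplit

# Constructed: terms that appeared in themed domain registrations.
THEME_KEYWORDS = ("covid", "corona", "ncov", "pandemic", "mask", "vaccine")
# Constructed allowlist of registrable domains employees may legitimately use.
KNOWN_GOOD = {"who.int", "cdc.gov", "rki.de", "corp.example"}
# Constructed: short brand tokens that lookalike domains tend to embed.
BRAND_TOKENS = {"who", "cdc", "rki"}
# Constructed: installer/executable extensions worth a second look.
EXEC_EXT = (".exe", ".msi", ".scr", ".js", ".hta")

# Constructed log format: "<timestamp> <user> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def registrable_domain(host: str) -> str:
    # Naive "last two labels"; production code should use the Public Suffix List.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host: str) -> list[str]:
    """Reasons a hostname looks suspicious; an empty list means nothing noteworthy."""
    host = host.lower()
    if IP_RE.match(host):
        return ["raw IP address instead of hostname"]
    if registrable_domain(host) in KNOWN_GOOD:
        return []
    reasons = []
    hits = [k for k in THEME_KEYWORDS if k in host]
    if hits:
        reasons.append("pandemic-themed domain (%s)" % ", ".join(hits))
    # Split on dots and hyphens so "who-int-covid19.example" exposes the token "who".
    tokens = set(re.split(r"[.-]", host))
    for brand in sorted(BRAND_TOKENS & tokens):
        reasons.append("embeds brand token '%s' outside its real domain" % brand)
    return reasons


def classify_request(url: str) -> list[str]:
    """Combine host-based reasons with a check for executable downloads."""
    parts = urlsplit(url)
    reasons = classify_host(parts.hostname or "")
    if parts.path.lower().endswith(EXEC_EXT):
        reasons.append("executable download")
    return reasons


def scan_log(lines):
    """Return one finding per suspicious request: {'user', 'url', 'reasons'}."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        _ts, user, _method, url, _status = m.groups()
        reasons = classify_request(url)
        if reasons:
            findings.append({"user": user, "url": url, "reasons": reasons})
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2020-03-16T08:01:12Z alice GET https://www.who.int/emergencies/diseases/novel-coronavirus-2019 200",
    "2020-03-16T08:03:45Z bob GET http://who-int-covid19-update.example/login 200",
    "2020-03-16T08:05:02Z carol GET https://intranet.corp.example/news 200",
    "2020-03-16T08:07:31Z dave GET http://coronavirus-masks-shop.example/checkout 200",
    "2020-03-16T08:09:10Z erin GET http://203.0.113.7/dashboard-setup.exe 200",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["user"], finding["url"], "; ".join(finding["reasons"]))
```

The allowlist check on the registrable domain is what keeps the legitimate WHO visit out of the findings while the lookalike that merely contains "who" is reported; the naive two-label split is the main thing to replace before using this on real traffic, since domains such as co.uk need the Public Suffix List.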

How do you protect your employees?

In your offices, a large percentage of your workforce uses desktop computers connected to the company's servers and internally available endpoints via Ethernet cables or a wireless network. These servers and endpoints depend, among other things, on the physical security of the building. To work remotely, employees are typically provided with laptops by the company. In an emergency, an agreement can be made for the use of private devices. The use of private devices for professional purposes entails an even higher risk.

Instead of talking to the IT and cyber security helpdesks via an internal telephone system, employees will use their mobile phones or landlines. The transition to the home office is currently happening in a disruptive way, and your infrastructure must be tested. The focus is particularly on the high load that is now being placed on the infrastructure, but this sudden wave must also be managed in terms of IT security.

As the person responsible, you now urgently need to assess three categories of your infrastructure: endpoints, connectivity, and enterprise architecture and infrastructure:

  • Endpoints: If you give your employees devices to work with in the home office, you need to ensure that only approved applications and software are installed on them. You can configure this using Microsoft Group Policy, for example. Be sure to inventory your devices and keep track of which devices are authorized to connect to your corporate network.
  • Connectivity: If your infrastructure is not in the cloud but on premises, you need to ensure that your employees can access the corporate network via a VPN. It is best to enforce two-factor authentication for the connection, so that the security of your VPN does not depend on passwords alone.
  • Enterprise architecture and infrastructure: If you did not previously offer home office work, you now need to configure firewalls, networks, collaboration tools and servers to enable and secure remote connections. You may also need new local systems to handle the increased load, or you may need to move to a cloud provider.
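The endpoint and connectivity points above boil down to three checks that can be automated: is the connecting device in the inventory, did the session use two-factor authentication, and does the device carry software outside the approved set? The following is an added example, not code from the original article or from AWARE7; the inventory, the software allowlist, the VPN log format and the sample log lines are constructed assumptions standing in for the data your device management tool and VPN gateway actually produce.

```python
"""Cross-check a home-office device inventory against VPN connection logs.

Added example, not code from the original article. The inventory, the
approved-software set and the VPN log format are constructed assumptions.
"""
import re

# Constructed: the software a home-office laptop is allowed to carry.
APPROVED_SOFTWARE = {"Corp VPN Client", "Office Suite", "Endpoint Protection", "Browser"}

# Constructed inventory: device id -> installed software, as your management tool reports it.
INVENTORY = {
    "LT-0001": {"Corp VPN Client", "Office Suite", "Endpoint Protection", "Browser"},
    "LT-0002": {"Corp VPN Client", "Office Suite", "Browser", "Torrent Client"},
}

# Constructed VPN log format:
# "<timestamp> vpn user=<name> device=<id> mfa=<yes|no> result=<ok|fail>"
VPN_RE = re.compile(
    r"^(\S+) vpn user=(\S+) device=(\S+) mfa=(yes|no) result=(ok|fail)$"
)


def unapproved_software(device_id: str) -> list[str]:
    """Installed software on a known device that is not in the approved set."""
    return sorted(INVENTORY.get(device_id, set()) - APPROVED_SOFTWARE)


def audit_vpn_log(lines):
    """Return findings as (timestamp, user, device, issue) for successful sessions.

    Failed logins are skipped here; they belong to a separate brute-force rule.
    """
    findings = []
    for line in lines:
        m = VPN_RE.match(line.strip())
        if not m:
            continue  # ignore lines in another format
        ts, user, device, mfa, result = m.groups()
        if result != "ok":
            continue
        if device not in INVENTORY:
            findings.append((ts, user, device, "device not in inventory"))
        else:
            extra = unapproved_software(device)
            if extra:
                findings.append((ts, user, device, "unapproved software: " + ", ".join(extra)))
        if mfa == "no":
            findings.append((ts, user, device, "session without two-factor authentication"))
    return findings


# Constructed sample VPN log lines (not real sessions).
SAMPLE_VPN_LOG = [
    "2020-03-17T07:58:02Z vpn user=alice device=LT-0001 mfa=yes result=ok",
    "2020-03-17T08:02:40Z vpn user=bob device=LT-0002 mfa=no result=ok",
    "2020-03-17T08:05:11Z vpn user=carol device=HOMEPC-carol mfa=yes result=ok",
    "2020-03-17T08:06:55Z vpn user=mallory device=LT-0001 mfa=no result=fail",
]

if __name__ == "__main__":
    for ts, user, device, issue in audit_vpn_log(SAMPLE_VPN_LOG):
        print(ts, user, device, issue)
```

Run daily against the gateway's export, the report gives you the list of devices that need to be either added to the inventory or blocked, and the accounts for which the two-factor requirement is not actually being enforced.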

In addition to these three categories, you should also deal with the following essential points. Two of them are less technical and address your skills as the person responsible. You must keep a cool head and lead your company through this crisis, so pay attention to clear communication and flexibility. In times of crisis, admit mistakes in the right places and communicate clearly and transparently.

  • Backups: Where are they stored now? Do you offer a cloud solution, or do you require your employees to make offline backups at home? Use whichever solution you can implement most quickly. If you offer backups via the cloud, remember to also store important data offline, so that in case of an attack a copy exists somewhere separate from your cloud infrastructure.
  • Communication: Be even clearer than usual in your communication. For business-critical processes, employees need communication channels other than easily forged emails. How can your employees reach the helpdesk, the IT department and the responsible persons? This is a question you need to clarify and communicate clearly.
  • Flexibility: If the last few weeks have made one thing clear, it is that the Corona crisis places high demands on flexibility and adaptability. Follow the crisis and evaluate at regular intervals the measures you have implemented. Keep in mind that mistakes inevitably happen in new situations and environments. Increase your tolerance for potential misconduct and instead show proactively and positively how things can be improved.

In addition to all technical considerations and measures, your employees themselves must be strengthened. This can be done through cyber security training and awareness-raising initiatives, which are critical to minimising the risk of threats from the digital space. Here are some of the steps you should take:

  • Train your employees: Many employees are overwhelmed by the situation and have to adjust to this new way of working. Make sure that your employees know how to use the new tools and technologies. They also need to be made aware that there are currently threats related to COVID-19 (e.g. phishing emails, phone calls or fake websites). You cannot rely on ready-made e-learning alone, as it usually does not take the current situation into account. A live presentation, for example through live hacking or awareness training, can address current topics well.
  • Protocols for the authentication of home office employees: Your home office employees should only use methods that guarantee secure authentication, especially when contacting the helpdesk or other unfamiliar parties working with the company. Date of birth or other personal data points are not suitable for this; attacks on such checks are possible and have already happened. Adhering to protocols prevents employees from inadvertently disclosing information in the wrong places, which could later be used for a successful social engineering attack.
  • Prepare a library of instructions, videos and other materials: Managing knowledge is essential for home office work. Work that has been done once should not be duplicated, and above all it should be recorded so that all employees have the same level of knowledge, or can at least update their knowledge after a short search. An internal wiki can help you here, and ready-made videos can make knowledge easier to access. If possible, you should also get decision-makers in front of the camera to motivate your employees and make the case for IT security.

In addition to this, you should take care of your home office staff and ensure good and regular communication. The UK Health and Safety Executive (HSE) points out that working in isolation can affect employees in different ways. Home office work can cause work-related stress and affect people's mental health.

How can your employees secure themselves?

While digital tools provide excellent support for remote workers, such a massive shift in work patterns can have serious unexpected effects on IT and cyber security. Is your organization adequately prepared for the change in its cyber security risk?

While your business may have strict rules, at home you may be inclined to throw those rules overboard, because at home many employees feel safe. Which computer should be used in the home office? If possible, a computer from work should also be used at home. It is important to keep the applications and the operating system up to date, to ensure that professional and private documents are not mixed, and to make sure that no other family member pursues their hobbies on the work device. To ensure that nobody can gain access to the work computer without authorization, it should be protected with a secure password.

As soon as you leave the desk, the computer must be locked. This prevents third parties from gaining access to sensitive data. Always practise locking the computer, even if you are alone at home. This way you develop a routine and forget it less often in important situations such as when travelling by train.

If you have enough space at home, it makes sense to separate the home office area from the rest of the living space. This way, even spontaneous visitors do not have a direct view of your work and of the documents you are currently working on. If the room can also be locked, you can protect your documents and work well from unauthorized persons. Both for protection and for your own work, it is advisable not to let the workplace sink into a mountain of documents. This is where the rules of a clean desk policy help.

Also remember not to post pictures of your home office on social networks, especially not with your screen turned on and documents lying on your desk. This has already led to the publication of confidential material on social networks. The following screenshot (with a blur filter), taken from a social media post, shows a configuration on the right-hand screen containing sensitive information.

[Figure: blurred screenshot of a home office posted on social media. Caption: Home office as an information leak]

Documents should be filed and moved in a timely manner. This prevents you from losing track of them and prevents sensitive data from being accessed by unauthorized persons. At the end of a working day, papers that are no longer needed should be destroyed according to the company's guidelines. Company documents do not belong in the household waste. You may need a shredder for this; such purchases can be requested from the company, which will then specify the security level required for document destruction. Do not forget documents left in the printer or scanner: experience shows that they are easily forgotten there. Also make sure that guidelines such as the prohibition on plugging USB sticks into company laptops also apply in the home office.

An Internet connection is indispensable for working in the home office, but security rules must be observed here as well, because if you leave your home network unsecured, attackers have a very easy way to access company data. First, set a new password for your wireless network and router; do not keep the automatically assigned password. In addition, the WLAN should be given an individual name that cannot be traced to the manufacturer of the router. The computer itself should also be protected by a secure password.

Summary of home office risks

The outbreak of the global pandemic has not only exposed the weaknesses of the global health system, but has also disrupted processes in our working world. This presents many infrastructures with new, unexpected challenges around availability and the security measures in use. From one day to the next, secured company networks and infrastructures have a completely different security and process chain that functions differently. Departments that were completely isolated yesterday need a connection from home to the infrastructure today. This opens up many new categories of digital risk. Continuously check the external exposure of your company with RISKREX – Digital Risk Management. It helps you efficiently find misconfigured systems, which were responsible for most of the data stolen in 2019. Detect systems that are accessible from the Internet early on and eliminate social engineering risks.

Make sure your business is secure. Prevent disruptions in the digital space by preventing cyber attacks, just as you would prevent viruses. Keep as much infrastructure as possible away from the freely accessible Internet. To do this, you need to record and measure your exposure. Functioning patch management is as essential as washing your hands to protect against the virus. Employees who don't click on phishing emails are the equivalent of not touching your face with your hands.


Chris Wojzechowski

My name is Chris Wojzechowski and a few years ago I completed my Master's degree in Internet Security in Gelsenkirchen. I am managing partner of AWARE7 GmbH and a trained IT Risk Manager and IT-Grundschutz Practitioner (TÜV), and I hold the audit competence for § 8a BSIG. Our bread-and-butter business is performing penetration tests. Beyond that, we advocate a broad understanding of IT security in Europe and for this reason offer most of our products free of charge.