Measures for security
When working from home, it is important and necessary to ensure taking measures regarding technical and organizational security – for example in relation to hardware, software and secure connections.
- Sensitive data should always be stored in encrypted form so that it cannot be made public in the event of loss, for example through theft.
- State-of-the-art encryption should also be activated and used for domestic WiFi systems.
- A connection to the company infrastructure should only be made via secure data transmission paths such as a virtual private network (VPN).
- With regard to device security, it should be ensured that software, firewalls and virus scanners are up-to-date and that regular updates are installed.
- Memory sticks should also be encrypted if necessary and provided by the company.
Checklist: recommendations for employers
- All of the company’s business applications must only be accessible via encrypted communication channels (SSL VPN, IPSec VPN).
- It is important that the company’s VPN solution is scalable and capable of maintaining a large number of concurrent connections.
- Secure communication, videoconferencing and project management tools must be made available to employees and, where appropriate, customers.
- If possible, employees should be provided with company computers/equipment during teleworking. Companies must ensure that these computers and devices are equipped with up-to-date security software and patch levels and that users are regularly reminded to check patch levels. Keeping spare parts available for failed devices is a good idea as well.
- Business data should be stored via VPN in the company intranet, on (company) cloud storage or in software containers. Company e-mail should be accessed via a Web interface.
- BYOD (“Bring your own device” or in this case “Use your own device”) equipment such as personal laptops or mobile devices must be checked to ensure they are secure (e.g. patch check, configuration check, etc.). Devices may need to be set up or approved by the IT department with the consent of employees.
- If possible, software installed and set up by the company should be used. Communication and conferencing software should also be tested and approved by the IT department.
- Companies should ensure that adequate IT resources are available in case problems occur, employees have questions or need help.
- In addition, it should be ensured that guidelines are in place for responding to security incidents and data privacy violations (72-hour rule).
Checklist: recommendations for employees
- If possible, use company computers – unless BYOD equipment has been checked properly. Storage of private and business data should be strictly separated at all times.
- Employees should only connect to the Internet via secure networks; open/free networks should be avoided. While most WiFi access points at home are correctly secured these days, some older installations may not be. Encryption should be activated or a more recent implementation should be used if necessary.
- Exchanging sensitive company information over potentially insecure connections, for instance by using private e-mail accounts, should be avoided.
- As far as possible, company resources should be used to share work files (intranet via VPN, company cloud storage). This ensures that work files are kept up-to-date while avoiding the exchange of sensitive information across local devices.
- Incoming e-mails should be treated with special care, as they may contain phishing or fraudulent content. If there are any doubts about the legitimacy of an e-mail, the company’s information security officer should be contacted.
- Data at rest – such as local drives – should be encrypted (protection in case of theft/loss of the device).
- Antivirus or antimalware software must be installed and fully updated at all times.
- The operating system and the applications used must be up-to-date.
- The screen should be locked when working in a shared area. Password-protected screen savers should also be used.
(Source: Enisa – European Union Agency for CyberSecurity)
Conclusion and outlook
Special technical and organisational measures need to be observed when working from home. In order to securely protect personal data and company information, the obligations of employees with regard to data protection and data security must be defined and employees must be instructed and trained accordingly. The employer must also provide for control options (if possible). In a best-case scenario, employees should use devices provided by the company when working from home. If private devices (BYOD) are used, private data must be strictly separated from business data. Paper files should be stored in lockable cupboards and upon disposal be made unrecognisable by shredding them, if possible. Never dispose of them in private household waste! Employees who now work from home for a longer period should be obliged to comply with binding guidelines on data protection and data security.
Implementing the measures described here can go a long way towards minimising risks. Further measures, including the safe use of videoconferencing tools, would be useful in any case.
A good example of secure communication:
Dr. Stefanie Schneider
Electric mobility: charging infrastructure getting more extensive
The new decade is all about climate protection – and one of the major challenges we face is climate-friendly (electric) mobility. The new EU emissions target, which comes into force in 2021.
Cool title – no applicants? Sorting the good ads from the bad
Skills shortages, the talent war and demographic change – all excellent choices for a round of buzzword bingo as played by HR specialists. The job market’s not getting any easier for employers.