With the dramatic increase in the number of people infected with the coronavirus, many employees in Germany have switched to working from home at very short notice, some almost hastily. Criminal hackers sense their opportunity: insecure Internet connections, vulnerable IT hardware and unstructured communication between colleagues all pose dangers. Cybercriminals use tactics such as phishing, CEO fraud and man-in-the-middle attacks to try to harm your business.
In our guide Cyber Security in the Home Office, we have compiled the most important rules of conduct and precautions, listed and explained so that you can protect yourself properly.
Larger companies typically employ IT specialists who are responsible for the company’s cybersecurity. This includes protecting the company’s internet access and corporate cloud against external attacks. But as soon as you leave the office, you leave this safe ground behind to some extent.
If you work outside the office, caution is advised, especially with unfamiliar Wi-Fi networks and computers. Using special software, or exploiting insufficiently secured applications, attackers can place themselves between you and the server you are talking to in order to read or manipulate your communication. This gives them access to the company’s IT and sensitive data. Such an incident is referred to as a man-in-the-middle attack.
Enable your firewall in your computer’s security settings. Beware of unsecured Wi-Fi networks! Turn off the function to automatically connect to open Wi-Fi networks. Instead, use mobile data and surf with your laptop via mobile phone hotspot or via a virtual private network (VPN) if your company provides one.
A firewall monitors incoming and outgoing network traffic and allows or blocks data packets based on security rules. It provides a barrier between your internal network and incoming traffic from external sources (such as the Internet). In this way, the built-in filtering mechanism manages network traffic and fends off external attacks.
Open the Start menu and type “Windows Defender Security Center” in the search bar. Click on the “Firewall & Network Protection” tab. You can choose between “Domain Network”, “Private Network” and “Public Network”. Select each of them in turn and activate the firewall by flipping the switch.
Select “System Preferences” from the Apple menu and click on the “Security” tab. Click the Firewall tab and select the mode you want to use for the firewall. Important note: on Apple devices the firewall must be activated manually; it is not enabled by default.
Shadow IT refers to programs, services or private devices that employees use in connection with company data without prior agreement.
In the current situation, in which many employees have been sent to work from home without long advance planning, there is a great risk that employees who, for example, cannot take their desktop PC home from their workplace will access the corporate cloud from their private computer in order to continue their work.
Any unknown device or program poses a potential security risk to corporate data. If those responsible do not know of their existence, they cannot take the necessary security or data protection precautions. Do not process company data on private devices. If it cannot be avoided in view of the current situation, get approval for this use in advance or equip the device with the necessary software for safe working.
If possible, avoid it: Yes, you have a work computer, but the monitor of your private notebook is larger, the processor is faster, and you have installed a graphics program that you like to use, so you prefer to work on your own device? Stop! Even if it is tempting, if you have appropriate company devices or access gateways (e.g. Citrix, Microsoft Terminal Server), always use them for business activities, never your private ones.
Get permission: Never use your own devices without permission from your manager and your company’s IT managers. Otherwise, you could not only violate your employment contract, but may even be liable for any damage caused.
Have end devices tested and equipped: Even if your company allows you to use your own end devices, they should be tested beforehand and, if necessary, “retrofitted”. Firstly, it must be ensured that there is no malware on your devices that would allow attackers to gain access to your corporate network. Up-to-date antivirus software, a firewall, disk encryption and other cybersecurity measures should be in place.
Secondly, you may need certain software, such as a VPN client, to securely access your e-mail or the corporate cloud, or proprietary applications that your company uses. Your IT specialists can set all this up for you, so you can continue to work safely and without restrictions, even if your computer has to stay in the office.
Even if you don’t work in your office, data protection remains an important issue. The General Data Protection Regulation (GDPR) does not contain any specific regulations on working from home, but your obligations remain in place. It is therefore important to avoid possible risks to the confidentiality, integrity and availability of personal data processed from home by means of suitable technical and organisational measures (so-called TOMs).
In addition to the measures already mentioned, it is advisable, though not mandatory, to issue a supplementary guideline for working from home. Existing (IT) works agreements also remain valid in the home office!
Criminal hackers cleverly exploit special situations to trick their victims and obtain their data. Therefore, be particularly attentive if you receive e-mails from strangers about current events or are asked to take a specific action. Criminals also often pretend to be colleagues or superiors (CEO fraud). Consequently, watch for warning signs in the writing style and the way the message is communicated, and contact the colleague via a second communication channel to check the authenticity of the message.
Install updates, cross-check suspicious content and prompts! Phishing, and CEO fraud in particular, is not necessarily a technical attack. Be suspicious of e-mails from strangers if you are asked to take a certain action, such as installing a program, handing over information or transferring a sum of money. Take note of your internal communication processes, which also apply to the home office!
For CEO fraud attacks, you should always pay attention to the writing style and communication style of your supposed superiors. Does your boss suddenly address you formally, even though you are usually on a first-name basis? Is he using an unusual greeting? Does he usually write at length, but now only very briefly? All of these can be warning signs. And if in doubt, contact your colleague via another communication channel to check the authenticity of the message; it is better to ask once too often than once too little.
Writing style: Everyone has their own writing style. If there are any discrepancies here, you should pay attention. Does your boss address you formally or informally? Does he always use certain idioms or phrases? Does he have an individual signature? Maybe the messages usually say “sent from my mobile phone” but now “sent from my iPhone”, even though your boss is a big Android fan?
Communication channels: If your boss always communicates by e-mail, but now suddenly sends you important instructions via WhatsApp, his mobile phone number could have been hijacked by SIM swapping. Especially in emergency situations, binding communication channels and processes should be agreed on. If these are not adhered to, you should ask.
Not possible to ask questions: If the boss sends you an important instruction and points out directly that he is not available for questions, this puts you in a difficult situation. When working from home, it is often not clear what appointments and obligations are pending or what decisions have been made. Especially in the current situation, there should be transparency about who is unavailable and when. Managers also have a duty here: ensure transparency, clear processes and secure communication channels so that employees can always reassure themselves, especially when it comes to important, far-reaching decisions.
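The warning signs listed above (formal instead of informal address, a changed signature line, an unusual channel, a request for a payment or an installation, and a sender who declares himself unreachable) can be turned into a simple triage rule. The script below is an added example and is not part of this guide; the sender profile, the two messages and the keyword lists are constructed, hypothetical data, and a real mail gateway would combine such signals with header checks rather than rely on text alone. It compares an incoming message against what is known about how the real superior normally writes and returns the list of deviations, so that a message with several deviations is routed to a second-channel check.

```python
import re
from dataclasses import dataclass


# Constructed description of how a known superior normally writes (hypothetical).
@dataclass(frozen=True)
class SenderProfile:
    name: str
    informal: bool          # True if the boss normally greets with "Hi" / first name
    usual_channel: str      # e.g. "email"
    usual_signature: str    # closing line the boss always uses


@dataclass(frozen=True)
class Message:
    claimed_sender: str
    channel: str
    body: str


# Salutation patterns covering English and German forms of address.
FORMAL_SALUTATION = re.compile(r"^\s*(dear (mr|ms|mrs|dr)\b|sehr geehrte)", re.I)
INFORMAL_SALUTATION = re.compile(r"^\s*(hi|hey|hello|hallo|moin)\b", re.I)
# Requests the guide names as typical for CEO fraud: money, software installs, credentials.
ACTION_REQUEST = re.compile(
    r"\b(transfer|wire|pay(ment)?|gift cards?|install|password|credentials|login)\b", re.I)
# Phrases that pre-empt the second-channel check ("not available for questions").
UNREACHABLE = re.compile(
    r"\b(not available|cannot be reached|can't be reached|do not call|don't call)\b", re.I)
SENT_FROM = re.compile(r"^sent from my .+$", re.I | re.M)


def salutation_is_informal(body: str):
    """Return True/False for an informal/formal first line, None if undetermined."""
    lines = body.strip().splitlines()
    first_line = lines[0] if lines else ""
    if FORMAL_SALUTATION.match(first_line):
        return False
    if INFORMAL_SALUTATION.match(first_line):
        return True
    return None


def assess(profile: SenderProfile, msg: Message) -> list[str]:
    """Compare a message with the sender's known habits and list every deviation."""
    flags = []
    if msg.channel.lower() != profile.usual_channel.lower():
        flags.append(f"unexpected channel: {msg.channel} instead of {profile.usual_channel}")
    informal = salutation_is_informal(msg.body)
    if informal is not None and informal != profile.informal:
        flags.append("salutation formality differs from the usual style")
    if profile.usual_signature.lower() not in msg.body.lower():
        other = SENT_FROM.search(msg.body)
        if other:
            flags.append(f"signature line differs: {other.group(0).strip()!r}")
        else:
            flags.append("usual signature line missing")
    if ACTION_REQUEST.search(msg.body):
        flags.append("asks for a sensitive action (payment, install or credentials)")
    if UNREACHABLE.search(msg.body):
        flags.append("sender claims to be unreachable for questions")
    return flags


def needs_second_channel_check(flags: list[str]) -> bool:
    """Two or more independent deviations: verify via another channel before acting."""
    return len(flags) >= 2


# Constructed sample data (hypothetical names and content).
PROFILE = SenderProfile("Peter", informal=True, usual_channel="email",
                        usual_signature="Sent from my mobile phone")
NORMAL = Message("Peter", "email",
                 "Hi Anna,\ncould you send me the slides for Monday?\n"
                 "Thanks, Peter\nSent from my mobile phone")
SUSPICIOUS = Message("Peter", "WhatsApp",
                     "Dear Ms Müller,\nI need you to transfer 12,400 EUR to a new supplier "
                     "today. I am in meetings and cannot be reached by phone.\n"
                     "Peter\nSent from my iPhone")

if __name__ == "__main__":
    for label, msg in (("normal", NORMAL), ("suspicious", SUSPICIOUS)):
        found = assess(PROFILE, msg)
        verdict = "verify via second channel" if needs_second_channel_check(found) else "ok"
        print(f"{label}: {verdict}")
        for f in found:
            print("  -", f)
```

The rule deliberately never decides on one signal alone: a boss who really is travelling may well write briefly from an unfamiliar phone, which is why the guide's advice to confirm through a second channel is the action the script recommends rather than blocking the message.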