Home office as a security risk
What companies can do
COVID-19 confronts many companies not only with enormous economic challenges. To minimize the risk of infection and to take account of lockdown restrictions and closed schools and childcare facilities, many companies have started sending their employees to work from home.
This requires solutions for mobile working to be developed at short notice, e.g. by installing new software to enable participation in video conferences or access to certain company systems. At the same time, it brings new challenges for IT security.
The problem: it is not only employees who want to access the company network from outside, but also attackers. In the current situation, attackers are increasingly exploiting public fear and see their chance in the weak points that result from home office activities and from IT security measures that may not yet be fully implemented.
The most common method of attacking corporate networks is the phishing attack. Recently there has been a large increase in the number of such attacks that take advantage of the situation around COVID-19 (so-called "Corona phishing").
Phishing is a made-up word composed of the words “password” and “fishing”. Criminals pose as a reputable company, e.g. a bank, and use fake e-mails to ask the recipients, for example, to update their personal data. As a pretext for confirming account information, they cite, for example, the imminent expiry of a credit card, or state that the transmission of personal data is necessary in order to stay in contact with the bank via chat during the Corona crisis. Via a link, the users are directed to an authentic-looking input form, which forwards the data directly to the fraudsters once it has been entered.
The mail can also be designed to look like a mail from the company's own IT department, informing employees, for example, of a new portal that they should use in their home office, or like information from government agencies or doctors about COVID-19.
The acquisition of critical business data and information by criminals can have serious, sometimes very expensive and hard-to-assess consequences for companies, as prominent examples from the past have shown. For example, the Marriott Group was fined £110 million after hackers succeeded in obtaining sensitive customer data such as credit card and passport numbers, birth dates, etc. without authorisation over a period of several years. In addition, there was non-quantifiable damage to the company's reputation, as the incident made it into the daily press. Potential risks for companies include in particular:
- Loss of customers due to damage to reputation
- Company data falling into the wrong hands, e.g. through competitors or industrial espionage
- Blackmail by paralysing IT systems
- High fines imposed by the supervisory authorities
- High additional costs due to the need for new IT security measures, such as social network hugging after a hacker attack
Despite all the challenges that COVID-19 brings with it, it is therefore essential for companies, especially in these times, to keep an eye on IT security and to take adequate measures to protect the company's IT. With regard to home office activities, these can include, for example:
- Prohibiting the use of private computers to dial into the company network. In addition to IT security risks, legal problems can also arise when private devices are used for business purposes and personal data such as names or e-mail addresses are processed on them.
- Creating awareness, e.g. by training and informing employees on how to deal with phishing mails and malware (especially in connection with COVID-19), and by issuing clear, unambiguous and binding rules on IT security.
- Creating a home office policy and processes that regulate working from home and thus ensure the correct protection of company infrastructure and data.
- VPN access to the company network: access to the company network should take place via a secured Virtual Private Network (VPN) or another protected form of access.
- Close involvement of the data protection officer and (if available) the IT security officer or the IT security department; the holders of these positions should be integrated into the COVID-19 crisis team.
From a legal point of view, in addition to the requirements resulting from the IT Security Act, the BSI Kritis Ordinance or the Business Secrets Act, the requirements of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG) must be taken into account.
These impose various obligations on companies as controllers within the meaning of the GDPR when processing personal data. In addition to the basic obligation to implement an adequate data protection management system, they include above all the implementation and documentation of technical and organisational measures (TOMs) to ensure that data cannot be compromised, e.g. by a hacker attack.
To ensure that your company meets all legal and technical requirements with regard to IT security and data protection, it is therefore advisable to review your company regularly and to establish processes in which every important party, including IT security and the data protection officer, takes part.