The growing number of home office workstations has given more than a few administrators in companies gray hairs, and rightly so. The implementation of the guarantee goals of data security, availability, confidentiality and integrity is already a challenge in the corporate network. Here, administrators at least have an overview of the devices used in the network. In the home office, especially when families with several dependents, including half-grown children, populate the network, this overview is lacking.
In addition, a whole range of smarthome devices are often used in the home network, at least some of which can have glaring security gaps due to a lack of software updates. Inexpensive smarthome solutions in particular are often not patched by the manufacturer for cost reasons. With all conceivable consequences and security gaps.
The first step: Risk analysis
- In the first step, we recommend a thorough risk analysis when introducing a new teleworkplace.
- What is the risk potential of the data to which the teleworker should and must have access?
- Can the risk potential be reduced by restricting access and usage rights?
- What does the environment of the home office look like? (Here, an open and trusting discussion with the employees about the home office infrastructure is useful).
Technical and organizational data security measures
Once the risk potential has been determined and an initial assessment has been completed with the future teleworker, the next step is to implement basic measures to secure the workplace. At this point, we refer to the information provided by the German Federal Office for Information Security (BSI) “Tips for secure, mobile working”. Therefore, here only in keywords, the measures recommended by the BSI:
- Regulations for teleworkers and security guideline
- Sensitization of employees
- Access protection
- Hardening of the IT systems used
- Encryption
- Screens
- Secure remote access
- Data backup
- Loss notification
- Working in external IT systems/networks
- Disposal
- Documents with increased protection requirements
- Verification
- Attack methods: Phishing
(Source: Tips for secure mobile working, BSI)
It depends on the employees
Sensitized and informed employees are your company’s most important asset when it comes to data security and data protection. It remains important to convey that measures to protect company information are not an expression of mistrust toward the employee, but are due to the increased risks in the field of cyber security.
With the measures addressed by the BSI, many risks can be significantly reduced, if not completely avoided.
If a data breach occurs nevertheless: Observe reporting obligations
Every data incident in which personal data is affected triggers an obligation to notify the relevant state data protection authority, unless the incident does not pose a risk to the data subject. This may be the case, for example, if the lost laptop is fully and securely encrypted. Caution: Failure to comply with the notification obligation pursuant to Art. 33 or 34 of the GDPR may result in significant fines and, if the case arises, claims for damages by the data subjects. In the event of grossly negligent non-compliance, managing directors may also be liable with their private assets.