A look at recommendations from the BSI for protecting the home office
Germany’s highest-ranking authority for IT security, the Federal Office for Information Security (BSI), warns that “cyber criminals are increasingly exploiting the coronavirus crisis”. It is therefore producing a range of guidelines, available on the BSI website, with recommendations and suggestions for working securely in the home office.
The BSI is aware that many businesses were caught off guard by the situation and had to act without time to prepare. To begin with, it therefore recommends: “When ad hoc solutions for mobile working are adopted, it is usually not possible to implement all IT security requirements in full from the outset. As a first step, businesses should identify the measures they can implement as swiftly as possible.”
Parallels with baseline protection
As in the case of IT baseline protection, the BSI differentiates between various areas of security and offers the appropriate advice in each case. It is fundamentally important to install security updates regularly, use up-to-date antivirus programs, and have a VPN (virtual private network) in place. Access to the company IT system should only take place via the VPN. Firewalls and data security are also fundamental. Teleworking often involves working with company data using private devices. This data should also be secured.
The private network infrastructure used for the home office, e.g. DSL and WLAN routers, also deserves particular attention. The software on these devices must be kept up to date, and an appropriate level of access protection is essential. Password protection and automatic screen locking should be the default, even on private IT devices. Family members should not have access to company data as a matter of course. It can therefore be useful to save business data in encrypted form.
Tasks for the IT department
The IT department must monitor VPN access to identify abuse and attempts to hack the system. Guidelines for working in the home office should also be drawn up. The most important organizational measures include password guidelines and technical support processes for mobile workplaces, in addition to emergency plans.
Video conference systems must satisfy the company’s security requirements. The BSI writes that “the protocols used are particularly important”. Video conference software often requires “far-reaching authorizations for clients or browser plugins, including access to the user’s webcam, microphone, screen sharing, and remote control”. These authorizations must also comply with the company’s security requirements.
When large numbers of employees work from home offices without prior planning, many companies rely increasingly on cloud services. When selecting a provider, however, minimum IT security standards must be considered. A recommended approach is to encrypt data stored in the cloud.
The BSI stresses one particular recommendation: “Keep mobile devices with you at all times when you are travelling. Never leave mobile devices out of sight, not even for a short period.” Of course, this advice remains relevant even in the absence of a pandemic.
For further details of the BSI recommendations, see: https://www.bsi-fuer-buerger.de/BSIFB/DE/Empfehlungen/empfehlungen_node.html