Cybersecurity in the Home Office: Identifying Risks and Securing Workstations

Jun 16, 2025

Since the COVID-19 pandemic in 2020, home office workstations have become the norm. This allowed employees to quickly and easily access the company network from home and continue their work.

 

Even after the pandemic, home offices have remained an alternative workplace in many companies, providing cybercriminals with new opportunities to access internal company data.

 

The following sections outline the cybersecurity challenges and risks associated with home offices and how to secure remote access.

 

Home networks, particularly WLANs, are often inadequately secured. Lack of encryption on private routers can allow attackers to gain access to the home network and intercept company data. To cut costs, companies often avoid providing dedicated home office equipment, leading employees to process company data on personal devices. Among private users, there is often a lack of understanding about implementing state-of-the-art antivirus solutions. If a private PC is already infected with malware, attackers could steal data.

 

Additionally, private devices are often not adequately or automatically patched, making it easy for attackers to exploit vulnerabilities due to outdated software.

Due to data protection regulations, employers generally do not have the right to install security software on private devices. This means they cannot control which programs employees use to process company data. For example, if an employee uses a foreign cloud service to upload data, sensitive information could be transferred to a country outside the EU without authorization, potentially leading to an irreversible data protection incident.

 

However, with the right measures, employers can minimize the security risks associated with home office workstations.

 

As a rule, company data should not be processed on private PCs. Instead, devices owned by the company should be provided. These PCs should have the same security measures as office workstations, such as Mobile Device Management (MDM), patch management, and Endpoint Detection and Response (EDR).

 

The principle of Zero Trust should apply: Access to the PC must be secured with multi-factor authentication (MFA), ensuring that logins are always authorized and logged by the system. Access to company data should only occur via VPN or Virtual Desktop Infrastructure (VDI) solutions, as these encrypt the connection from the home office to the company network.
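
The two paragraphs above (managed company device, then MFA and VPN/VDI access with logging) can be combined into one deny-by-default access decision. The sketch below is an added example, not code from the original article. The request fields, the 30-day patch threshold and the sample requests are assumptions made for illustration.

```python
import json
from datetime import date

# Assumed policy values; the article names the controls but sets no thresholds.
MAX_PATCH_AGE_DAYS = 30
ALLOWED_CHANNELS = {"vpn", "vdi"}

def evaluate_access(req: dict, today: date) -> dict:
    """Deny by default: every control must be positively attested."""
    dev = req.get("device") or {}
    failures = []
    if dev.get("owner") != "company":
        failures.append("device is not company-owned")
    if dev.get("mdm_enrolled") is not True:
        failures.append("device not enrolled in MDM")
    if dev.get("edr_running") is not True:
        failures.append("EDR agent not reporting")
    try:
        age = (today - date.fromisoformat(dev.get("last_patch"))).days
        if age < 0 or age > MAX_PATCH_AGE_DAYS:
            failures.append(f"patch date out of range ({age} days)")
    except (TypeError, ValueError):
        failures.append("patch level unknown")  # missing data fails closed
    if req.get("mfa_passed") is not True:
        failures.append("MFA not completed")
    if req.get("channel") not in ALLOWED_CHANNELS:
        failures.append("connection not via VPN or VDI")
    decision = {"user": req.get("user"), "allow": not failures, "reasons": failures}
    # Every decision, allow or deny, goes to the audit trail (stdout here).
    print(json.dumps(decision))
    return decision

# Constructed sample requests, not real data.
TODAY = date(2025, 6, 16)
MANAGED = {"user": "a.meyer", "mfa_passed": True, "channel": "vpn",
           "device": {"owner": "company", "mdm_enrolled": True,
                      "edr_running": True, "last_patch": "2025-06-03"}}
PRIVATE_PC = {"user": "b.klein", "mfa_passed": True, "channel": "direct",
              "device": {"owner": "private", "last_patch": "2024-11-20"}}

if __name__ == "__main__":
    for request in (MANAGED, PRIVATE_PC, {}):
        evaluate_access(request, TODAY)
```

Attributes that are missing count as failed checks, so a device that reports nothing about itself is refused rather than waved through.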

 

Since the correct configuration of home WLAN routers is beyond the company’s control, it is advisable to secure company access with a firewall. This creates an additional layer of security and allows monitoring of data traffic.

 

The same rules apply to home office workstations as to office workstations: Documents and devices must be protected from unauthorized access and physically secured with access controls. Employees should also be regularly trained and made aware of these requirements.

With Zero Trust, secure connections and regular training, companies can protect their data even outside the office.

Conclusion: Securing home office workstations is entirely feasible with the implementation of appropriate measures. Home office workstations should be subject to the same security audits as internal company workstations. The same security standards and compliance requirements, including GDPR regulations, must be upheld in the home office as in the office environment.
