The 10 Golden Rules are intended to help you ensure information and data security when your employees work from home. These tips come from the operational practice of small and medium-sized companies and the trades. They were developed in close cooperation with companies and are based on the recommendations of the Federal Office for Information Security.
Home Office And IT Security
Home office and mobile working are omnipresent, not least as a consequence of the corona pandemic. Many companies had to prepare for the sudden work-from-home situation, and ad hoc measures were implemented. Topics such as information and data security should have been addressed from the outset; as a result, the critical IT security protection goals, e.g. according to the VIVA principle (confidentiality, integrity, availability, authenticity), still need to be fully met.
Although many are aware of the importance of confidentiality or authenticity of data, these are not always guaranteed in practice, for example because “insecure” tools are used for web conferences or sensitive data leaks out via unencrypted communication channels.
What Is Meant By The Home Office?
Home office (or working from home) is any form of telework carried out from home. Telework, in turn, refers to all activities of a company’s employees carried out outside the company’s workplace using telecommunications facilities. Another form of telework is mobile work, which varies in location and time or is carried out on the go. As a rule, home office workplaces are temporary and set up for the long term. As a result, there are overlaps between the two forms of telework, but there are also special features (e.g. of a legal nature). Therefore, the tips in this flier can also be transferred to mobile working but are primarily intended for the home office.
What Precautions Are To Be Taken?
Define The Use Of The Home Office
First of all, as the company’s responsible person or managing director, you should be clear about what the home office is to be used for and in what context. Typical questions are how long and when employees should or can work from home, and whether the home office is a permanent workplace away from the business premises or a means of organizing flexible working.
Derive Regulations For Your Company
Depending on the first rule, you should set up regulations, powers and responsibilities for your employees. This includes information about which data can be used, which hardware or software will be used, which data protection regulations apply and how to communicate. These regulations also result from the other points listed in this flier.
Create The Technical Requirements
To ensure that your employees are able to work outside the company, all the essential technical requirements must be met. This includes, among other things, sufficiently fast Internet access with adequate upload and download capacity for both employees and the company. You should also ensure that there are enough licenses and mobile devices that the company issues and configures. For data protection reasons, privately owned end devices should be avoided if possible! You should also ensure that occupational safety measures are implemented in the home office.
Introducing a home office, especially if there is little or no experience in the company, is very complex and multifaceted. It is difficult to keep an overview of all of this and to observe all the technical and legal pitfalls. Therefore, you should get support from experts or on the open market. You should also consider nationwide funding opportunities such as “go-digital”, “digital-now!” or other programs at the state level.
What Does A Secure Home Office Look Like?
Physical Access And Data Access Protection
Measures should be taken to make it harder for others to access data and devices, even within one’s own household. Lockable cupboards and mobile pedestals are obvious measures here, as is the use of privacy films for screens and locking the workstation whenever the room is left.
Encrypted Communications And Remote Access
Secure communication is essential for the home office. If access to internal resources (data and systems) is required, a secure virtual private network (VPN) should be used. This makes manipulation of data, or access to it, by third parties significantly more difficult. Furthermore, phone calls should not be made on private phones, and e-mails should only be sent via business accounts. Internet, messenger and video conferencing tools should comply with the company’s IT security requirements. Encrypted transfer protocols such as HTTPS, and encrypted communication restricted to authorized persons, should be mandatory.
Even when working from home, you should ensure that employees back up their data regularly and in line with the company’s backup strategy. This is important because, for example, mobile devices can be damaged by falls and during transport, thefts occur more frequently, and data can be lost. It helps to use technical (software-supported) routines that store the data automatically, for example via the VPN channels or the cloud services that have been set up.
Handling Of Documents And Confidential Information
Paper-based documents or data carriers often have to be taken to the home office workplace. These should be protected during transport and on site (by encryption or locking). Rule 5 must be observed here, especially regarding personal data and company-critical information. An important point is the disposal of documents and data carriers, which must not be disposed of with household waste, as this violates confidentiality. Documents and data carriers should be returned to the business premises for destruction or archiving.
How Do I Get My Employees On Board?
Have Trust In Your Employees
The best rules, guidelines and technical equipment do not protect against the all-important human factor. You should coordinate and set up the home office procedures closely with your employees, as this is the only way to avoid difficulties and errors on site. It also prevents a lack of understanding of regulations and processes, since the employees know how they came about.
Furthermore, rules should be structured so that they are clear and comprehensible. Otherwise, frustration can quickly arise, and employees feel restricted. This can result in defensive reactions and deliberate circumvention of regulations, which would have a lasting negative impact on IT security.
Ongoing Awareness Of Hazards
Educate or train your employees regularly to impart knowledge and draw attention to current threats (e.g. phishing and spear phishing). You can also use the offerings of the Mittelstand 4.0 competence centers or the Federal Office for Information Security. Also, encourage your employees to report damage events and security incidents (e.g. lost or stolen documents).