Data security during telework

published on 17 March 2020 | reading time approx. 3.5 minutes

Data security during telework

In the time of coronavirus enterprises allow their employees to work from home. Unfortunately, they very rarely remember that this implies an increased risk for the security of data, which is one of the pillars of business operations.

The numerous data security audits conducted by Rödl & Partner in various enterprises reveal that there is generally a problem when it comes to the proper protection of data used and processed by teleworkers. When setting the teleworking rules, companies focus first of all on the organisation of work processes in HR terms only. Thus, priority is given to work efficiency, working time records or team communication, whereas other business continuity issues and risks are seldom analysed. With such an approach, IT departments are left with the challenge to provide employees as quickly as possible with remote access to the in-house IT infrastructure, applications and data. But it is precisely the IT department and other units, including the Data Protection Officer, responsible for corporate security that should be actively involved in the planning activities beforehand and be able to develop adequate rules and work out and implement procedures to ensure telework security.

In-house IT infrastructure

First of all it should be considered how to prepare the company’s IT infrastructure for access from the public network. Typically, the minimum required to work remotely is to have access to an e-mail account and an encrypted VPN channel enabling remote connection with in-house applications or company's servers. But it is good to establish the basic rules of using those facilities.

Data security crucially depends on whether employees work on their private equipment (e.g. on smartphones or laptops) or use exclusively company devices configured for teleworking purposes. Remember that a company has no means whatsoever to control the security of data processed on private equipment. Thus, it cannot check whether employees’ computers have adequate anti-virus protection, whether their operating systems have in place up-to-date access safeguards or whether the data stored on their drives are not shared on a (W)LAN. In such a case, providing an employee with access to an e-mail account or a VPN channel creates a real risk that a virus or hackers attacking the employee's home IT equipment will intercept access data or obtain access to the company’s IT infrastructure. Therefore, for security reasons, only company-owned equipment should be used for teleworking.

Network security

Another important issue is the security of the network to be used by teleworkers. This is beyond the company's control as well, whereas a lot of people use shared networks (together with e.g. other dwellers of the block of flats or the housing estate) or WiFi networks configured by themselves which do not meet the required security standards. You may ask: What is the difference if I use an encrypted VPN connection anyway and no unauthorised person captures such a movement? Please note that the VPN channel protects data during its transfer only, whereas you must also protect data stored on your device or on data carriers connected to it. An attacker who has accessed the shared or WiFi network may try to take over control of the computer and obtain access to the data stored on it. Such data may also include the user’s credentials, in particular, the password to the company’s VPN network or other internal systems. Teleworkers should also receive devices (SIM cards or modems) enabling independent access to the Internet and should be instructed that they may connect to the company’s network using only and exclusively those devices. This is especially important because, as practice shows, remote work is not always performed at home, but also in hotels, in cafes, on trains or in other public places.