Week 24: Personal devices when working from home pose high risks

21.06.2022 - The number of reports received by the NCSC remained at the same high level last week. An incident involving a data leak and ensuing blackmail shows that using private devices to access company networks entails considerable risks.

Keep your home office secure!

At the beginning of the COVID-19 pandemic and the imposed contact restrictions, many companies had to quickly set up technical options to allow employees to work from home. Many companies have maintained them and, even since the COVID-19 measures have been lifted, they continue to offer their employees the possibility to do a certain amount of work from home. Secure remote access via VPN (virtual private network) to the company network plays a central role in this regard. However, if this technology is used without sufficient care, it can massively increase the risk of cyberattacks as illustrated by the following case, which was reported to the NCSC last week. Attackers managed to gain access to a computer and then infiltrate the company network using remote access. They then copied data and blackmailed the company about publishing it. How was this possible? It was triggered by malware that spied on an employee's computer and obtained the access details for the VPN connection. This allowed the attackers to gain access and then infiltrate the company network.

This case is particularly noteworthy because the employee did not use a company computer for the VPN access, but rather his own personal device. Computers used privately are not controlled by the company and therefore there is no guarantee that the company's security standards are followed, that updates are applied and that software installations, including malware, are blocked. If the computer is also used by other family members, the risk increases even more. It is also problematic that the log files, which are needed and helpful if an incident occurs, are not available, or are incomplete, because they are not recorded on the private device, or only partially.

The NCSC has produced guidelines on the secure use of remote access, which are aimed at both companies and employees

  • Access to a company's network should be permitted only from company computers with VPN access.In addition, make sure that two-factor authentication is installed for the VPN connection.
  • Guidelines for companies
  • Guidelines  for employees

Last modification 21.06.2022

Top of page