• Private devices should be considered compromised; business use of private devices should therefore be avoided.
  • If this is not possible, the use of external boot media must be checked.
• Disable Office macros.
  • If this is not possible, macro signing should be used (only digitally signed macros may run).
• Is a collaboration solution sufficient, or is a full VPN necessary?
• If a VPN is used, its gateway should terminate in a DMZ (demilitarized zone), not on the internal network.
• Use two-factor authentication (at a minimum for externally reachable services such as VPN and webmail).
• Set up full-disk encryption.
  • Ideally with pre-boot authentication, e.g. a 6-8 digit PIN or a token.
• Separate user accounts (admin and user).
• Prevent shoulder surfing by third parties (e.g. use of a privacy screen filter).
• Use interface monitoring / device control so that only approved removable media can be used, which blocks USB-borne worms.
• Use a password manager to avoid weak and/or reused passwords (e.g. KeePass).
• Increased monitoring on systems that are primarily used by home-office users (e.g. VPN endpoint, terminal/jump server, etc.).
• Regular updates of laptops, mobile phones and third-party software, which is often forgotten (e.g. Adobe Reader, media players, web browsers).
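As an added example (not part of the original checklist and not code from HanseSecure), the following PowerShell script applies and audits the Windows policy registry values behind two of the items above on a single machine: the Office macro item (disable macros, or fall back to requiring digitally signed macros) and the removable-media item. Assumed: Office 2016/2019/365 (policy hive version `16.0`), an elevated PowerShell session, and that in production these values are delivered by Group Policy or Intune rather than a local script. The `Deny_All` removable-storage policy blocks every removable storage class; allow-listing specific approved devices, as the checklist suggests, needs Device Installation Restrictions or a device-control product and is not shown here.

```powershell
# Added example, not from the original page. Assumes Office policy hive "16.0" and an
# elevated session. Applies the checklist's macro and removable-media items locally.

$OfficeApps = @('Word', 'Excel', 'PowerPoint', 'Outlook', 'Access')

# VBAWarnings values (Office "VBA Macro Notification Settings" policy):
#   1 = enable all macros (weak)
#   2 = disable with notification (default; the user can click through)
#   3 = disable all except digitally signed (checklist fallback: macro signing)
#   4 = disable all without notification (checklist preferred: disable macros)
$MacroMode = @{ Signed = 3; Disabled = 4 }

function Set-OfficeMacroPolicy {
    param([ValidateSet('Signed', 'Disabled')][string]$Mode)
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Disable macros, or require a valid signature where macros cannot be removed
        New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord `
            -Value $MacroMode[$Mode] -Force | Out-Null
        # Additionally block macros in files carrying Mark-of-the-Web (downloads, mail attachments)
        New-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -PropertyType DWord `
            -Value 1 -Force | Out-Null
    }
}

function Set-RemovableStoragePolicy {
    # Checklist item "interface monitoring": deny all removable storage classes.
    # Approved-device allow-listing is out of scope for this example.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Deny_All' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-OfficeMacroPolicy {
    # Audit: one row per app; Weak = $true wherever unsigned macros could still run
    foreach ($app in $OfficeApps) {
        $key  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        $v    = (Get-ItemProperty -Path $key -Name 'VBAWarnings' -ErrorAction SilentlyContinue).VBAWarnings
        $motw = (Get-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' `
                    -ErrorAction SilentlyContinue).BlockContentExecutionFromInternet
        $shown = if ($null -eq $v) { 'not set (user default applies)' } else { $v }
        [pscustomobject]@{
            App               = $app
            VBAWarnings       = $shown
            BlockFromInternet = ($motw -eq 1)
            Weak              = ($null -eq $v) -or ($v -lt 3)
        }
    }
}

# Usage (run elevated). Use -Mode Disabled where no signed macros are needed at all.
Set-OfficeMacroPolicy -Mode Signed
Set-RemovableStoragePolicy
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

Running the audit function before the set functions shows the typical home-office laptop state (`VBAWarnings` not set, `Weak = True` for every app); after applying the policy every row should report `BlockFromInternet = True` and `Weak = False`. Because the values live under `HKCU\Software\Policies`, Office treats them as administrator policy and greys out the corresponding Trust Center options for the user.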

Source: Florian Hansemann, Managing Director HanseSecure