Group News

Information security and home office in times of corona

"This is the perfect time for all sorts of fraud"


In these times of coronavirus more than 90 percent of the Talanx Group's workforce is working out of a mobile office. Many of them are using personal devices without any security concept – a veritable Eldorado for cybercriminals. The Group Security team is currently devoting particularly close attention to the protection of customer, employee and business partner information. Leonie Windolph is a member of this team. She deputises for the Head of Group Security, Andreas Walz, in specialist matters. For his part, in his role as deputy head of the Group Crisis Management team, Andreas Walz is coordinating IT issues during the crisis and taking key security decisions directly as part of the Talanx crisis response team.

Multiple times a day Leonie Windolph checks for any new avenues of attack and criminal methods – right now with the coronavirus a particularly prominent concern. "We fight back with our safeguards and our technology so as to assess whether there is any risk to our company. If the avenue of attack is technology-based, we pass it on to IT for analysis; if the threat is organisational in nature, we address the employees directly, for example via the intranet or by e-mail", explains Leonie Windolph as she discusses her typical day at the office. The same established security processes as those prior to the coronavirus are in effect – including 24/7 on-call readiness so as to respond quickly to potential aggressors. In this interview with Josefine Zucker from Group Communications, Leonie Windolph discusses the new measures necessitated by the pandemic and the important role played by the members of staff.

Leonie, how is the coronavirus impacting information security concerns?
The threat scenario has changed as a consequence of the pandemic. Petty crime such as pickpocketing and store robberies is down – even the criminals are stuck in their home office, so to speak. Bad actors are exploiting the prevailing concern surrounding the virus to launch wide-ranging cyber-attacks on companies and private individuals. Computers are being held to ransom, passwords and data are being stolen and money is being extorted. Criminals picking up on the latest hot issues is nothing new, however. The coronavirus lends itself so very well to these purposes because it is affecting the entire world, as a consequence of which many people feel insecure and are therefore very interested in the subject. To put it in a nutshell: This is the perfect time for all sorts of fraud using the word "coronavirus" as bait.

So what exactly is new?
There is an extremely large number of fraudulent websites devoted to the coronavirus: various sites including the virus in their name in some form or other that promise information about the disease but instead spread malware. Fake shops offering masks that do not exist or hawking dubious remedies have been springing up everywhere like mushrooms. Attackers know that many companies have enabled their staff to work from home as a preventive measure to stop the spread of the coronavirus. For this purpose, it is normally necessary to install software on the personal devices. Fake versions of the commonly used programs containing malware have already been created. Not only that, malicious e-mails are sent out purporting to come from colleagues, HR or senior management with the latest in-house developments as regards the virus. We warn our employees about them. We encourage them to enable their firewall and make backups. After all, with no home computer there is no more home office either.

In other words, this is a good time to infiltrate malware. The same is true of attempts to commit fraud, most notably the so-called CEO fraud. This is a scam in which false identities – generally on the management level – are used to instruct money transfers. It is incredibly easy to make an e-mail look like it came from someone else (spoofing) or to make a phone call using an artificially generated voice. Given all the restrictions on personal contact, many companies have streamlined their payment methods. Our tip: In order to continue keeping attackers at bay, important policies and processes such as the principle of dual control cannot be neglected, even in times of crisis.

What are you doing to keep the company safe?
In the context of crisis management efforts, our job is to protect the information assets entrusted to us. This is why our Talanx Security Chief Andreas Walz is also a core member of the Group Crisis Management team. It goes without saying that we do face new challenges when so many employees suddenly start working from home: Are the virtual access gateways able to withstand the load? Are we creating potential trouble spots for cyber-attacks? Are we managing to adequately sensitise members of staff to the need to maintain our level of security, even when working out of a home office?

Long before Covid-19 we placed a heavy emphasis on virtualising the work environments, as a result of which we already had a good platform in place – from both a technical and organisational standpoint; we have now been quick to expand this. For example, the virtual clients are adequately encapsulated so as not to be vulnerable to attack by a terminal device. Not only that, we are constantly working flat out to release secure IT tools for mobile working at short notice. There is nothing worse that the establishment of a "shadow IT", i.e. when users switch over to unapproved tools that are offered for free online. The idea behind all these tools is that instead of money we pay with the data transported through them, as is the case with Zoom, for example. My request to the workforce is that if you need a solution, please report it to us. Make use of the official enterprise services and do not turn randomly to alternative solutions.

Another thing: information security means not only confidentiality, but also availability and integrity. We have moved incredibly quickly to enable a very large number of users in Germany to work on a mobile basis, thereby ensuring that our core processes run smoothly!

What role is played by employees?
The prudence exercised by our employees is our most valuable firewall, far more so than all the technological and organisational safeguards that we have put in place. Everyone shares responsibility for ensuring that no unauthorised persons can view or access data and information – in other words, they must consciously and independently implement security measures in their mobile office environment. And they simply have to be on their guard, to take a second look: could I be dealing with fake news or fake e-mails, is someone trying to manipulate my money, my data or me? Only through concerted action can we build a line of defence that withstands all attacks.

What is the biggest mistake I can make in a home office?
One major issue is the secure handling of physical files, in particular their transportation and disposal. In two words: dumpster diving. People really do look through garbage bins to see whether they can find anything! That's why it is so vital to dispose of business documents in accordance with the company's processes – i.e. using the document disposal bins at work. There is a work instruction stipulating the particle sizes according to which confidential documents have to be shredded. This is geared to the value of the information.

Documents are not intended to be printed at home. Instead, business letters can be printed and mailed via a central service. Lockable transportation containers are available for transferring files between locations.

Another thing: phone calls. Conference calls and video conferences are often held near an open window or outside on the patio. Sometimes people don’t even realise how much value the information discussed may have for someone else.

And then we come to the supposedly mundane things: even when you are in your home office, you should always lock your computer before leaving the workstation. A child could erase the work output that you just generated while they are playing or they might send the funny e-mail that was supposed to go to your colleagues to a Board member instead. (laughs)

Leonie, thanks so much for this interview!