As COVID-19 vaccine programs expand, many organizations still have a workforce that looks very different from before the pandemic. Employers have had a virtual workforce, or a mix of work-from-home and office, for the past year. This unprecedented change in how we work has been largely positive. Nearly 83% of employers surveyed by PwC in a January 2021 study said the shift to remote work has been successful, a 10% increase from their previous survey in June 2020. With the favorability of working from home increasing, it isn't a surprise that 67% of organizations are planning to keep their expanded work from home policies indefinitely or long-term.
While some organizational leaders may feel they have a handle on this change after a year, it's imperative that they remain vigilant and continue to keep these policies and procedures strong. Employers can review the following suggestions to help keep their organization, and employees, safe and productive.
General Work from Home Tips for Employers
One of the most important tips is to create a work from home policy, disseminate it to all employees, and make clear that strict adherence is required.
PHLY customers have access to the following resources, which may assist with creating policies and other documents:
PHLYGateway
PHLY Management Liability Insurance customers with Directors and Officers (D&O) or Employment Practices Liability (EPL) coverage are eligible for a free in2vate membership. In addition to sample policies, they provide web-enabled employment practices services, including training and management tools for harassment and discrimination. Find out more here.
Nonprofit Risk Management Center
PHLY Non-Profit Insurance customers are eligible for a free Nonprofit Risk Management Center membership. They offer practical risk management resources, including webinars, unlimited consultation, and sample forms and documents. Register here to gain immediate access.
In addition, Telework.gov provides a safety checklist, among other information and checklists. The state of Virginia has its own website with a free safety checklist, and Society for Human Resource Management (SHRM) has their own at-home work policy.
The physical safety of remote workers should also be considered. The Occupational Safety and Health Administration (OSHA) has communicated guidance that while the employer is not liable for an employees' home office, the employer is still required to keep records of injuries that occur there. Organizations should contact their workers compensation carrier for resources and best practices in ensuring they meet all local, state, and federal guidelines for employee safety.
Teleworking: A Cyber Threat for Employers
When organizations first began shifting their workforce to virtual in response to the pandemic, the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued a cyber-threat alert. Hackers and other nefarious actors had already started to take advantage of the situation. A year later, the need to be vigilant remains.
Evan Fenaroli, PHLY's Cyber Product Manager, says businesses and organizations should "remain diligent and aware of ongoing cyber threats, continue to engage their employees on these issues (particularly device security, password complexity, and phishing/social engineering), and ensure they are reviewing their own internal policies and procedures."
The main concerns center around two potential vulnerabilities: remote access via enterprise virtual private networks (VPN) and email-based phishing attacks. A VPN is the connection organizations use to allow remote access to their corporate network. Phishing emails are those that are sent to unsuspecting recipients and appear to be legitimate requests from individuals, businesses, or governmental authorities; however, clicking a link or downloading a file subjects the user's computer - and in turn the connected network - to malware or other viruses.
PHLY's cyber liability experts suggest following these tips to help manage the increased cyber risk of telework:
Create new and complex passwords
Organizations should already be enforcing policies that require users to select complex passwords and update them on a regular basis. Proper password hygiene is equally important in the home environment and there is nothing hackers love more than a WiFi network with an easy, default password. Remote users should therefore ensure that their WiFi network is encrypted (WPA2 at minimum) and protected by a complex password - NOT the default password from the modem provided by the internet service provider
Beware of phishing scams
Phishing scams with messaging that preys on panic and uncertainty during this public health crisis are on the rise, so emails should be read with extra scrutiny. Employees should be particularly skeptical of embedded links within emails; when in doubt, users should avoid clicking on such links and be instructed to report suspicious emails to their IT departments. Social engineering attempts to defraud companies through fake wire transfer requests also remain prevalent, so organizations should adopt strict call-back verification procedures to ensure that these requests are legitimate. One or two extra steps could save organizations from a debilitating cyber incident or substantial monetary loss.
Promptly install updates and antivirus software
Updates to operating systems, applications, and antivirus software should be installed as soon as they are available. Frequent patching ensures that known exposures and vulnerabilities are being addressed. IT departments can push these updates out to company-owned devices, but should also make sure that employee-owned devices (laptops, PCs, mobile phones) are protected with the latest updates
Utilize VPNs for accessing company networks
All remote access to the corporate network should be through VPNs, or "Virtual Private Networks," which encrypt the connection and reduce the chance of hackers intercepting data during the send/receive process.
Enable multi-factor authentication
Multi-factor or two-factor authentication should be enabled for all remote access to corporate networks whenever possible, particularly for users with elevated or administrative privileges.
Cyber Security Resources
PHLY can assist with navigating this difficult time by providing resources and assistance with managing the risks of teleworking. Please review the following cyber security resources provided by our partners, as well as other sources:
eRisk Hub
All PHLY Cyber Security Liability policyholders are eligible for complimentary access to PHLY's eRisk Hub. This online portal offers a variety of cyber risk management tools and resources, including an incident roadmap, risk manager tools (including a self-assessment and guidance on state breach notification laws), a learning center for best practices, a news center, and referrals to outside experts and vendors. It also includes a sample telework policy with a heavy concentration on cyber risk mitigation. Insureds can register here using the access code found in their PHLY Cyber Security Liability policy.
Other resources
The National Cyber Security Alliance (NCSA), a builder of public/private partnerships focused on cybersecurity, is offering a comprehensive resource library at StaySafeOnline.org.