Skip to Main Content

Remote work & technology

Unfortunately, poorly adopted flexible work arrangement plans can lead to increased risk around asset management, data protection, employment practices, management controls, and employee work-life balance.
Woman working at her desk with her headset on

Workplace flexibility and remote work can be a mutually beneficial arrangement when all parties agree on when, where, and how the employee will work to meet their individual responsibility and organizational goals. Adopting more flexible work arrangements may also support long-term strategic business objectives including expense management, reduced employee turnover, and even workplace injury.

Unfortunately, poorly adopted flexible work arrangement plans — especially as it relates to technology — can also lead to increased risks. In fact, fraudsters have increasingly exploited weak security measures or those employees not following proper security protocol as they adjust to remote work environments.

More remote work and technology information

  • As with all credit union processes, a written policy establishing a set of guidelines for the safe and productive digital work by employees should be written and board approved. It should include requirements for users. These policies should be rigid in their expectations, but fluid and customizable as the needs of your credit union change.

  • The laws and regulations affecting remote employees of the state in which the employee has set up their remote office must be followed as opposed to the laws and regulations of the state where the credit union is located.

  • In order to accommodate employees in remote work settings, not everyone has properly maintained an accurate record of the items provided for remote use. Unfortunately, some items may have left without proper authorization, not been accounted for despite offices reopening, or returned damaged.

    Remote workers should be provided with all the equipment needed to do their jobs. Your policy should state that equipment needed will be offered to remote workers. If you choose not to offer equipment to your remote employees, be sure that is clearly outlined.

  • Employees who have not received authorization in writing from credit union management and who have not provided written consent should not be permitted to remove equipment and supplies. Failure to follow any established policies and reporting protocols should result in disciplinary action, up to and including termination of employment.

    An asset tagging system, especially for expensive items, makes it easy for you to keep track of assets. It’s imperative to know where assets are located, how they are being used, and whether there have been changes made to them.

  • Require anyone who uses their computer on home networks to use a Virtual Private Network (VPN). In addition, you should set classification levels for data based on data confidentiality and criticality levels and define acceptable use of data by your employees. Common data levels include:

    • Public data = available to anyone
    • Limited access = available to special groups
    • Restricted = controlled by compliance or legal mandates
  • Multi-factor authentication or out-of-band authentication typically leverages the use of one-time-passcodes (OTPs) or tokens and can be used to authenticate employees attempting to sign into the host system.

    Transmitting one-time passcodes via email is best to be avoided due to email’s inherent risks (i.e., email accounts can be hacked). In addition, transmitting OTPs via SMS text message can be defeated if an employee's mobile phone is fraudulently ported to a new carrier. Carefully assess these risks when considering out-of-band authentication method.

  • Monitoring should be proportionate to legitimate business needs. Poorly adopted flexible work plans can lead to increased risk around employment practices and management controls. Always tell employees about any new or increased monitoring measures and the reasons behind monitoring to avoid violating the law. Consider updating your privacy policy and don’t begin monitoring without first letting employees know in writing that you are monitoring.

    You may also consider restricting access involving applications for social media browsing, replacement email applications, VPNs or another remote-access software type. You may consider the use of technology for preventing downloads of questionable apps and copyright protected media.

Ask a risk consultant

Please complete this brief form to route your question to one of our risk consultants.

Ask a risk consultant

Related resources:

Access the Business Protection Resource Center* for exclusive risk and compliance resources to assist with your loss control efforts.

Bring your own device best practices & policy template*

Frauds & scams eBook

Employment practices risk management resources — www.epl-risk.com

RISK Alert: Don’t Let Data Walk Out the Door* (1/26/2021)

On-Demand Webinar: Employment Practices Trends