Remote work & technology
Workplace flexibility and remote work can be a mutually beneficial arrangement when all parties agree on when, where, and how the employee will work to meet their individual responsibilities and organizational goals. Adopting more flexible work arrangements may also support long-term strategic business objectives, including expense management, reduced employee turnover, and even reduced workplace injury.
Unfortunately, poorly adopted flexible work arrangement plans, especially as they relate to technology, can also lead to increased risks. In fact, fraudsters have increasingly exploited weak security measures and employees who do not follow proper security protocol as they adjust to remote work environments.
More remote work and technology information
As with all credit union processes, a policy establishing guidelines for safe and productive digital work by employees should be written and board approved. It should include requirements for users. These policies should be rigid in their expectations, but fluid and customizable as the needs of your credit union change.
For remote employees, the laws and regulations of the state in which the employee has set up their remote office must be followed, as opposed to the laws and regulations of the state where the credit union is located.
While accommodating employees in remote work settings, not everyone has properly maintained an accurate record of the items provided for remote use. Unfortunately, some items may have left without proper authorization, not been accounted for despite offices reopening, or been returned damaged.
Remote workers should be provided with all the equipment needed to do their jobs. Your policy should state that equipment needed will be offered to remote workers. If you choose not to offer equipment to your remote employees, be sure that is clearly outlined.
Require anyone who uses their computer on home networks to use a Virtual Private Network (VPN). In addition, you should set classification levels for data based on data confidentiality and criticality levels and define acceptable use of data by your employees. Common data levels include:
- Public data = available to anyone
- Limited access = available to special groups
- Restricted = controlled by compliance or legal mandates
Multi-factor authentication or out-of-band authentication typically uses one-time passcodes (OTPs) or tokens and can be used to authenticate employees attempting to sign into the host system.
Transmitting one-time passcodes via email is best avoided due to email's inherent risks (i.e., email accounts can be hacked). In addition, transmitting OTPs via SMS text message can be defeated if an employee's mobile phone is fraudulently ported to a new carrier. Carefully assess these risks when considering an out-of-band authentication method.
You may also consider restricting access to applications for social media browsing, replacement email applications, VPNs, or other types of remote-access software. You may also consider using technology to prevent downloads of questionable apps and copyright-protected media.
Access the Business Protection Resource Center* for exclusive risk and compliance resources to assist with your loss control efforts.
Employment practices risk management resources — www.epl-risk.com
RISK Alert: Don’t Let Data Walk Out the Door* (1/26/2021)
On-Demand Webinar: Employment Practices Trends