For many businesses, allowing employees to work from home has changed from a privilege or perk to a necessity as measures are being taken to slow the spread of the novel coronavirus that causes COVID-19. As they shift from having full conference rooms to video conference calls, employers can review the following suggestions to help keep their organization, and employees, safe and productive.
General Work from Home Tips for Employers
The Society of Human Resource Management (SHRM) offers several prudent tips for organizations to follow when considering their new, virtual workforce. One of the most important tips is to create a work from home policy, disseminate it to all employees, and make clear that strict adherence is required.
In addition, Telework.gov provides a safety checklist, among other information and checklists. The state of Virginia has its own website with a free safety checklist, and SHRM has its own at-home work policy.
The physical safety of remote workers should also be considered. The Occupational Safety and Health Administration (OSHA) has communicated guidance that while the employer is not liable for an employee's home office, the employer is still required to keep records of injuries that occur there. Organizations should contact their workers' compensation carrier for resources and best practices in ensuring they meet all local, state, and federal guidelines for employee safety.
Teleworking: A Cyber Threat for Employers
The shift to a virtual workforce in response to the COVID-19 crisis has led the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) to issue a cyber-threat alert. Hackers and other nefarious actors are already taking advantage of this unprecedented situation, increasing the need for organizations to remain vigilant and adhere to cybersecurity best practices.
The CISA alert highlights several concerns, which center around two potential vulnerabilities: remote access via enterprise virtual private networks (VPN) and email-based phishing attacks. A VPN is the connection organizations use to allow remote access to their corporate network. Phishing emails are those that are sent to unsuspecting recipients and appear to be legitimate requests from individuals, businesses, or governmental authorities; however, clicking a link or downloading a file subjects the user's computer - and in turn the connected network - to malware or other viruses.
Cyber liability experts suggest following these tips to help manage the increased cyber risk of telework:
· Create new and complex passwords
Organizations should already be enforcing policies that require users to select complex passwords and update them on a regular basis. Proper password hygiene is equally important in the home environment and there is nothing hackers love more than a WiFi network with an easy, default password. Remote users should therefore ensure that their WiFi network is encrypted (WPA2 at minimum) and protected by a complex password - NOT the default password from the modem provided by the internet service provider.
· Beware of phishing scams
Phishing scams with messaging that preys on panic and uncertainty during this public health crisis are on the rise, so emails should be read with extra scrutiny. Employees should be particularly skeptical of embedded links within emails; when in doubt, users should avoid clicking on such links and be instructed to report suspicious emails to their IT departments. Social engineering attempts to defraud companies through fake wire transfer requests also remain prevalent, so organizations should adopt strict call-back verification procedures to ensure that these requests are legitimate. One or two extra steps could save organizations from a debilitating cyber incident or substantial monetary loss.
· Promptly install updates and antivirus software
Updates to operating systems, applications, and antivirus software should be installed as soon as they are available. Frequent patching ensures that known exposures and vulnerabilities are being addressed. IT departments can push these updates out to company-owned devices, but should also make sure that employee-owned devices (laptops, PCs, mobile phones) are protected with the latest updates.
· Utilize VPNs for accessing company networks
All remote access to the corporate network should be through VPNs, or "Virtual Private Networks," which encrypt the connection and reduce the chance of hackers intercepting data during the send/receive process.
· Enable multi-factor authentication
Multi-factor or two-factor authentication should be enabled for all remote access to corporate networks whenever possible, particularly for users with elevated or administrative privileges.
Cyber Security Resources
Insurance carriers can assist with navigating this difficult time by providing resources and assistance with managing the risks of teleworking. Please review the following cyber security resources:
· Other resources
The National Cyber Security Alliance (NCSA), a builder of public/private partnerships focused on cybersecurity, is offering a comprehensive resource library at StaySafeOnline.org.