Workplace flexibility and remote work can be a mutually beneficial arrangement when all parties agree on when, where, and how the employee will work to meet their individual responsibilities and organizational goals. Adopting more flexible work arrangements may also support long-term strategic business objectives, including expense management, reduced employee turnover, and even fewer workplace injuries.
Unfortunately, poorly adopted flexible work arrangement plans – especially as they relate to technology – can also lead to increased risks. In fact, fraudsters have increasingly exploited weak security measures and employees who do not follow proper security protocols as they adjust to remote work environments.
As with all credit union processes, a written policy establishing a set of guidelines for safe and productive digital work by employees should be put in place and approved by the board. It should include requirements for users. These policies should be rigid in their expectations, but fluid and customizable as the needs of your credit union change.
The laws and regulations affecting remote employees of the state in which the employee has set up their remote office must be followed as opposed to the laws and regulations of the state where the credit union is located.
While accommodating employees in remote work settings, not everyone has properly maintained an accurate record of the items provided for remote use. Unfortunately, some items may have left without proper authorization, not been accounted for despite offices reopening, or been returned damaged.
Remote workers should be provided with all the equipment needed to do their jobs. Your policy should state that equipment needed will be offered to remote workers. If you choose not to offer equipment to your remote employees, be sure that is clearly outlined.
Require anyone who uses their computer on home networks to use a Virtual Private Network (VPN). In addition, you should set classification levels for data based on data confidentiality and criticality levels and define acceptable use of data by your employees. Common data levels include:
- Public data = available to anyone
- Limited access = available to special groups
- Restricted = controlled by compliance or legal mandates
Multi-factor authentication or out-of-band authentication typically relies on one-time passcodes (OTPs) or tokens and can be used to authenticate employees attempting to sign into the host system.
Transmitting one-time passcodes via email is best avoided due to email’s inherent risks (i.e., email accounts can be hacked). In addition, transmitting OTPs via SMS text message can be defeated if an employee's mobile phone is fraudulently ported to a new carrier. Carefully assess these risks when considering an out-of-band authentication method.
You may also consider restricting access to applications for social media browsing, replacement email applications, VPNs, or other types of remote-access software. You may also consider using technology to prevent downloads of questionable apps and copyright-protected media.
Access CUNA Mutual Group’s Protection Resource Center* for exclusive risk and compliance resources to assist with your loss control efforts.
- Flexible / Hybrid Work Arrangements Risk Overview*
- Managing Flexible Work Arrangements*
- Bring Your Own Device Best Practices & Policy Template*
- Rethinking Protection: People, Assets & Reputation eBook*
- Frauds & Scams eBook
- Employment Practices Risk Management Resources – www.epl-risk.com
- RISK Alert: Don’t Let Data Walk Out the Door* (1/26/2021)
- On-Demand Webinar: Employment Practices Trends
This resource is for informational purposes only. It does not constitute legal advice. Please consult your legal advisors regarding this or any other legal issues relating to your credit union. Any examples provided have been simplified to give you an overview of the importance of selecting appropriate coverage limits, insuring-to-value, and implementing loss prevention techniques. CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its subsidiaries and affiliates. Insurance products offered to financial institutions and their affiliates are underwritten by CUMIS Insurance Society, Inc. or CUMIS Specialty Insurance Company, members of the CUNA Mutual Group.