Workplace flexibility and remote work can be a mutually beneficial arrangement when all parties agree on when, where, and how the employee will work to meet their individual responsibilities and organizational goals. Adopting more flexible work arrangements may also support long-term strategic business objectives, including expense management, reduced employee turnover, and even reduced workplace injury.

Unfortunately, poorly adopted flexible work arrangement plans, especially as they relate to technology, can also lead to increased risks. In fact, fraudsters have increasingly exploited weak security measures and employees who do not follow proper security protocols as they adjust to remote work environments.

As with all credit union processes, a written, board-approved policy should establish a set of guidelines for safe and productive digital work by employees. It should include requirements for users. These policies should be rigid in their expectations, but fluid and customizable as the needs of your credit union change.

For remote employees, the laws and regulations of the state in which the employee has set up their remote office must be followed, as opposed to the laws and regulations of the state where the credit union is located.

While accommodating employees in remote work settings, not everyone has properly maintained an accurate record of the items provided for remote use. Unfortunately, some items may have left without proper authorization, may not have been accounted for despite offices reopening, or may have been returned damaged.

Remote workers should be provided with all the equipment needed to do their jobs. Your policy should state that equipment needed will be offered to remote workers. If you choose not to offer equipment to your remote employees, be sure that is clearly outlined.

Employees who have not received authorization in writing from credit union management and who have not provided written consent should not be permitted to remove equipment and supplies. Failure to follow any established policies and reporting protocols should result in disciplinary action, up to and including termination of employment.

An asset tagging system, especially for expensive items, makes it easy for you to keep track of assets. It’s imperative to know where assets are located, how they are being used, and whether there have been changes made to them.

Require anyone who uses their computer on home networks to use a Virtual Private Network (VPN). In addition, you should set classification levels for data based on data confidentiality and criticality levels and define acceptable use of data by your employees. Common data levels include:

  • Public data = available to anyone
  • Limited access = available to special groups
  • Restricted = controlled by compliance or legal mandates

Multi-factor authentication or out-of-band authentication typically relies on one-time passcodes (OTPs) or tokens and can be used to authenticate employees attempting to sign in to the host system.

Transmitting one-time passcodes via email is best avoided due to email’s inherent risks (i.e., email accounts can be hacked). In addition, transmitting OTPs via SMS text message can be defeated if an employee's mobile phone is fraudulently ported to a new carrier. Carefully assess these risks when considering an out-of-band authentication method.

Monitoring should be proportionate to legitimate business needs. Poorly adopted flexible work plans can lead to increased risk around employment practices and management controls. Always tell employees about any new or increased monitoring measures and the reasons behind monitoring to avoid violating the law. Consider updating your privacy policy and don’t begin monitoring without first letting employees know in writing that you are monitoring.

You may also consider restricting access to applications for social media browsing, replacement email applications, VPNs, or other types of remote-access software. You may also consider using technology to prevent downloads of questionable apps and copyright-protected media.

This resource is for informational purposes only. It does not constitute legal advice. Please consult your legal advisors regarding this or any other legal issues relating to your credit union. Any examples provided have been simplified to give you an overview of the importance of selecting appropriate coverage limits, insuring-to-value, and implementing loss prevention techniques. CUNA Mutual Group is the marketing name for CUNA Mutual Holding Company, a mutual insurance holding company, its subsidiaries and affiliates. Insurance products offered to financial institutions and their affiliates are underwritten by CUMIS Insurance Society, Inc. or CUMIS Specialty Insurance Company, members of the CUNA Mutual Group.