Risks While Working Remotely [Webinar]
[Lauren] Welcome to our Webinar
Our discussion today provides an overview of some of the risks that organizations may encounter by having teams working remotely via computer during the current COVID-19 Pandemic.
We will also discuss ways to mitigate risk proactively, to reduce the potential for losses as the result of changes to the operational model.
My name is Lauren Hart and I’ve been with Travelers for 8½ years. I’m currently based in Chicago, IL, in Risk Control’s National Accounts as an Account Consultant, partnering with our business insurance customers to help reduce and eliminate their exposures.
Before we get started, just a reminder from our legal team… The program or presentation does not cover all possible hazardous conditions or unsafe acts that may exist and does not constitute legal advice. For decisions regarding use of the practices suggested by this program or presentation, follow the advice of your own legal counsel.
Now, let's take a moment to meet our Panel of knowledgeable Specialists:
Dave Roy joined The Travelers in 1987 as an Ergonomics Specialist. Dave currently works with our Forensics Lab where his duties include working closely with our claim partners to integrate science and technology into claims investigations.
Ken Morrison joined Travelers about a year and a half ago, and he is the Cyber Risk Control Director for Bond and Specialty Insurance. In Ken’s role, he supports our Cyber practice by providing risk and threat assessments. He consults with claim, underwriting, and our external partners on cyber threat and security issues.
Our organizations manage risk every day, and in response to COVID-19, most of us want our employees to be able to work from home to protect them from potential exposure in the workplace.
Some organizations were prepared to send people to work from home; others were not.
Let's explore the concept of how risks have changed in the time of COVID-19 by starting with a question to both of our panelists:
What are the risks associated with moving many of our office employees to a remote working model based on changes in 2020?
[Dave] Lauren, let’s take a look at the scale of the issue. According to a recent article in Forbes, between 2005 and 2017 nearly 4% of the American workforce worked from home at least half of the time. Compare that to now, in the midst of the pandemic, when 46% of American businesses surveyed have implemented remote work practices. This increase happened rapidly, with many employees and employers not having a choice, and with little time to prepare.
So, in situations like this, I like to look at risk in a few ways. We have the traditional safety and health risks that may impact employee discomfort and injury, but we have additional risks that may in fact be more impactful to the business. Employee wellness and engagement can be adversely impacted which we know has a direct correlation on employee productivity, absenteeism, turnover, and total worker health.
[Ken] Our homes are now our offices, business is being conducted over our home networks, which are probably not as secure as our office networks.
For many companies, this is something brand new. Almost overnight, their entire workforce has gone home. How to manage that remote workforce poses several challenges, among which, is information and cyber security. They may not have everything they need to ensure their employees can work from home securely. Things like, do they have the technology, enough network infrastructure to handle the increased load of remote connections? Do they have the processes in place like incident response plans if there are problems, and have the employees been trained on security and privacy, specifically in the work-from-home context?
So, several cyber based risks are increased:
- of malware infection such as ransomware,
- of lost or compromised sensitive information,
- of lost, stolen or damaged computers
[Lauren] Dave, tell us more about the increased risk to employees that may result from working in a non-traditional office space.
[Dave] So, the level of risk is related to the amount of planning the employer did prior to the implementation of the work from home policy. Many companies had detailed plans and training in place that included an ergonomics overview and the types of computers and accessories the employee was going to use. Others had little planning beyond providing a computer to the employees, leaving it up to them where to set up their workstation.
Let’s look at the physical risks. As you can see from the slide, sitting in a recliner using a laptop may look comfortable, and it may be for a short period. But if you had to compose a long document or do a task that required focus and concentration, this employee could experience back and neck strain, arm pain and even leg pain. Over time, if this was the employee’s daily workstation, you could see the potential for the development of a repetitive strain injury, or RSI.
Now let’s take a look at a more subtle impact which we call psychosocial risks. Not all people are cut out for remote work. Some love it and some have challenges. There are also situations that add complexity that need to be taken into consideration. Spouses working from home, child care, adult care, and social isolation leading to loneliness. These stressors can be even more impactful than the physical stressors and need to be taken into consideration when individual plans are being made about remote work.
[Lauren] Dave, so how can we keep employees comfortable and productive while working remotely?
[Dave] Looking at the diagram you see that there are 4 basic principles that can be followed to improve the employees’ posture and performance while working from home. They are:
- Proper Desk Height that allows you to type at your seated elbow height
- Proper Desk Thickness – that allows for comfortable leg clearance.
- Allowing adequate knee clearance from the center of the chair to the edge of the seat.
- Make sure you can position the monitor at arm’s length.
These dimensions on the diagram will accommodate the majority of the staff. Minor adjustments that make the employee more comfortable are fine. Consider these starting points to work from.
If you look at the photo this is an example of these principles being put into practice. Note the monitor location (distance and height), the keyboard height and the chair height fit the employee and allow them to achieve what we call the neutral posture.
Providing external accessories such as a keyboard, mouse and monitor will allow remote workers greater flexibility in their workstation set up.
[Lauren] Ken, what are some potential security concerns for companies who have employees working remotely?
[Ken] Lack of secure remote networks can allow attackers to eavesdrop on sensitive transmissions, impersonate users, gain unauthorized access, and inject malware such as ransomware.
[Lauren] Okay, Ken, pause: what is malware and what is ransomware, for the non-cyber people in the room? AKA me.
[Ken] Lack of control over employee computers. As an employer, you just don’t know if security patches or anti-virus software are being updated.
Lack of detection – if there are incidents can companies detect them?
Lack of response – if the company can detect an incident, can it actually respond to contain it and fix the damage?
Work from home networks are more than 3 times more likely to be infected than the corporate network (BitSight report).
Family members could view sensitive material, or if they try to use a company computer to “just check Facebook” could accidentally delete a file, end an online session, modify information or even infect the computer with malware.
[Lauren] What are the different types of cyber security and what do we need to know about their level of protection? Security has three main components: People, Process, and Technology.
Okay, Ken – can you first explain how companies should approach the human element of cyber security related to the People and Process components?
[Ken] Let’s start with People…
- Attackers have started taking advantage of human weakness with several social engineering attacks geared around Covid-19. So, we need to make sure our people are aware of this and are trained to recognize when they are being targeted.
- Avoid clicking on links or opening attachments in unsolicited emails.
- Do not reveal personal or financial information in emails
- Employees are also your best early warning system. Train them to report suspicious incidents, emails, etc.
- Then for Process
- Update (or develop) business continuity and incident response plans with consideration of remote and on-site work environments
- Establish a way for employees to report incidents, ask questions, and get technical assistance, like a dedicated email, a Skype channel, or a telephone hot-line.
- Understand privacy laws, appropriate use, and other compliance requirements, particularly in a work-from-home context.
[Lauren] (Slide showing graph with level of protection vs. the need for administrative controls)
Alright, now let’s talk about the Technology component. If I’m thinking about this from the employer perspective, what things should I be thinking about when it comes to cyber security?
[Ken] For Technology
- Ensure networks, servers, and computers are fully patched.
- Enhance system monitoring to get early warning of alerts or abnormal activity.
- Use Virtual Private Networks (VPN) for remote access, with multi-factor authentication (MFA). When on a VPN, the computer goes through the company’s more secure network, to get to the Internet. There are several companies that can provide VPN services for your company.
- If VPN is not feasible due to financial or resource constraints, a Remote Desktop Gateway (RDG) is a (less secure) option.
- Remote Desktop Protocol (RDP) is not recommended as it has several known vulnerabilities. Attackers are continuously scanning the internet for an open port 3389 (the default RDP port) to launch a brute force attack. Even with a complex password and MFA, RDP is vulnerable to denial of service and account lockout.
- It is relatively easy for bad guys to find user IDs and passwords. That’s why multi-factor authentication is a best practice for overall security access, and a requirement for things like PCI (Payment Card Industry). It is a second way to prove your identity using a different method, like a biometric or security token with Google or Microsoft Authenticator, or a text to a mobile phone.
[Lauren] So VPN with multi-factor authentication is best. Got it. Okay, then if you have a lower level of technical controls, what types of behaviors should I be reinforcing with my staff?
[Ken] If technology is lacking, enhance the people/process aspects of your security program. Examples:
- Get your management, business and technical teams together to get an understanding of the key risks facing your company. Remember, not all of them are technical!
- Prioritize, then implement action plans for how to address those risks.
- Make sure you have processes in place to enable communications – both up and down.
- You can really push training and awareness. The key is training people on what social engineering is, how to spot the most common indicators of a social engineering attack, and what to do when they spot one. And don’t focus on just email phishing attacks, but other methods, for example, phone calls, texts, and social media.
- There are some technical controls that can be enhanced that do not break the bank.
- Require complex passwords, or better yet – pass phrases, like a sentence instead of a word. Can’t remember all those passphrases? Use a password manager.
- Change default user IDs and passwords.
- Make sure systems are kept up-to-date.
[Lauren] Ken, what are your concerns going forward, as employees start returning to their physical offices?
[Ken] Several security companies have already noted that remote employees are being targeted. Particularly if a VPN is not being used, corporate computers may already be infected with malware that is waiting for the computers to be back on the corporate network before detonating, like a “trojan horse”.
[Lauren] To both Dave and Ken
What actions should companies be taking if their work from home model is short-term, or will be moving toward a model where employees work from home on alternating days?
What preparations should companies make now if they anticipate their employees will work from home long-term or even permanently?
[Ken] The security considerations we discussed apply to either short term or part time remote work. Ensuring the computers are patched, the network connections are secure, and the employees trained and aware are key protections.
For long term or permanent work-from-home, we recommend that the company have a formal program in place. As we discussed above, people should be trained and aware not only of security issues, but privacy and other compliance issues.
Processes must be in place to support the remote workers, handle incidents, etc.
For a long term or permanent remote environment, have technical solutions to ensure computers are kept up-to-date with patches, updates and anti-malware, and VPN with MFA is really the only way to go.
[Dave] Generally speaking, whether it is short- or long-term, to help promote employee safety and health, employers should view working from home as an extension of their company’s approach to workplace safety management. It is an additional consideration that needs the same level of attention as any other workplace exposure. Involvement of those company managers and employees that currently have safety and health responsibilities is key. This is not solely an IT issue or a space planning/real-estate issue. This needs to be a coordinated effort from all areas of the employer that would deal with conventional office issues. Basic ergonomic principles should be followed (somehow mention TRV/RC resources) and applied to the work at home environment.
[Lauren] What are your suggestions as we bring people back into the physical office?
And finally, as companies transition employees back to offices, consider developing alternating schedules that allow your workplace to maintain 50% of capacity or less for the foreseeable future.
Please always remember to follow all CDC and state and local health department guidelines, for example, those related to social distancing, hygiene, and the proper cleaning of office workspaces.
[Lauren] As we look down the path ahead of navigating through and beyond COVID-19, what are the key takeaways our listeners should walk away from this session with for planning and taking action for the road ahead?
[Ken] Keeping our systems and information secure is everybody’s job. The abrupt change to the way we work is a challenge like we’ve never seen. And to get the job done, we have to improvise, adapt, and overcome. As we mentioned earlier – security has three components: People, Process, Technology. If we cannot enhance the technology immediately, we can make sure our people are aware of and acknowledge the risks, and are trained to prevent, detect, and react to threats. We can have processes in place that give our people the tools and procedures to let them be the “human firewall” and protect our networks and our information.
[Dave] One of the key factors that can make a work at home program work for both the employer and employee is starting with a strong foundation of ergonomic planning and execution. Employers can focus on providing adequate equipment and accessories, and on establishing and implementing employee training. Creating a successful work at home strategy involves collaboration with the employee and considering their individual circumstances. One size does not fit all. This may mean the historical HR policies and operational practices need to be re-evaluated. Flexibility with the end goal of worker total health will lead to positive employee engagement and experience. Productivity can be improved and employee distress reduced.
Working from home is not a 9 to 5 proposition. If employers want the most from their employees, they need to:
Plan, Act, Teach, and Health will be Achieved.
[Lauren] I’d like to thank each of you for participating and listening in with us today. We hope you found Dave and Ken’s insights valuable to you and your organizations as you think about work from home and cyber security for 2020 and beyond. I’d like to thank our esteemed panelists for sharing their expertise today. It’s certainly difficult navigating uncertain times. Thank you, and we hope you, your families and your employees stay safe and healthy!