Cyber and Other Risks of the Work-From-Home and Remote Employee
This material is provided for informational purposes only. Before taking any action that could have legal or other important consequences, confer with a qualified professional who can provide guidance that considers your unique circumstances, including applicable employment laws.
Much has been written in the press lately about cyber security risks. The bulk of the attention has been focused on large multi-national organizations that have exposed millions of their customers and business partners to potential cyber crimes. These liabilities can be huge and large organizations are spending millions if not billions of dollars to strengthen their cyber security.
Small firms are far from being immune to this threat as well. In fact, one insurer's business owner survey found that over half of all businesses have been the victim of cyber crimes such as
virus attacks, fund transfer fraud, phishing, and ransomware schemes.
Indeed, companies large and small are recognizing the cyber crime threat and arming their company computers and networks with antivirus software and other forms of protection. They are bringing in security experts to conduct tests to identify potential threats and then mitigate them.
Yet there is one area often overlooked when combating cyber crime at company offices. It's a backdoor into your computer network that is often left unguarded. We're talking about the vulnerabilities that exist when employees are working out of their home offices or from other remote locations and tapping into the company computer network.
More and more companies are allowing employees to work from home on a full-time or part-time basis. It's a growing trend and not one that will be going away anytime soon. The proliferation of wireless mobile devices and work-related software and applications will make sure of that.
There are a number of reasons for this growth in work-from-home employees. First, employees are demanding it. The current generation of 20-, 30- and 40-year olds see working from home as a highly desirable company perk for balancing their work and personal lives. Offering such set-ups often becomes mandatory to attract talented professionals. If you don't provide the ability to work from home to a top job candidate, chances are one of your competitors will.
There are advantages to the employer for offering the work-from-home option, too. Employers can attract a larger pool of job candidates from a larger geographic territory. Also, demands on company office space and, in turn, leases and rents are reduced. Employee productivity and loyalty have shown to increase while turnover lowers when employees can work remotely.
Not Safe At Home
Allowing employees to work from remote locations has its potential pitfalls, however, and the lack of cyber security is a big one. Employers would be wise to conduct a cyber security review of each work-from-home office to identify and eliminate exposures.
Have an IT professional visit each home office and examine the connection to the company's network. Is it adequately protected by robust ID/password combinations, and are these updated regularly? How much access does the remote employee have to company servers, clouds and other databases? Are these adequately protected by firewalls and other defenses? Can access to sensitive information be restricted to a need-to-know basis? Can activities be tracked and alarms sounded in the event of an attempted cyber breach? Are files backed up regularly to a secure location? Your goal is to make the home desktop, laptop, tablet, cell phone and other devices that have access to company servers and networks as secure as any computer in the home office.
It's a good idea to investigate the employee's internet service provider (ISP) as well. You'll likely want the ISP that serves your company headquarters to serve the remote home offices. If that's not feasible, make sure the ISP each employee uses offers the latest generation of security enhancements.
You'll also want to establish policies for the use of company computer equipment in the home office. It is almost impossible to stop employees from accessing company computers and internet connections at their home office for personal use, but you should set limits and guidelines as to what is allowable and what is strictly prohibited. For instance you should prohibit employees from visiting any websites that contain offensive content. Set guidelines for how to handle suspicious email attachments. And prohibit anyone other than the employee from using the company computer or network.
Educate all remote workers (indeed all employees) on cyber threats and how to address them. Discourage employees from using laptops or other devices attached to the company's network on public Wi-Fi connections at airports, hotels, coffee shops and other vulnerable places.
Enter Cyber Insurance
More and more insurers are developing cyber insurance policies that provide a broad range of coverages, most of which apply to remote office exposures. Specific coverages and policy language will vary by carrier. When reviewing policies, look for and discuss the value of the following coverages and how they apply to remote offices:
Network and data security breach
Loss of income
Business interruption and extra expense
Electronic media liability
Security breach remediation and notification expense
Computer program and electronic data restoration expense.
Beyond the insurance coverage, some innovative insurers now offer robust risk management resources and services that strengthen your cyber security measures, both pre- and post-breach. These may take the form of Web-based risk management portals and companywide Webinars on specific cyber liability topics. Insurers can also assist with assessments of your current vulnerabilities. And should you suffer losses, you'll likely receive assistance from your insurance company in tracking the infiltration, identifying the perpetrator and notifying those whose data has been compromised.
Physical "Real World" Liabilities
In addition to having cyber liabilities, remote workers present real-world liabilities for material and financial losses as well as physical injuries. Consider these risks associated with remote work-from-home employees:
As an employer, you have an obligation to provide a safe working environment for your employees, including remote workers. It is recommended that the home office be restricted to a defined space, preferably one that is used solely for conducting company business. Once defined, the home office space should be examined by an ergonomic and safety consultant. Consider:
Furnishings and equipment should be ergonomically designed to help prevent injuries, including repetitive motion and carpal tunnel injuries. The chair and its relation to the desk should provide both comfort and support.
Lighting should be designed to provide ample illumination of the employee's work and to avoid eye strain due to glare and shadows.
Electrical, phone and computer wiring should be safe and secure. Make sure there are no trip-and-fall or fire hazards and that surge protectors and other electronic safety equipment is properly installed.
Smoke, fire and carbon monoxide detectors should be installed in and around the home office and tested on a regular basis.
Walkways and outdoor entrances should be kept clear and clean and the surface designed to prevent trips, slips and falls.
Home workers should be trained in proper use of equipment and basic ergonomic principles. Such training should be documented and updated as necessary.
In addition to having sound cyber security, home offices need to be physically secured as well. Consider these added measures:
Install locks and alarms that enable the employee to secure the home office from the outside and the rest of the home.
Establish rules, such as the use of locked and fireproof files and safes, to secure sensitive business property.
Set procedures to have all electronic files backed up regularly at the main company office or a secure offsite location.
Remote offices raise insurance concerns beyond cyber insurance for both the company and the work-from-home employee. It is crucial that the employee's personal homeowners coverage and the company's business policies be carefully melded to ensure there are no significant gaps that create uninsured liabilities for either party. Consider these insurance scenarios:
Should a client, supplier, or other business associate become injured while at the home office, the employee's homeowners insurance will likely provide the primary coverage.
Should the work-at-home employee become injured at the home office, the company's workers compensation policy likely covers the incident.
If company equipment at the home office is damaged or stolen, the company's general liability policy may provide primary coverage for the loss. However, the equipment and its location would likely have to be identified on an endorsement to the company's property insurance schedule. Alternately, the company's policy form (BOP or PKG) may provide limited coverage for company equipment.
If the employee's personal office equipment becomes damaged or is stolen, it would likely be covered by the employee's homeowners policy.
If an employee is involved in an automobile accident with his or her personal car while traveling from the home office to the company headquarters or to a client or supplier, his or her personal auto policy likely provides primary coverage. If the company has a "non-owned vehicle" endorsement on its general liability policy, that may provide excess coverage.
Clearly, insurance issues can be quite tricky when it comes to work-at-home offices. When there is a mixture of employee and company property involved it becomes even more confusing.
Ask to see a copy of the employee's up-to-date homeowners policy. Sometimes, the employee has, in the company's mind, inadequate limits of coverage. If that's the case, who would pay for raising the coverage limits on the homeowners policy?
It is also advisable to alert the employee's homeowners insurer regarding the business activities taking place at the home office. It is best to clear up any coverage questions before a loss occurs.
We invite you to contact us to discuss your remote worker situation and develop a comprehensive insurance plan, including cyber insurance, that can provide both you and the employee necessary coverages, security and peace of mind.
We may be able to help you by providing referrals to consultants, and by providing guidance relative to insurance issues, and even to certain preventives, including the development and application of sound human resources management policies and procedures. Please call on us for assistance. We’re a member of the Professional Liability Agents Network (PLAN). We’re here to help.
For more resources dedicated to Professional Liability go to our Architect & Engineer page.