Employees working from home? Tips to reduce cyber-risk

From natural disasters to politics, from supply shortages to travel restrictions, it’s a complex world right now. And with the ongoing occurrence of COVID-19 cases, many of us are still trying to perform that tricky balancing act of working from home in some fashion. If that wasn’t enough to juggle, an increasingly menacing presence lurks in the shadows and poses a bigger threat than ever  ̶  cybercrime.

Cybercrime comes in many forms, from the large-scale ransomware attacks on entire companies and networks, to the seemingly innocuous, yet malware-laden, link embedded in the email from the CEO that you just opened. As fully remote and hybrid workforces become the new norm, a perfect storm is brewing. With over 70% of workers saying they want flexible remote work options to continue, cybercriminals are working overtime to take advantage of this surge, resulting in 20% of companies indicating they’ve experienced a remote work-related security breach.

Chances are, many of your clients’ employees are spending more time on websites, social media and especially online meetings. Meanwhile, an increasing number of malicious cybercriminals are unleashing everything in their arsenal, from phishing emails and fake texts, to robocalls and zoombombing.

With the increased volume and sophistication of cybercrime, it’s no wonder that identity theft concerns are higher than ever – and over half the brokers surveyed in Cipher’s 2021 Voluntary Benefits Trends Study expect plan sales increases in identity theft protection. Willis Tower Watson echoed those growth projections, reporting that about 53% of employers currently offer identity theft insurance and 78% say they’ll offer it in 2022 or beyond. With so much critical information being stored online, providing ID protection can offer employees greater peace of mind – and potentially an added layer of protection for employers.

To better understand these cyber-related risks and what can be done to mitigate them, I spoke with Steve Sanford, a security analyst here at ARAG®, a legal plan insurer based in the Midwest. He works to ensure that employees have the appropriate level of security surrounding technology used by the company, and monitors access to our network and data. He receives 10-20 reported hacking attempts on our network daily, and provided some eye-opening observations about cyberattacks, practical tips to help avoid becoming a victim and advice on what to do if something happens.

Working virtually – secure or not secure? 

Sanford says that if you are working from home, the ideal scenario is to be connected to a VPN, or virtual private network, that encrypts the data you’re sending back and forth. “When the pandemic began, we took the important step of reissuing specialized software and hardware, tools and programs that were secure, safe and specifically built for the purpose of working remotely, so it retains all of our controls, all of our protections,” Sanford adds. “It’s no different for us than if we were in the office.”

However, he points out that for employees who are working from home from a personal laptop or a computer that is not connected to an appropriately secure network, the vulnerability for attacks ramps way up.

“There’s no way to know if you have adequate anti-virus programs or a firewall set up to protect the data you’re sending or your PII. Frankly, if you’re not using a VPN, you probably shouldn’t be working from home.”

Related: Benefit plans and cybercrime in the post-pandemic world

An added risk, Sanford points out, is the myriad smart devices that now reside in our homes, ranging from voice-powered assistants to Wi-Fi refrigerators, which all open the door to digital intruders. “The more technological conveniences you incorporate into your home, the more risk you add that somebody is going to find some way to infiltrate the device and leverage it against you, whether it’s unlocking your front door or crashing a Zoom call.”

Developing good data hygiene habits 

While the essential building blocks of any data security system mainly consist of anti-virus programs and multi-factor authentication, Sanford feels the main deterrent in preventing cyberattacks is refreshingly simple: us. “Educating our employees, continuing to update them with best practices and testing them in protecting company data is our first – and best – line of defense against hackers and cyberattacks.”

He suggests some additional straightforward and immediate steps you can share with others to bolster cybersecurity efforts when working from home:

• If you don’t know it, don’t click it. “People clicking on a link in an email or on a website – it’s the number one vector of attack, the biggest hole in any defense – and the first thing we train our employees to not do!” according to Sanford. A simple rule is that if you’re not expecting it, simply don’t click on it.
• Mix up passwords…and phrases. It’s a given that you shouldn’t use the same password across different platforms, yet Sanford believes it happens because of the complicated password combinations that are required. As a result, users enter the bare minimum of characters or use the same password for simplicity’s sake, making it that much easier to be hacked. Sanford suggests one option to consider, when possible, is to use an easily memorable “passphrase” with words separated by spaces – the longer the better.
• Quit sharing on social media. Providing personal details about your family vacation, announcing a new job or answering online quizzes are not necessarily bad things on their own, but pieced together, the information you provide allows hackers the PII needed to hack your accounts.
• Treat your home computer like your work computer. While working from home, treat your computer and the data you share like you would if you’re at work – with the mindset of protecting the company’s information no matter where you’re working. Sanford suggests, “When you’re at home, be as safe as you would be in the office. Lock your computer when you get up, don’t let anyone else use your computer or look at your screen.”

Steps to take if hacking happens

To help employees minimize potential financial loss or damage to their reputation or credit standing, Sanford suggests reporting it as soon as possible.

“If you think you’ve been a victim of identity theft, you can typically file a report with your local police department. That way you have a record of it if you need to relay it to creditors.” He adds, “Also, file a complaint with the Federal Trade Commission (FTC). Go through your credit report in detail and consider putting a fraud alert on your credit report.”

Sanford adds, “If you think a financial account may have been compromised, call your financial institution immediately and put a hold on or close the account. Should a credit or debit card be stolen or your personal information compromised, reset your password, and use two-factor authentication if possible, for added protection going forward.” He adds, “Ideally, you could use some type of identity theft protection service to help prevent it from happening – or use it to mitigate losses if something does occur.”

Plans that offer identity theft monitoring and/or restoration services are often available through entities such as a financial institution or a legal insurance plan. Sanford notes, “Typically you work with an identity restoration specialist who’s got extensive training and experience in dealing with these situations and can offer more specific advice and steps to take. In many cases, they can take actions on your behalf.”

Employers already have their hands full trying to manage a workforce that’s working virtually – at least some of the time. Proactive education on data hygiene best practices, along with professional ID theft monitoring and restoration services can be a powerful combination in mitigating cyber-risk. They can also serve as invaluable resources to help minimize the impact on employees – and their employers — if a cyberattack should occur.

Dennis Healy is a member of the ARAG® executive team. Dennis is a passionate advocate for legal insurance because he has seen firsthand how it helps people receive the protection and legal help they need. He has nearly 30 years of insurance industry experience, with a primary focus on the sale of group voluntary benefit products to employer groups of all sizes through the brokers and consultant community.