10 Ways Companies Can Protect Against Cyber Attacks When Employees Are Working at Home

The increased amount of employees who work from home have heightened the potential of already prominent cyber risks. Here are 10 ways to diffuse them.

By: Annemarie Mannion | November 5, 2021

Topics: Cyber | Risk Management

The COVID-19 pandemic eventually will wane, but it appears some of its effects will become lasting, including more employees working from home.

The remote-work trend can make companies more vulnerable to cyber security threats, especially because home internet connections are generally less secure than those in an office environment, and employees may be more at risk of falling prey to cyber criminals, from both social and technology standpoints.

The good news, according to Gwenn Cujdik, claims manager for cyber incident response at AXA XL, a global commercial insurance and reinsurance company, is that companies are aware of the increased threats and are seeking to bolster their cyber security defenses.

“Cyber security is certainly on the radar for most businesses and companies, especially since COVID,” Cujdik said. “The challenge is to make sure that their data and network are safe and secure.”

Cujdik offers ten tips on how to prevent cyber attacks, especially when employees are working at home:

1) Training Against Phishing

“The human element is something that the bad guys will always try to take advantage of,” Cujdik said. “That is something that even the best tools sometimes can’t overcome. People fall victim to social engineering events, downloading malicious software or having their credentials compromised.”

The best way to help employees understand the threat is to train them in how to recognize the dangers, understand the bigger picture of how a cyber attack can adversely impact their organization, and encourage them to ask questions or seek input if they receive a suspicious email, or have another question about cyber security.

“Training is a huge thing that we often advise companies to do,” she said. “They also need to make sure they are up-to-date on the latest cyber security threats and are consistently training employees about cyber security.”

She said that training done virtually is just as effective as an in-person session.

“Virtual training is great,” she said. “The important thing is to conduct trainings regularly.”

2) Raise Awareness

Keeping employees aware of a challenge such as cyber security can be easier when people are working in the office, but it is still possible to raise cyber security awareness for employees working at home.

“Companies can and should take advantage of the technology they have such as sending emails about cyber security or using company screen savers or pop-up banners to remind colleagues of training sessions or other efforts focused on enhancing cyber security,” she said.

Many companies also host cyber-security focused events during the month of October, which is widely recognized as cyber awareness month. Holding regular coffees or other virtual events to reinforce the importance of maintaining cyber security can also help raise awareness.

“It’s a great way to connect with each other and it’s also a way to continue the virtual trainings that can keep employees on top of evolving cyber security threats,” she said.

3) Take Advantage of Third-party Training Programs and Software

Cyber security training programs do not have to be created from scratch. Cujdik said there are many programs that simulate real-life scenarios to help employees improve their cyber security game.

“Third-party training programs for phishing help companies understand how to prevent cyber security events by simulating phishing. A lot of IT companies are using third parties to help bring awareness of phishing events.”

4) Password Complexity

Cujdik said companies should require employees to use complex passwords and to rotate them. Employees should never use the same passwords for their professional and personal lives.

“Using the same password for personal use and professional work is a huge danger because it is easier for those passwords to be compromised,” she said. “Cyber criminals can get access to a network and try to elevate their access from a standard user to an administrator, which essentially gives them the keys to the kingdom.”

5) Multi-factor Authentication

A common example of multi-factor authentication is to use a password in combination with a code sent to a smartphone so an employee can authenticate themselves.

Cujdik said multi-factor identification is another good way to prevent a cyber attack.

“Even if a password is compromised in some way, there is a backup solution in place that catches it and keeps people from logging on to the environment,” she said.

6) Endpoint Detection Response Tools & Managed Detection & Response Services

Cujdik noted that a lot of companies use endpoint detection and response (EDR) tools which may rely on artificial intelligence and other tools to keep their companies and networks safe.

She suggested taking it a step further and consider using a managed detection and response (MDR) service, which are service providers who specialize in monitoring the EDR tools.

“That’s a group of professionals who are watching out 24/7 for viruses and known threats, and also for other, less common threats,” she said.

“There are a lot of different pieces of malware that the EDR tools might not catch that the MDR will catch,” she added. “They can alert the company that something is happening that doesn’t seem normal and say ‘Let’s talk about this and cut it out before it gets to be something like a ransomware attack.’”

She noted that many companies are deploying Endpoint Detection and Response Tools, with the managed detection resource as an added component.

7) Patching Firewalls and VPN

“This summer we saw a big spike in vulnerability of firewalls and people trying to get in through the VPN,” Cujdik said. “Having that patch and making sure that you constantly have the most up-to-date configurations for those security features is really important.”

“After you install a firewall or VPN, you have to maintain it and make sure you’re on top of the latest updates and patches.”

8) Minimize Remote Access

Remote access to a computer should be limited to minimize intruders accessing your network through a remote desktop portal.

You should limit remote desktop access to trusted sources, such as your IT department. Many employees, especially those working off-site, may rely on their IT department to remotely access their laptops to help them solve any technical issue that may arise. While that ability is often valued by employees, Cujdik said it needs to be protected.

She suggested requiring access to remote services through a VPN and using multi-factor authentication to enforce defenses.

9) Keep Professional and Personal Use of Work Computers Separate

“When employees are working at home there can be a huge blurring between professional and personal lives,” Cujdik said. “Employees want to make sure they are keeping them separate. A work laptop should be for work only. An employee shouldn’t be accessing personal websites or going on the Internet scrolling websites in their spare time.”

She said employers should track employees’ work computer use, and let them know when a problem arises.

“You should be looking into whether employees are going to risky sites, and keeping an eye on what they are downloading, which can be done very easily through their IT department.”

Employers should notify employees when they notice them using a computer inappropriately. In many instances, companies have installed firewalls that prohibit downloading software or access to risky and malicious sites to ensure employees adhere to company security policies.

If something slips through the cracks, the IT department should make sure to communicate with the individual and remind them that certain things need to be approved by the company or, for example, say ‘I saw that you visited this website and that is a risky website. We want to remind you that you have to abide by company policies regarding securing our systems and network.’”

10) Back Up Data

Cujdik also advised companies to back up their data in an environment that’s segregated from the network so they can recover that data if needed. &

Annemarie Mannion is a freelance writer. She can be reached at [email protected].

Why Insureds Might See an Uptick in M&PL Claims

George Schalick, Jr., Senior Vice President of the Management and Professional Liability Division, Philadelphia Insurance Companies

The current soft market might come as a bit of a surprise as it does not track with previous underwriting cycles and economic conditions. Afterall, many privately held and non-profit organizations struggled during the early days of the pandemic with shutdowns and rapidly declining revenues. But the Government assistance programs, like the Paycheck Protection Program loans, helped keep many afloat during the tough times.

“During COVID many organizations stopped doing business until they were able to sort out all of the health and safety challenges,” Schalick said. “They were forced to lock down, but then all the government assistance programs allowed them to keep people employed. The increased volume of claims we anticipated we would see coming from the lockdowns and restrictions that were imposed upon businesses in the U.S. didn’t manifest at first.”

“Just because there wasn’t an onslaught of reported claims at the beginning of the pandemic, doesn’t mean the circumstances that would give rise to a claim being reported didn’t occur. Courts and the judicial system were closed or slowed and now that they are back open, we’re starting to see the circumstances that occurred during the COVID lockdowns becoming claims today,” Schalick said. “Litigation is progressing.”

Added to the delayed pandemic litigation is a concern over newer claims that might be filed as the country inches toward an economic downturn. Though a recession was avoided in 2023, experts think a soft dip could occur in 2024, with 76% of economists saying there’s a 50% or less chance of an economic downturn this year — that almost always results in more management liability claims.

“During the Great Recession in 2008, we saw an almost immediate spike in claims because of the economic conditions and the pressure it placed on organizations. They were making personnel changes with significant belt tightening almost immediately.” Schalick said.

What’s in Store for M&PL Policy Rates in 2024?

Despite an uptick in claims and increased economic uncertainty, management liability rates haven’t increased, resulting in market-wide pricing levels that may not meet the increased pressure of rising settlements and jury verdicts.

“Rates are going the other direction and settlement values are not falling,” Schalick said.

The mismatch between rates, claim frequency and severity is, in part, because carriers experiencing the dramatic soft market in the public D&O market are seeking premium gain in the private and non-profit market.

“In the public company market, the rates have been decreasing significantly. The rates were increasing in the private, not-for-profit market, and rightfully so, but there’s a desire to supplement overall mid-size D&O for carriers who also write private not-for-profit, and they see that as an opportunity to aggregate premium,” Schalick said. “So the always competitive landscape in the private, not-for-profit market has dramatically increased in the last 18 to 24 months.”

Still, companies of all sizes and types should be concerned about management liability rates in the future. Legal system abuse is resulting in increases in both the amount of litigation and the size of verdicts plaintiffs are receiving.

Certain areas of the country are particularly vulnerable to this type of legal system abuse. As a result, insureds in these localities are likely to be vulnerable to rate increases.

“The environment is so positive for the plaintiff that forces premium increases so carriers are able to stay in that market long term,” Schalick said.

Why a Tenured Carrier Partner Can Help Insureds Navigate An Uncertain Market

It’s clear that insureds are facing an uncertain M&PL market over the next few years. Fortunately, carriers with a long history in the M&PL space will be there to offer stability.

Philadelphia Insurance Companies has been supporting this market for 35 years. PHLY is committed to offering long-term rate stability, even as economic and claims trends start to push premiums upwards. They have an appetite for all sorts of companies, large and small, for-profit and nonprofit alike.

“We’ve been at this game for a long time and are one of the most tenured underwriters in this space,” Schalick said. “We like to stay very consistent.”

PHLY has worked with both for-profit and non-profit on management liability policies. With dedicated M&PL teams throughout the company’s 13 regions, PHLY provides the support agents and brokers are looking for on behalf of their clients. The teams know their regions well and can respond to local trends. They’re also dedicated to making the renewal process as easy as possible for their partners and policyholders.

“We have real confidence in our results, so we focus a lot on making the renewal experience as painless as possible for all agents and insureds,” Schalick said.

The company is also investing in tools to help insureds avoid losses. Earlier this year, they launched a new online risk management platform, PHLYGateway, which offers resources for insureds on how to create an employee handbook and trainings on issues such as recognizing workplace sexual harassment and discrimination.

If insureds have questions, they can consult a Best Practices Help Line, provided via the platform. That way, they can get on the spot risk management guidance to help them prevent claims.

To learn more, visit: https://www.phly.com/mplDivision/managementLiability/default.aspx.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Philadelphia Insurance Companies. The editorial staff of Risk & Insurance had no role in its preparation.