
Remote Work Guide

Today, it's critical for every agency to be fully prepared for remote work – whether this entails staff being full-time remote or hybrid, working some days at home and some at the office.  But how do you get started?  What policies need to be created?  What equipment or services are necessary to ensure a secure and productive work environment for your team at home, in the office, or on the road?  

This 'Remote Work Security Policy' from the ACT Security Issues work group provides a template outlining areas to cover, to help ensure success for your employees and your agency. 

NOTE:  This Guide is provided for general informational purposes only. State and federal laws impose varying security requirements on agents and brokers.  Therefore, it is very important for agents and brokers to carefully review or seek guidance on applicable laws and regulations in all jurisdictions where they do business when structuring their specific security policies. This Guide is not intended to constitute business, legal, or other professional advice and shall not serve as a substitute for obtaining such advice.  If specific advice is required or desired, the services of an appropriate, competent professional should be sought.


Agency Office Needs

Security considerations for connected hardware and software. This section provides insight into the variety of security considerations agencies should address for their connected hardware and software. It is split into sections specific to each area, to help ensure you are successful in securing all of your remote work needs.




Agency Management System (AMS)
 ASP/cloud-hosted versus locally installed system (thin client)
  • Adhere to management system provider contracts by using secure connectivity.  Note: This may prohibit the use of public Wi-Fi or other public connectivity.
  • Ensure security settings are enabled on mobile apps used to access your AMS and other agency technology.

VoIP
  • Ensure your VoIP credentials are configured accurately. Instead of using default settings and passwords, users should configure secure credentials to avoid vulnerabilities.
  • Confirm you are using a Virtual Private Network ('VPN').
  • Run regular security checks.
  • Ensure software updates are applied when available.


Customer Relationship Management (CRM)
  • Choose only a trusted CRM provider. Vet these using industry resources such as your AMS user groups, state associations, etc.
  • Ensure access is secure via a firewall.
  • Use strong, unique passwords; do not reuse them across systems and do not share them.
  • Monitor activity and set up security alerts to report unusual activity.

Ensure Confidentiality of Client Info in Remote Work Situations
  • Consider shared workspaces, who can see or may have access to computers.    
  • Create a policy for shredding printed information.   
  • Evaluate locally saved temp files and other files on remote devices (phone, tablet, or PC).

     

Operating Systems, Browsers, and App Software Updates
  • Enable automatic updates for all operating systems and security platforms in use.
  • Use the latest browser versions and confirm which browsers are supported by your software (ex: Internet Explorer no longer approved).

Mobile Devices
(Tablets, Phones, BYOD)
Policy and technical management components
  • Develop a policy for the security considerations of Bring Your Own Device (BYOD) vs. company-supplied, business use only devices. 
  • Apply an overall 'best practices' methodology for your mobile devices - The NSA offers an easy-to-use overview HERE.  
  • Consider the security implications of employee usage of AMS or CRM mobile applications, email, and all-agency collaboration software such as Office365 on BYOD.
  • Consider which technical security requirements employees should have on mobile and BYOD devices.
  • Implement the use of antivirus, or other endpoint-to-cloud security platforms for mobile devices (ex: Lookout, CipherCloud, McAfee, etc.).  
  • Be sure you can remotely wipe company information from a BYOD device in the event the employee leaves the firm. 
 


Remote Work Plan of Action

This section is split into two components: (1) considerations and actions for Agency Leadership to ensure a secure remote working environment for employees, and (2) employee remote work responsibilities. These can include the software being connected to, physical hardware settings, and other security considerations.






For Agency Leadership

Many of the following security devices or platforms do not ‘come out of the box’ fully secured - they require analysis and changes to settings. Some may require technical expertise provided by a security/IT department, or a cybersecurity provider.

Implement Multi-Factor Authentication (MFA)

  • Defined: Multi-factor authentication grants users access to a website or application after successfully presenting two or more pieces of evidence to an authentication tool.
  • EXAMPLES:  Applications such as Duo, Google Authenticator, RSA SecurID, Ping, and some password managers have this capability.  NOTE: Review your office's needs and determine which option is the best fit for the office.
  • Consider industry initiatives such as SignOn Once as a resource.

Limit employee access privileges to only what is necessary for each staff member's role and responsibilities.

Be aware of PUPs (Potentially Unwanted Programs) that can be launched when loading a new app.  PUPs can disable services to make an app work better, collect unwanted info, and slow computer speed.

Secure all access points: configure your VPN (Virtual Private Network) / RDP (Remote Desktop Protocol) with appropriate security levels. Also, limit the number of RDP (Remote Desktop) connections whenever possible.


Implement strong password management and possibly purchase password management software (such as LastPass, KeePass, DashLane, etc.).


Consider industry initiatives such as SignOn Once/ID Federation as a unified credential management resource when possible.


Turn on Access Logs to ensure important data is captured for review in the event of a breach. This should be part of larger agency cyber security policies like those outlined in the Agency Cyber Guide 3.0.
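Access logs are only useful if someone reviews them, which is the point of the earlier CRM item about monitoring activity and setting up alerts for unusual activity. The following is an added example (not part of the ACT guide and not a real product's log format) of a small review script over a constructed `key=value` access log: it flags a burst of failed logins, a successful login from an IP address never seen for that user, and a successful login outside business hours. The log lines, user names and IP addresses are constructed (documentation address ranges), and the regular expression would need to be adapted to the format your AMS, CRM or VPN actually writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "key=value" format (times in UTC).
SAMPLE_LOG = """\
2024-03-04T08:58:11Z user=alice ip=203.0.113.5 result=success
2024-03-04T09:02:40Z user=bob ip=198.51.100.23 result=success
2024-03-04T22:14:03Z user=bob ip=198.51.100.23 result=failure
2024-03-04T22:14:09Z user=bob ip=198.51.100.23 result=failure
2024-03-04T22:14:15Z user=bob ip=198.51.100.23 result=failure
2024-03-04T22:14:21Z user=bob ip=198.51.100.23 result=failure
2024-03-04T22:14:27Z user=bob ip=198.51.100.23 result=failure
2024-03-04T22:14:33Z user=bob ip=198.51.100.23 result=failure
2024-03-05T03:41:55Z user=alice ip=192.0.2.77 result=success
"""

# Constructed baseline: addresses each user has previously logged in from.
KNOWN_IPS = {"alice": {"203.0.113.5"}, "bob": {"198.51.100.23"}}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\S+)$")


def parse(text):
    """Turn log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"], "ip": m["ip"], "result": m["result"],
        })
    return events


def detect_failed_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """One alert per user whose failures reach `threshold` inside a sliding window."""
    alerts = []
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["user"]].append(e["ts"])
    for user, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                alerts.append(("failed_login_burst", user,
                               f"{count} failures within {window} from {start.isoformat()}"))
                break
    return alerts


def detect_new_ips(events, known_ips):
    """Alert on a successful login from an address not in the user's baseline."""
    alerts = []
    seen = {u: set(ips) for u, ips in known_ips.items()}
    for e in events:
        if e["result"] != "success":
            continue
        user_ips = seen.setdefault(e["user"], set())
        if e["ip"] not in user_ips:
            alerts.append(("login_from_new_ip", e["user"], e["ip"]))
            user_ips.add(e["ip"])          # alert once per new address
    return alerts


def detect_off_hours(events, start_hour=7, end_hour=19):
    """Alert on successful logins outside the agency's working hours (UTC here)."""
    return [("off_hours_login", e["user"], e["ts"].isoformat())
            for e in events
            if e["result"] == "success" and not (start_hour <= e["ts"].hour < end_hour)]


def analyze(text, known_ips):
    events = parse(text)
    return detect_failed_bursts(events) + detect_new_ips(events, known_ips) + detect_off_hours(events)


if __name__ == "__main__":
    for rule, user, detail in analyze(SAMPLE_LOG, KNOWN_IPS):
        print(f"{rule:20} {user:8} {detail}")
```

Thresholds and working hours are assumptions to tune per agency; the value of the script is that the review is repeatable and the baseline of known addresses grows as legitimate logins are confirmed.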


Consider reports that should be available to download to a non-work-issued computer. Make sure you consider any reporting that could be available to download to non-agency drives.



When company devices are not provided, define acceptable use of personal devices as well as the system requirements necessary when accessing sensitive data.

  • Ensure devices going home with staff are up to date and properly secured according to appropriate agency policies and procedures.
  • Consider adding an extra step to have validation/dual approval on financial transactions for remote staff that handle financial processes/requests.
  • Implement strong and consistent agency security training as part of the Agency Cyber Guide recommendations.
  • Develop and implement policies and procedures aligned to cybersecurity best practices (refer to the Agency Cyber Guide 3.0 for more detailed content).



For Employees Working Remotely

Consider data exposure in your home or another remote work environment. Who can see/hear what you're doing? What devices share a network and could access information?

Treat your work-at-home environment as if you were in the office.  Adhere to agency processes on limiting non-work use on devices or networks that are connected to the office or accessing resources.

Apply an overall 'best practices' methodology for your mobile devices - The NSA offers an easy-to-use overview HERE.


At-Home Physical Technology

Router

  • Change the default router password (initial setup, and change twice a year ongoing).
  • Segment the router for work vs. personal use: if possible, use existing segmentation between Wi-Fi nodes (initial setup, and as needed):
    • 2.4 GHz (for work applications and connectivity), vs.
    • 5.0 GHz (for personal streaming, online gaming)
  • Use a hard-wired ethernet cable if available, for dedicated work bandwidth (initial setup).
  • Update the firmware, or the router itself if outdated (initial setup).
    • Updates may require advanced knowledge and assistance.
  • If you can, invest in a quality router to avoid using the ISP-provided router.

Computer/Laptop – Agency-Issued
  • Only allow work-related software to be installed.
  • Limited to work use only: do not access personal sites or social platforms.
  • Use password-protected login and set screen timeouts. Initial setup, and as needed
  • Use next-generation antivirus or other security platforms for mobile devices (ex: Lookout). Initial setup, daily
  • Devices should be remotely monitored with the capability to push updates (not dependent on connection to the company network).    
  • Use hard drive encryption, and ensure outdated or retired hard drives are wiped.  Initial setup – Refer to Agency Cyber Guide 3.0.  
  • Consider making devices 'wipeable'; able to remotely lock/erase data. 

 


Computer/Laptop Personal, used for Work (whether accessing agency data via VPN or software such as Citrix)

  • Treat it like a work-issued device; see the 'Agency-Issued' considerations above. Security and processes for personal devices should be at the same level as for work-issued devices.  Daily   
  • Set up separate 'work' and 'personal' user profiles.  Initial setup
  • Use next-generation antivirus or another security platform for mobile devices (ex: Lookout).  Initial setup, daily
  • Use a VPN to shield the connection when connected to public Wi-Fi, or use a mobile hotspot.  Initial setup, daily
  • Even in a remote environment, watch for people looking over your shoulder or people eavesdropping.  Always
  • Don't leave devices unattended.
  • Don't use a public charging station.
  • Have disk encryption in place in case a device is stolen. Initial setup

Document/Data Point Storage

  • Do not store documents and data locally on your computer
  • Ensure you understand your cloud storage options on the AMS, CRM, and other agency systems.  Ensure you follow corporate cloud guidelines.
  • Utilize approved cloud file hosting services such as Microsoft OneDrive as well as network storage whenever applicable
  • Destroy any customer/credit card/PCI and agency data that you capture as soon as it has been stored in the agency system.
  • Adopt an agency shredding policy


Webcam Security

  • Use a webcam cover – both for built-in and external cameras.
  • Use a laptop webcam 'kill' switch (if available) when not in use.
  • As with previous steps, use solid anti-malware/spyware virus protection.  Initial setup, daily

Printing

  • Follow agency policy on securing, retention, and shredding.
  • Wireless printers (Initial setup, daily):
    • Limit or disable network printing
    • Secure printing ports (disable ports 515, 721-731, 9100)
    • Use your firewall
    • Update firmware to the latest version
    • Change default password


 


Human/Behavior Aspects

This section details the 'human' aspects that can creep into everyday work and processes and lead to actions that expose sensitive data or enable cyberattacks.  Note that these can occur regardless of role across an agency, so all must be vigilant.  These behaviors must be embraced and driven by senior leadership through all staff and monitored consistently.



  • Provide training on email phishing and current hacking red flags; vendors such as KnowBe4, Cofense (formerly PhishMe), ESET, Keeper, LastPass, DashLane, RoboForm, and others offer resources.
  • Develop policies for reporting and dealing with phishing/hacking attempts.
  • Offer training on eliminating distractions and preventing errors.  
  • Implement and follow policies for using work laptops for social media, YouTube, personal communications.
  • Create a policy for printing and destruction of anything containing PII
  • Create clear communications and expectations (use the ACT 'Remote Work Best Practices Guide').
  • Implement virtual get-togethers and virtual breakrooms to keep remote staff connected.  




For Agency Leadership       
  • Develop policies and procedures for both in-office and for out-of-office work (use ACT's Remote Work Best Practices and Remote Work Agreement).
  • Make sure a well-written and tested Incident Response Plan is in place that accounts for how remote workers will play a role in the process (notification process, staff responsibilities, etc.).  Refer to the Agency Cyber Guide's 12-Step Compliance Roadmap for more detailed content.
  • Ensure an agency's Cyber Liability Policy covers remote workers and that coverage is sufficient.


Additional Suggestions for the Home User/Employee 

  • Be an asset, not an addition to the problem. Ensure you are not only following agency policy and procedure, but also if you detect a potential issue or concern, alert agency leadership.
  • Be vigilant about phishing emails in general and especially those specific to world events.  Examples of this are emails asking for donations to Coronavirus relief, fake emails on vaccine availability, etc.
  • Create your own 'WFH' network to share issues and learn about tips and tricks.  Several social networks like Facebook have 'remote work' and 'WFH' groups, and employees can find support in their geographical area.
  • Quickly report phishing emails and malware infections.
  • Be cautious with web browsing, saving data, and the transfer of sensitive information.  Follow agency policies on work versus personal browsing and applications.

127 South Peyton Street
Alexandria VA 22314
phone: 800.221.7917
fax: 703.683.7556
email: info@iiaba.net
