Cyber security tips to harden your agency’s remote operations

While many businesses are still shuttered or working remotely, here’s one business that is not: cybercrime. Cyber security is a major issue for businesses working from home (WFH). During a single week in April, Google saw more than 18 million daily malware and phishing emails related to COVID-19, and the FBI says that cybercrime reports quadrupled during the COVID-19 pandemic.

It’s vital that you harden your agency’s cyber security for ongoing remote work. While most regions of the country will see a relaxation of stay-at-home rules in the coming weeks and many businesses will move back to their normal offices, it’s likely that some level of WFH arrangements will be with us for the foreseeable future. Many employers may choose to rotate office staff to adhere to social distancing guidelines or will accommodate at-risk or older employees with WFH. Plus, we don’t know if resurgences of COVID-19 in the fall or winter might impose further geographic quarantines or stay-at-home rules.

With this in mind, it’s important to take steps to tighten your WFH security practices and communicate these requirements to those working remotely. We offer best practices and cyber security tips we’ve gleaned from trusted sources. Although some of these are common sense, failures to follow them are still the source of most breaches that occur, so they are essential to follow.

Cyber security tips for devices

Ideally, you and your employees should not be working on personal devices. Given that you may be facing ongoing or intermittent WFH setups, it might be wise to invest in agency-supplied laptops that are securely configured by your IT staff/consultant. That way you can enforce security best practices, such as restricting access to unapproved third-party applications. When employees use unvetted software, apps, or personal devices, they’re inadvertently complicating your ability to comply with industry regulations and develop a thorough disaster recovery strategy. If one of these third parties is hacked and your data is exposed, the consequences can be financially disastrous. The cost of agency-supplied and configured laptops would pale in comparison.

Other security best practices:

  • Password protect your office devices, including your phone.
  • Have secure passwords. Vary them by site; don’t use the same password for all sites. Update them regularly or use a password manager. See The Best Password Managers for 2020 (PC Magazine) and The best password manager for 2020 (CNET).
  • Keep your computer software and browsers up to date with the latest versions on all devices.
  • Make sure you have anti-virus and anti-malware software running on your computers. Install updates when alerted to do so. In addition to your preferred antivirus program, many security experts recommend the “belt and suspenders” approach of having an anti-malware program such as Malwarebytes, too.
  • Enable two-factor authentication on key accounts when available. (See: Two-Factor Authentication: Who Has It and How to Set It Up)
  • Lock your computer when away from your desk.
  • Log out of devices at the end of the day.
  • Don’t log in to important accounts or financial sites when on free, public Wi-Fi.

Phishing and social engineering attacks

Human error is the single biggest cyber security threat facing every business. It’s far more common for a cyber criminal to gain access to your systems or data via a lax employee than by a brute force hack. Phishing is using email spoofing and other tricks to get you to give up personal info or click to a dangerous website that might expose you to a virus or a computer hijack. Phishing scams by phone, email, or websites and other social engineering threats are a primary entry point, often impersonating trusted sites or people/companies that you know. Educate your employees about threats and establish best security practices for staff. Provide alerts and training on common threats like phishing, and require reports of any suspicious events.

While most of us are alert to “stranger danger,” our weak spot is in clicking links from people or businesses we know. Many of the big brands we use every day – Microsoft, PayPal, Amazon, Apple – are regularly spoofed, and we are tricked into clicking when we see messages like “your account is being disabled” or “thanks for your recent purchase” when we haven’t made one. Or it may be an email from a colleague asking you to click or download something, or an email from the boss saying “We need your bank credentials for direct deposit of your check.” If something seems off or strange or odd, it probably is. It’s better to be safe than sorry, so double check if you have any doubt. Phishers are good at gaining our trust and exploiting our fears.

It’s vital to train your team about how to be alert for and detect phishing attempts. We’ve assembled some quizzes to give you and your team practice, but be warned, they are pretty difficult. If you take the time, however, even wrong answers will teach you something about what to look for and how to spot a fake.

Here are top cyber security tips for avoiding phishing scams.

  • Don’t click any links or download anything from a sender you don’t know or trust. It’s always worth double-checking. If it’s a web link from your bank, instead of clicking, go to your bank website directly by typing in the Web address in your browser. If it’s a phone call, hang up and call your bank.
  • Get in the habit of hovering over links to see who the email is really coming from and where a link is actually sending you. On a mobile device? It’s a little trickier, but you can and should still learn the source of a link from someone you don’t know. See: How to Check Embedded Links on Your Mobile Device.
  • Phishing emails often have poor grammar or spelling mistakes. That’s a big clue that it’s a fake. Also watch for copycat domains – domains with spelling errors or wrong extensions.
  • Be suspicious of any email or phone calls that demand you take action right away or that threaten you. The IRS and CDC don’t call or email to threaten you or demand money. Urgency and threats are hallmarks of fraud.
  • Avoid filling out forms in email messages that ask for personal financial information. You should only communicate information such as credit card numbers or account information via a secure website or the telephone.
  • Always ensure that you’re using a secure website when submitting credit card or other sensitive information via your Web browser. Look for “https” in the URL. See: How Can I Tell If a Website Is Safe? Look For These 5 Signs.
  • Regularly log into your online accounts to ensure that all transactions are legitimate.
  • Always report “phishing” or “spoofed” e-mails to the following groups: forward the email to reportphishing@antiphishing.org; forward the email to the Federal Trade Commission at spam@uce.gov; when forwarding spoofed messages, always include the entire original email with its original header information intact.

A recent teleconference phishing scam and security threat

With the popularity of teleconferencing while so many are on WFH arrangements, Zoom, WebEx and other popular teleconferencing apps have been the subject of phishing as cyber crooks try to get login details. TechRadar talks about the multiple scams that aim to steal video conferencing logins by sending spoofed “welcome” and “you missed a meeting” messages, among other scams. Plus, Zoom has been the subject of recent complaints for security flaws and privacy issues, which the company is now addressing. Here are tips from Wired on How to Keep Your Zoom Chats Private and Secure and from Malwarebytes: Keep Zoombombing cybercriminals from dropping a load on your meetings.

Review your Cybersecurity Insurance

Given the change in work circumstances since the pandemic, be sure to review your existing cyber insurance to see what it covers. Does it extend to working from home and does it encompass your employees? Bruce Cochrane talks about what good cyber coverage should encompass in his article Cyber Risk: The best opportunity for Independent Agents since the invention of the automobile. He notes that, “The real solution is a comprehensive cyber package protection: coverages that address the four primary exposures: property loss, business interruption, crime for theft and extortion and liability. Cyber Liability simply isn’t the solution – it’s like buying one leg of a four-legged stool and trying to sit on it. Our clients need the whole package.” The same advice would apply to your agency!

More cyber security resources

Cyber security basics – Everything you need to know about cybercrime – from Malwarebytes: “The world of cybercrime is always changing. When viruses first appeared, most of them were pranks. To stay safe online, one of the best things you can do is stay educated on the litany of threats that lurk on the web. Use this information hub to learn everything you need to know about cyberthreats, and how to stop them.”

Seven Ways in Seven Days to Boost Cyber Security While Working Remotely – from Hartford Steam Boiler: “One productive use of time while working from home is attending to cyber hygiene. Here’s a list of things that can be done simply and quickly over the next week to improve home cybersecurity and enhance digital experiences.”

The Federal Trade Commission (FTC) Coronavirus Advice for Consumers to Avoid Coronavirus Scams and Guidance for businesses on how to get support, avoid scams, and follow appropriate practices in the marketplace.

Lisa M. Johnson – Senior Vice President, Marketing Communications, Renaissance Alliance