The mass relocation of financial services employees from the office to their couch, dining table or spare room to stop the spread of the deadly novel coronavirus is a significant data security concern, several industry experts tell BAI.
But they add that it is a challenge that can be managed with the right tools, the right training and enduring vigilance.
“From a cyber and data security perspective, as well as a technological perspective, there are many challenges with the current environment,” says Steven Estep, director of operational risk for Independent Community Bankers of America. Part of the issue, he says, is how quickly financial institutions had to set up work-from-home capabilities and how reliant they are on new business tools needed for secure remote collaboration.
To ensure their sensitive and valuable data is protected with so many employees working from home, using different connection to the Internet with different levels of security, banks have increased their connectivity capacity with their Virtual Private Network and cloud providers, says Estep.
With all access flowing through corporate systems, traditional corporate security controls can be effectively managed using data loss prevention software, anti-virus and malware software, along with behavioral analytics and anomaly detection, to identify potential security risks as soon as they are detected, says Robert Capps, vice president at NuData Security.
“If these technologies are in place, the majority of threats against end users can be mitigated, regardless of how they are connecting to the internet,” says Capps.
But some have less confidence in VPNs, especially if employees at home don’t maintain the same level of risk aversion that they would at their desk in the bank.
“VPNs have become vulnerable” and no longer provide “a fully secure channel to the enterprise network,” says Ratan Jyoti, chief information security officer for India’s Ujjivan Small Finance Bank. He says the risks are enhanced because cybercriminals are particularly focused on bank employees working from home due to the COVID-19 pandemic.
The solution, he says, is a “zero-trust” approach – no one, internal or external, is trusted by default. Strict standards are applied to verify every person or device before granting access. Jyoti says the zero-trust model can be established as either network-centric or identity-centric, and combined with multi-factor authentication, malware scanning and endpoint security systems.
“These preventive controls must be complemented by agile incident response and user behavior analytics,” he says. “Increased cyber awareness of employee and customers remains the key… With this, the VPN technology can soon become extinct, as it is not able to address both outside and inside attacks.”
Undergirding all of this is the human risk factor, says Jeremy Kennelly, manager of financial crimes analysis for the cybersecurity firm FireEye.
“Operational friction” caused by a range of factors – among them, hardware or peripheral issues, challenges connecting to a corporate VPN or inability to access required systems or data – “may cause employees to communicate, store data, or perform critical business tasks on systems or in manners that put important data or business processes at unforeseen risk,” Kennelly says.
For this reason, reinforcing cybersecurity hygiene is essential. For employees, this means at a minimum using their work computer only for work, running anti-malware protection on all devices on the home network and being on guard when it comes to emails sent from outside the company.
“Ultimately people tend to be the weakest link,” Nabil Hannan, managing director at vulnerability management firm NetSPI. “This is why I usually underscore the need for proper education around security and providing employees with appropriate security training so that they don’t end up making a decision or taking an action that puts the organization at risk.”
Bill Malik, vice president of Infrastructure Strategies at the enterprise security firm Trend Micro, says managers and supervisors can support security efforts within their remote work force by setting clear and achievable goals that take into account that employees are under stress due to COVID-19 worries.
Malik says managers should also reach out to every member of your team regularly, even at the risk of overcommunicating, to maintain trust and make sure everyone has the latest information and understands goals and processes. IT teams should make on-line training and support available, as well as formalizing policies and procedures for employees who may be accustomed to informal, in-person support in the office.
Estep, from ICBA, acknowledges a wide array of concerns and says banks are working to mitigate the threats.
“An increase in the number of devices and connections will naturally cause an increase in risks and potential vulnerabilities, which community banks are addressing,” he says. “Community banks are imposing stricter due diligence when considering various permission levels and the types of access they will allow employees to have into the bank’s network… and enforcing stronger data access controls in keeping with the bank’s risk appetite.”
Howard Altmanoversees coverage of issues affecting troops and their families as managing editor of Military Times. He has won more than 50 journalism awards and his work has appeared in the New York Times, Daily Beast, Philadelphia magazine, the Philadelphia Inquirer, New York Observer, Newsday and the Tampa Bay Times.
Discover how the fraud landscape is evolving — from phishing attacks to man-in-the-middle, vishing and now, payer manipulation — and how the industry needs to take a different approach to resolve fraud...