As a result of the COVID-19 pandemic, there has been a marked shift in the way we work and use technology to stay connected and execute business. Many institutions are managing remote workforce security as states navigate the ongoing effects of the pandemic, leading to a variety of challenges, including addressing cybersecurity threats.
Understanding Remote Workforce Risks
As financial institutions continue remote work, criminals are adapting their tactics to target remote work environments in efforts to access your institution’s data, devices and users. There is a variety of cybersecurity risks for financial institutions to combat, including:
- Phishing: To capture sensitive data and spread malware, cyber criminals are launching rampant phishing attacks via email. As many employees transitioned to remote work in early 2020, phishing scams skyrocketed with attackers exploiting the need for information about the pandemic, as well as employees’ heightened stress and vulnerability. Phishing activity targeting personal email accounts has dramatically increased, and children are being specifically targeted in hackers’ attempts to compromise home networks and infiltrate work-from-home environments.
- Malware: Cyber attackers are leveraging malware to obtain usernames, passwords and payment card information stored in a user’s browser. According to security vendor Carbon Black, attacks targeting the financial sector have increased by 238 percent from February to April 2020.
- IT Falling Behind: A recent Aite report noted that IT departments are often short-handed and are now having to respond to the challenges of remote work environments, leading to increased maintenance backlogs and slow response times. With cyberattacks continuing, IT departments could be busier than ever, reinforcing the need to have a security-minded workforce and up-to-date systems.
- Business Email Compromise (BEC): The FBI issued a warning in early 2020 regarding a spike in BEC scams, many relying on the uncertainty of the pandemic to prey upon victims. BEC scams involve a criminal sending an email and imitating the owner’s identity, such as a high-level company executive or recognized vendor. In most cases, criminals attempt to trick trusting employees into performing seemingly legitimate wire transfers or other financial transactions. Employees working from home could be more susceptible to these fraudulent emails or scams.
How to Enhance Your Remote Workforce Security
To defend against the ever-present threat of cyberattacks, consider the following tips to ensure your institution can secure its network and have a plan for the future.
1. Provide Secure Internet Access
While providing employees with virtual private network (VPN) access will help mitigate risk of cyber threats, there are a variety of risks associated with employees using their home networks for business when not connected to VPN, including employees not having a password properly set on home networks or using personal devices for business activities. Personal devices are often prime targets that can provide attackers a base to operate from within home networks, allowing them to monitor or intercept secure traffic and compromise work devices. Security solutions that protect your network and users, but do not interfere with business activities, are a priority. Your institution should encourage employees to address the following questions to reduce penetrability of home networks:
- What is the quality of your home network?
- Does your home network still have the default password?
- How old is the router?
- What protocols is it running?
- Are your personal devices secure?
- Do your personal devices have up-to-date malware and virus protection, the latest security patches and updated third-party software installed?
2. Create an Acceptable Use Policy
In addition to securing networks, your institution should consider the blurred lines of personal and professional lives of employees as they work from home. In this new hybrid reality, employees may be more likely to use corporate-owned devices for personal business. For example, if an employee uses their business laptop to access their child’s online learning portal, that device could be vulnerable if not on VPN. Online learning portals are a top target for cyber criminals, and you do not want to risk exposing your network to an attack. By creating and communicating a clear Acceptable Use Policy and outlining your specific policies for business devices, your institution can strengthen its security posture. Your institution’s Acceptable Use Policy should also include a section explicitly addressing work-from-home environments to educate employees on expectations and risks of remote work.
3. Use Mobile Device Management
If your institution issues business-owned devices to employees or if employees use personal devices to engage in business activities, consider implementing mobile device management and encryption to safeguard all devices with access to your institution’s data. For example, if an employee accesses business email on a personal device, your institution should have the ability to sandbox that email and to wipe the email inbox should the device become lost or otherwise compromised. This technology will also allow your IT support staff to remotely fix issues or install updates.
4. Implement Web and Content Filtering
Web and content filtering can extend beyond a VPN connection, offering additional layers of security. By providing web and content filtering capabilities to the remote workforce, your institution can protect devices that are off-network. With this tool, your institution can prevent employees from accessing malicious or inappropriate sites and mitigate threats like malware.
5. Enable Multi-Factor Authentication (MFA)
Multi-factor authentication is one of the best ways to protect your workforce from the two largest threat vectors: social engineering and phishing. Through MFA, multiple credentials are required to verify a user’s identity. According to Microsoft, MFA can help prevent over 99 percent of account compromise attacks since a fraudster cannot gain account access solely by obtaining or cracking a password. By verifying a user’s identity and protecting credentials using two or more pieces of evidence, you can strengthen the resiliency of your network and prevent harmful attacks.
6. Strategically Invest in Technology
The number of available technology solutions designed to support your institution can be overwhelming, but it is important to remember that you should not invest in technology that does not align to a business objective or support revenue generation. As you consider technology options, think holistically about your institution’s IT strategy, goals and environment. vCIO services can help determine your short- and long-term goals and provide guidance about which technology solutions best align with your specific needs and IT strategic plan.
7. Develop Well-Documented Processes
Even before the pandemic, institutions often experienced disruption if an employee moved branches, as business processes are not always clearly documented and maintained. This is an opportunity to revisit key processes and determine how to integrate them in the new reality of remote work and if current technology accommodates existing processes or requires updates to enhance security. Auditing processes for efficiency will also benefit your institution as you determine whether processes are scalable, have the appropriate number of steps and/or touchpoints and if they will meet your needs in the future.
8. Promote a Security-Minded Culture
As employees work remotely, your institution should prioritize employee cybersecurity education to help create and maintain a security-minded culture. Technology such as multi-factor authentication can help stop a breach, but education can prevent an employee from clicking on a malicious link in the first place. By creating a culture focused on security, you can not only educate employees on proper online conduct but reinforce the importance of asking for assistance after engaging in potentially risky behavior. Everyone—even the most well-intentioned and informed employees—can make mistakes, so your institution should create a culture that encourages employees to immediately communicate with IT after a mistake was realized.
The Future of Remote Workforces
According to industry experts, circumstances surrounding the COVID-19 pandemic have accelerated change in financial services by almost five years, and that estimate could be extended to a decade should the pandemic continue through the remainder of 2020. There is no doubt the way we work, communicate and do business have been transformed, and as the landscape of the financial services industry continues adapting, your institution should prioritize security to better serve your customers.
Check out our remote workforce security infographic to learn more about how CSI can help you manage your remote workforce by securing your institution’s devices, data and users.
Steven Ward has over 29 years’ experience in technology with 14 years in community banking technology and currently serves as CSI’s vCIO manager.