Future-Proofing your Information Security: How to Work from Home Securely in a Crisis
Faced with the global outbreak of COVID-19 earlier this year, banks were forced to act quickly to enable remote working for much of their workforce almost overnight. This reactive approach has not come without its information security risks. Customers placing greater reliance on remote banking services, combined with organisations’ rapid procurement of collaborative tools to maintain virtual communications and high levels of staff absenteeism due to the pandemic, have left many organisations stretched, vulnerable and ill-equipped to deal with cyber-attacks.
Unfortunately, according to a study by Reuters, hackers are becoming emboldened by the confusion and potential weaknesses caused by the pandemic, with hostile activity against corporations more than doubling in March alone. IT consulting giant, Cognizant, a recent victim of a successful ransomware attack, is facing an estimated $50 million USD in remediation costs. It is hardly surprising, then, that when employees were asked if they felt more cyber-secure in the office or at home, 59% responded with the office.
Despite these challenges, a survey of 317 Finance leaders has revealed that at least 74% plan to adopt remote working more permanently. Indeed, Twitter and Facebook recently announced that employees can continue to work from home “forever”, and Jes Staley, CEO of Barclays, has suggested that city offices may be a thing of the past, as the Bank reconsiders its long-term location strategy.
In light of this shift towards remote working, banks should thoroughly examine their technology, processes and people in order to effectively future-proof their information security.
The COVID-19 outbreak has seen a number of technological factors contribute to increased information security risk:
- In order to remain operationally resilient and maintain consistent communications, organisations have accelerated their acquisition of collaborative tools. Microsoft Teams has reported that its active daily users surged by 70% in March, whilst Zoom has become the most commonly-used video-conferencing software for remote employees in a matter of weeks.
- Use of “shadow IT” has also increased, whereby remote workers take the selection and deployment of tools into their own hands, without the permission or knowledge of their employer’s IT team.
- There has been an uptake in use of Virtual Private Networks (VPNs), with 22% of employees working from home purchasing a VPN since the start of the pandemic. This has led to more data being transferred by remote services, creating focused, business-critical dependencies where previously there had been none.
- Furthermore, use of Cloud services has increased by as much as 50% as companies attempt to increase data storage and access, despite some not necessarily having the infrastructure to support this.
While maintaining BAU operations has understandably been paramount, in many cases, this has had to come at the expense of information security. Indeed, Cloud cyber-attacks rose by 630% between January and April, and 1 in 10 employees report having had their video calls hacked while working remotely.
Fortunately, however, there are several measures that banks can take in order to mitigate these risks:
- Regular communication of business-approved tools to employees
  - Make sure that everyone understands how to use new software, that application authentications need to be kept up-to-date, and that security policies must be strictly adhered to.
- Tighten security configurations
  - Apply a more coordinated security approach.
  - Ensure that patches are applied to all devices provided to employees, and make sure that all updates can be carried out remotely.
- Identity and access management
  - Implement robust policies around data access by applying multi-factor authentication and avoiding the use of shared accounts – even if this increases costs.
  - Ensure that privileged information is kept secure, audit account access and remove orphaned accounts.
- Consistent monitoring of shadow IT
  - There needs to be effective and continuous analysis of where and when data is being accessed. Tools such as a Cloud Access Security Broker (CASB) can provide a “security perimeter” using access control tools and offer visibility on user activity within cloud applications.
- Understand your supply chain
  - Evaluate your third-party vendors in order to determine whether they provide critical services. Contact your vendors to understand their business continuity plans and establish vulnerabilities.
  - Where services are reduced or vulnerable, re-evaluate your risk exposure and consider refocusing internal employees to those areas.
- Review Data Loss Prevention (DLP) controls

  Prevent the loss of confidential information by reviewing the causes and effects of data loss throughout your organisation. Is data loss or theft more common across:
  - Technology – due to a lack of DLP tools or poor remote connectivity, resulting in shadow IT?
  - Processes – Are data usage and security policies not circulated often? Is data monitoring not consistent or flexible enough for the Business?
  - People – Are responsibilities and accountabilities unclear?
In June, several European banks announced a combined total of over 60,000 redundancies. It is very likely that numbers will continue to rise in the UK as the Furlough Scheme comes to an end in October. These conditions could precipitate an increase in insider threats, as former employees, or cybercriminals posing as employees, intentionally misuse confidential information for personal gain or to threaten an organisation’s integrity. In fact, 92% of insider threats are often preceded by a negative work event such as a redundancy. Existing mitigating controls may also be obsolete due to the rapid change in circumstances or new business continuity plans being administered.
Here are three key strategies that banks can consider in order to combat insider threats:
- Re-assess internal risk and control frameworks
  - Evaluate internal processes and corresponding impacts to information security risks and controls. These may need amending to reflect any recent adjustment in business practices, such as increased remote working or reliance on technology.
- Evaluate your off-boarding process
  - Make your off-boarding process more secure by working with functions (e.g. HR) to identify employees at risk of redundancy and conducting reviews to establish which have access to sensitive information.
  - When employees leave the organisation, prioritise the disabling of access to offices as well as business devices, applications and systems on the corporate network or third-party systems.
- Utilise Machine Learning (ML) and Artificial Intelligence (AI)

  For companies with the infrastructure to support AI and ML, otherwise mundane and error-prone tasks such as manual incident response and analysing false positives can be completed in record time.
  - Monitor network and device usage and detect irregularities in behaviour to combat shadow IT.
  - Use security information and event management (SIEM) technology to sweep large quantities of data gathered from network appliances and detection systems, categorising and analysing events in real-time to pinpoint cyber-attacks.
  - Use a security orchestration, automation and response (SOAR) solution in tandem with SIEM to centralise data so that it can be analysed from a single location and incident response can be automated.
Arguably the most important barrier between a company’s data and a potential information security breach is its employees. An organisation may have the best tools and technology to keep data secure, but it is vital to reinforce this with education, communication and policies which are made easily accessible for its workforce.
A recent study of people currently working from home, however, suggests that this has been largely overlooked: 65% stated that their managers have not educated them on COVID-19 scams, and 56% confirmed that they did not receive formal guidelines on videoconferencing safety before leaving the office. So how can banks make more effective use of such a valuable information security asset?
The sudden transition to remote working has blurred the lines between the professional and the personal, increasing the risk of data security complacency. As cyber-attacks become more frequent and elaborate, individuals with childcare commitments or working in stressful environments are likely to become more susceptible.
- Offer regular interactive training, in the form of e-learning or virtual seminars. Do employees know how to recognise suspicious activity, or the difference between phishing and pharming?
- Provide clear and consistent messaging on to whom security concerns may be reported, and educate your workforce on password protection, application authentication and corporate device usage.
- Plan regular communication campaigns to highlight the importance of data management and security.
- Involve senior management in the creation and distribution of these communications. Surveys show that tone from the top is essential in building trust and integrity with employees.
- Circulate company policies on data and outline key messages, such as how and when to apply the correct data classification to e-mails and corporate material.
- Distribute these messages consistently and ensure that they are easily accessible.
- Share best practices for company-wide communication, emphasising the use of business-approved collaborative tools and outlining the dangers of shadow IT.
- Data Privacy

  As employers resort to tools, such as company surveys, to monitor employee well-being, it is important not to overlook employees’ rights in relation to data privacy.
  - Make sure that data is being processed in adherence to relevant data protection regulations by only collecting information that you require, ensuring that you have the individual’s consent, and communicating clearly how and why you will use this information.
  - Distinguish between personal and sensitive personal data to understand if they need to be processed differently. Be sure to regularly review and distribute relevant data classification and retention policies.
As the global volume of data continues to grow, so too will its value – and the sophistication of cyber-attacks to obtain it. A worldwide shift towards remote working, and organisations’ increasing reliance on technology to enable it, have already uncovered significant information security risks. With the number of end points predicted to triple by 2023, protecting against the threat landscape will only become more challenging as its full extent becomes less well known.
Faced with such a lack of visibility, banks must be proactive and strengthen the management and security of their data. This may be achieved, for example, by implementing AI to monitor network and device usage and flag cyber-attacks in real time. New technology, however, can expose new vulnerabilities. Strong cyber risk management and control frameworks should therefore be the foundation of every organisation’s data security. Lastly, and perhaps most crucially, there needs to be mutual trust between the company and its employees in good data hygiene practice. This requires not only consistent education and communication, but also senior management visibly setting a good example for its remote workforce to follow.