23 October 2020
By Andy Downs
Earlier this month, attackers compromised the WisePay school-payments service and planted a spoof payment page to harvest payment details from parents paying UK schools. The attack began on a Friday night and went unnoticed until Monday morning. The service has since come back online and is deemed safe, but the incident is one of a growing number of attacks on payment providers, banks and other financial institutions during the coronavirus pandemic. The European Central Bank has warned financial institutions of a critical need to plan for the impact of the pandemic and for a rise in cyber-enabled fraud targeting both banks and their customers.
While digital banking innovations have moved many customer banking interactions online, up until the pandemic, bank employees still worked mostly on-premise. Now, banks are re-adjusting to the new reality in which a majority of the workforce is remote – from frontline employees who used to work within branches to executives who may require access to highly sensitive data, files and systems.
The “Cybersecurity in the Remote Work Era: A Global Risk Report” finds that 63% of respondents now work remotely – and these employees have access to critical, sensitive and proprietary information. Employers report concerns about the lack of physical security for remote workers as well as devices becoming infected with malware. In the UK, nearly 80% of respondents say there has been an increase in social engineering attacks since COVID-19.
This transition to remote work has raised serious concerns around compliance and cybersecurity risks for not only banks, but also their suppliers and other financial services companies. Faced with balancing strict data privacy rules, compliance regulations and access to customer data, financial services providers must find ways to mitigate risk across the entire supply chain as they adapt to the new world of remote work. In this post, I share some of the key risks and solutions around the remote banking workforce.
Understanding Today’s Risk Environment
Long before the pandemic, banks and financial institutions were frequent targets for cyberattacks, which is not surprising given that 86% of cyberattacks are committed for financial gain. Banks also face higher stakes on compliance: failing to secure endpoints and properly protect sensitive data can lead to hefty fines, legal fees, lost business and reputational damage.
The Banking Journal sorts banks' responses to remote working into three groups: the first is big banks with the assets and plans already in place to accommodate workplace reconfiguration; the second is banks that have had to scramble to fill gaps and accelerate cloud adoption to enable a secure remote workforce; and the third continues to let employees reach internal bank networks from their own devices over home internet connections. Which group does your bank fall into?
Whichever group that is, banks must invest in measures to withstand frequent, sophisticated and persistent attacks, including malware, phishing and social engineering, injection attacks and business email compromise, among others.
Managing the Risk
Here, we share four strategies your team should consider to quickly and effectively safeguard your operations and your remote workforce.
1) Keep Up to Date on Compliance Controls
Now is an ideal time to review and update your compliance and data-handling policies so that they reflect the new way of working and keep pace with current laws and regulations. Skipping this step leads, at a minimum, to inconsistent practice across the workforce and, at worst, opens attack paths for adversaries. Remote workers are especially exposed: without a shared baseline, ad hoc workarounds quickly harden into habits that put your operations at risk.
As a starting point, Microsoft suggests you answer a vital question: where does your data reside when employees work remotely, particularly in risk-management functions? If you use Microsoft Teams, for example, data is encrypted at rest and in transit, and media (video, audio and desktop sharing) is carried over the Secure Real-time Transport Protocol (SRTP). If you use Microsoft 365, tools are available to help you retain control, such as restricting the Teams experience for guests and external parties, or governing app settings per user according to role and responsibility. Microsoft also publishes its auditor reports on the Service Trust Portal, which helps you keep up with changing regulations and standards.
Even when things normalise and employees return to the office, this review should be a recurring process at your bank, to minimise risk and avoid costly non-compliance penalties.
2) Prevent Shadow IT
“Shadow IT”, the use of tools and services your technology team has not sanctioned or configured, is another very real threat in a remote workforce. From home, staff may fall back on personal devices (the “Bring Your Own Device”, or BYOD, challenge), home internet connections and consumer file-sharing or messaging apps, often for the understandable reason that they are easier than reaching internal, networked systems. To mitigate this, ensure that secure configurations are in place on all enterprise-licensed software, such as Microsoft 365. Most software today ships with baseline security controls that can adequately protect remote workers, but only if it is correctly configured; defaults are tuned for convenience rather than for a bank's risk appetite.
One BYOD challenge is that the technology team cannot verify that employee-owned devices are patched, or prevent visits to fraudulent sites and risky behaviours (such as opening suspicious attachments) that can introduce malware into your network. While it may be impossible to stop people using their own devices, you can enforce technical controls that do not depend on the device, such as multi-factor authentication and VPN access, and reinforce them with education on “cyber-hygiene” practices such as password management. Together these greatly reduce your risk.
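The configuration that sections 1 and 2 point at, restricting the Teams guest experience and closing the personal cloud-storage door that feeds shadow IT, can be applied tenant-wide from PowerShell. The block below is an added example, not code from the original post or from KA2; it assumes a recent Microsoft Teams PowerShell module and an account holding the Teams Administrator role. The "Global" identity is the tenant-wide configuration that applies unless a per-user policy overrides it.

```powershell
# Added example (not from the original post): harden the tenant-wide Teams
# client configuration so guests and third-party storage are governed centrally.
# Assumes the Microsoft Teams PowerShell module and the Teams Administrator role.
Connect-MicrosoftTeams

# Record the current settings first so the change is auditable and reversible.
$before = Get-CsTeamsClientConfiguration -Identity Global
$before | Select-Object AllowGuestUser, AllowDropBox, AllowBox, AllowGoogleDrive, AllowShareFile |
    Format-List

# 1) Shadow IT: stop users attaching personal cloud storage (Dropbox, Box,
#    Google Drive, ShareFile) to Teams channels and chats.
Set-CsTeamsClientConfiguration -Identity Global `
    -AllowDropBox     $false `
    -AllowBox         $false `
    -AllowGoogleDrive $false `
    -AllowShareFile   $false

# 2) Guest experience: if the business does not need guests, set
#    -AllowGuestUser $false. If it does, keep it on and narrow what guests
#    can do in meetings and chat.
Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $true
Set-CsTeamsGuestMeetingConfiguration -Identity Global `
    -AllowIPVideo $false `
    -ScreenSharingMode Disabled `
    -AllowMeetNow $false
Set-CsTeamsGuestMessagingConfiguration -Identity Global `
    -AllowUserEditMessage $false `
    -AllowUserDeleteMessage $false

# Verify: the storage switches should now read False; AllowGuestUser True.
Get-CsTeamsClientConfiguration -Identity Global |
    Select-Object AllowGuestUser, AllowDropBox, AllowBox, AllowGoogleDrive, AllowShareFile
```

Guest access in Teams is also gated by Azure AD's external collaboration settings and the Microsoft 365 Groups guest setting, so a guest must be allowed at every layer; turning AllowGuestUser off here stops guests joining teams even where those layers still permit invitations. Keep the recorded "before" values with your change ticket so the settings can be restored if a business process turns out to depend on them.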
3) Apply Data Loss Prevention
Data loss prevention (DLP) is the set of processes and tools that ensure sensitive information in messages and documents is not leaked to, or accessed by, unauthorised parties. Now is the time to revisit your existing DLP policies, beginning with your most-used systems but extending to every channel through which data can leave the organisation, and to strengthen your overall DLP strategy.
For example, if a bank employee tries to share a document containing sensitive information with guests in a Microsoft Teams chat (risky actions are often inadvertent or well-intentioned), a properly configured DLP policy will block the share so that guests cannot open or view the document, and will show the employee a policy tip explaining why. Teams offers a suite of DLP tools, and DLP coverage was recently extended to chat and channel messages, including private channel messages. All Microsoft DLP policies can be customised to the risks and needs of your bank and workforce.
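The Teams DLP scenario just described can be built as a Microsoft 365 DLP policy from Security &amp; Compliance PowerShell. The block below is an added example, not from the original post or from KA2; the policy and rule names and the custom policy-tip text are assumptions, the two sensitive information types are Microsoft built-ins, and the session assumes the Exchange Online Management module with a Compliance Administrator (or equivalent) role.

```powershell
# Added example (not from the original post): a Microsoft 365 DLP policy that
# covers Teams chat and channel messages and blocks payment data from being
# shared with anyone outside the organisation. Names below are assumptions.
Connect-IPPSSession

$policyName = "Teams - Payment Data (external sharing)"

# Start in test mode with policy tips: users see the warning, nothing is
# blocked yet, and the compliance reports show what the rule would have caught.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Block payment card / IBAN data leaving the tenant via Teams" `
    -TeamsLocation All `
    -Mode TestWithNotifications

# The rule: fire when the message or shared file contains at least one of the
# built-in sensitive information types below AND any recipient is external.
New-DlpComplianceRule -Name "$policyName - block external" `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number"; minCount = "1" },
        @{ Name = "International Banking Account Number (IBAN)"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This message contains payment data and cannot be shared outside the bank." `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, Rules, Detections, Severity `
    -ReportSeverityLevel High

# After reviewing a week of matches, switch the policy from test to enforce:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Starting in TestWithNotifications mode is deliberate: employees get the policy tip but nothing is blocked, so a week of review in the compliance-centre reports tells you what the rule would have stopped, and which legitimate workflows it would have broken, before you set the policy to Enable.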
4) Educate your Workforce
The last tip is perhaps the most important: educate your workforce so that they can serve as your first line of defence against the known risks of remote work. Alert remote staff to the threats they will meet, such as poor password management and phishing attempts. Invest in robust, up-to-date training and create clear, open lines of communication with your technology team so people feel empowered to ask questions and to report suspicious encounters. Combined with the right controls in key platforms such as Microsoft 365, this makes it easier for employees to follow good practice and protect the business.
At KA2, we know that managing cybersecurity and compliance is a tremendous and ongoing challenge in today's remote world. We can help you maximise operational effectiveness and productivity whilst ensuring appropriate security controls are applied and the risk to business-critical data is minimised.
Please get in touch with us today to schedule a 30-Day Assessment of your modern working tools and find out if you’re prepared for today’s biggest cybersecurity and compliance threats.