By Joe McManus, director of security at Canonical
For any business the COVID-19 pandemic has brought about significant changes to their operations, and financial services (FS) organisations are no exception to this. From insurance to banking, we’ve seen a seismic shift to almost entirely remote workforces as trading floors and offices have become kitchens and bedrooms. It’s been a real test that some FS businesses have been well-equipped to handle, however, many organisations have not been prepared for it. According to research by Leesman only a small percentage of staff at 700,000 employees worked remotely on a consistent basis prior to the pandemic. The study revealed that 52 percent of employees have little to no experience of working from home, and even of those who do, 83 percent typically do so for just one day a week or less.
Naturally, there are a number of challenges which need to be addressed with a large-scale remote working model. Security, perhaps unsurprisingly, is top of this list, especially for the highly regulated financial services industry. The sector has traditionally been slow to roll out remote working programmes prior to the pandemic for this reason. There are worries over data access control, VPNs, and rapid changes to the infrastructure required to cope with increased volume of teleworkers. The challenge is two fold – including the management of existing risks now amplified by the wide-scale shift to remote working, but also in protecting networks and staff from an increasingly advanced cyber threat as cybercriminals look to exploit the heightened uncertainty resulting from this global situation.
As this new way of working becomes the norm for FS businesses, It’s imperative for them to address these security challenges now, enabling them to efficiently navigate the current landscape, as well as prepare themselves for lasting impact as we look beyond the pandemic and firms start to develop and initiate business recovery strategies.
From a device perspective, there is now a newly-created and significantly dispersed end-point network which requires managing. It’s likely that most FS businesses will have enabled some form of multi-factor authentication (MFA) to ensure they are complying with current regulations, however, the need for MFA has been heightened during the pandemic to reduce the risk of brute force attacks related to passwords. Perhaps more significantly though, an out-of-date mindset which sees security as ‘behind the firewall, or not’ will lead to insufficient controls when it comes to managing the inevitable combination of bring your own device (BYOD) and managed devices that comes with a remote workforce.
A multi-layered approach
FS businesses can reduce cyber threats in a number of different ways but a multi-layered strategy is the most effective and robust approach. Firstly, it’s important that staff are well trained and educated to ensure they are hypervigilant to potential cyberattacks such as phishing attacks and mindful of sensitive data and regulations. Secondly, this recourse also requires effective monitoring of home networks given that they are now an extension of the office.
Beyond this, the hardware itself needs to be secured. Security can be both baked into devices, as well as delivered via software updates which are easily implementable and scalable across the increased number of end-points. Those using Ubuntu Desktop can benefit from unattended-upgrades and Livepatch to protect endpoints from any new threats or discovered vulnerabilities, removing the need for IT intervention, especially useful in the current climate. Using a corporate proxy server or VPN can also help to protect and monitor the newly extended network, while staff can also restrict access to harmful sites through enabling low-cost DNS filtering services like OpenDNS.
VPNs: added security but don’t ignore the potential risks
Unsurprisingly, there’s been an increase in VPN usage as a result of the rise in remote workers, with employees wanting remote access to company resources. Beyond authenticating users and providing access control, VPNs can also be used for more substantial enterprise protections. This includes the capability to leverage corporate network filtering such as Intrusion Detection and Protection Systems (IDS/IPS), as well as additional situational awareness tools such as NetFlow to monitor network traffic. The issue is that businesses have deployed VPN endpoints in such rapid time, there is a heightened chance of a mistaking occurring during network segmentation. If this happens, there is the possibility that it could expose company resources more widely than wanted and for financial services business this could be intellectual property or sensitive information
Consider cloud security
Covid-19 has created a unique operational environment for many financial institutions. The cloud isn’t exactly a new concept to these businesses, with financial services slowly becoming a major adopter of the technology. However, for many, cloud technology has really come into its own and the pandemic has highlighted its ability to provide resilience and scalability when needed. Having said this, the adoption of cloud-based platforms and services also carries risks, and FS companies making such a transition need to carefully deliberate how they secure their own services and data. A common presumption is that security will be managed for them by their cloud provider, but this varies depending on the service. It’s therefore important for FS businesses to carry out the same due diligence when selecting a cloud platform as they would when deploying their own infrastructure. Alternatively, they should look to employ managed services which include maintenance, security and scalability of their cloud infrastructure provided by a trusted partner. This will enable in-house IT teams to turn their focus to priorities elsewhere.
According to a recent Gartner CFO survey, 74% of CFOs intend to shift some employees to remote work permanently. This data is an example of the lasting effects the current pandemic will have on the way business and their staff work, especially for those who were resistant to adopting remote strategies before. Capital One is one example of a financial services organisation that recently disclosed that they will not have any broad return to work until at least September.
As remote working policies become much more commonplace in the financial services sector, and the proliferation of cloud resources and VPN services continue to grow it’s fundamental that IT teams overcome the associated security risks. For many adapting to this “new normal” will be key to being prepared for both the immediate and longer-term future.