By Rick Vanover, Senior Director, Product Strategy, Veeam
The COVID-19 pandemic has shifted the spotlight back on that pesky security issue that organisations have struggled with for years. Workers are connecting to corporate networks from more devices than ever before – but moves to protect, manage and back up the sensitive information in those networks aren’t keeping pace.
The problem’s getting worse. Studies show the number of connections spiked suddenly during the pandemic, as workers handle more mission-critical tasks from remote locations. Rogue “shadow IT” continues to intensify year after year. Financial services (FS) organisations are particularly concerned: keen to offer employees the flexibility and better work-life balance remote working can provide, but at the same time mindful of the need to meet audit and compliance requirements. IT departments, already stretched thin by pandemic-related layoffs, are scrambling to do more with less at a time when threats are getting more serious.
That’s not all. Workers are not only hooking up more laptops, tablets and phones to give themselves more work flexibility – they’re getting sloppier about the way they manage the connections under their control. They’re replacing devices more quickly than they used to, upgrading phones every year or two. But consumers don’t always wipe their old phones clean when they give them away, sell them or trash them. IT might not always be keeping track as they perhaps did when everyone was in the office every day. The data from that confidential presentation, sensitive information from a financial deal or client proposal doesn’t go away by itself.
Hackers are watching this trend closely – and capitalising on it. Rather than storm a corporate network with a “Game of Thrones”-style, all-out attack, hackers prefer to find an unguarded endpoint, slip into a network, poke around and pilfer assets quietly before setting off any alarms.
In the context of financial services, the consequences could be even bigger. It’s an industry built on trust, and clients count on their investments and needs being met in a discreet, professional way. A data breach, leak or other insider activity is the last thing a financial services brand needs.
It’s time for organisations, particularly in the financial services sector, and workers themselves to step up. They need to protect data and ensure it’ll be there for future use by backing it up. But it can’t stop there, because many have been doing that for years. Backups are just the start – part of a larger strategy that includes things like two-factor authentication and more dedicated use of VPNs. As they say, “If you connect it, protect it.” Here are four key cybersecurity strategies financial services organisations and their employees can deploy to protect and manage the growing issues imposed by the era of ultraconnectedness.
Strengthen your remote access strategy
This is “job one” for IT departments – especially with remote work promising to play a bigger role in the future. Banks and financial organisations have typically been more office-focused than other sectors, but many of the changes we’ve seen over the past year to working patterns will, for some, become permanent. IT needs to be able to cope. Equipping corporate networks with VPNs for sensitive data is a good start, and should be seen as the absolute bare minimum. Just as important is the follow-through. Sophisticated role-based management tools can enable employees to work productively while also blocking them from accessing information outside of their assigned areas or sharing strategic documents. Train employees in the do’s and don’ts of accessing information remotely, and regularly review your strategy to ensure it’s meeting your corporate needs.
Manage devices ‘from cradle to grave’
Too much sensitive information is sitting on devices waiting to be had. For FS organisations, this is a compliance nightmare, not to mention the impact on things like client relations. IT departments need to take the lead on any corporate-issued phones and laptops – equipping them with security features up front and doing thorough wipe-downs before issuing to a new user. This goes for loaner devices, as well. Workers connecting to network information need to do their part, too. Kill old corporate emails from home devices, and before selling or destroying models make sure to purge any materials. Keeping accurate logs of what devices have been loaned, and their status, is invaluable.
Use encryption and two-factor authentication
Security breaches are all too common – and most are preventable. Basic steps like encrypting sensitive documents can protect FS organisations and their clients from disaster scenarios where client data, details on trades or deals, or a highly classified report inadvertently falls into the wrong hands. Passwords provide a moderate level of protection – and, if they’re updated regularly and managed properly, they can do the job. But they’re really a basic first line of defence. If you’re accessing important information that could compromise the company in any way, equipping all private devices with two-factor authentication is a better option.
Double down on diligence
Phishing forays aren’t new, but they’re still dangerous. Staff in FS organisations may receive requests to transfer funds or share highly sensitive data many times a day as part of their usual roles, but they should remain watchful for threat actors taking advantage of that routine. IT departments can circulate refresher notes and conduct periodic training sessions reminding people to exercise basic caution: don’t enter credentials on sites you didn’t navigate to yourself, don’t open documents from unknown sources and, when in doubt, contact IT. Keep the time-tested slogan in mind: “Trust but verify.” You don’t want to find out the hard way that a communication isn’t what it appears to be, when what seemed like a legitimate request to transfer funds or provide access was far from it.