Recent research has revealed the financial services industry practised poor cybersecurity behaviours during the COVID-19 pandemic. This article outlines the most common risky behaviours, with advice on how firms can strengthen their authentication.
By Nic Sarginson, Principal Solutions Engineer, Yubico
In response to stay-at-home orders, many companies across the financial services sector switched rapidly to remote working in 2020. It’s likely a number of them will continue to maintain higher levels of homeworking than existed before the pandemic began. This poses a range of challenges for employers and employees, such as how to facilitate collaboration and build working relationships between colleagues and clients when in-person meetings happen less frequently. Another challenge that many, it seems, have yet to overcome is the impact of remote work on cybersecurity. This is a major gap that must be plugged as companies navigate a new hybrid working era.
Our survey of employees provides insight into how financial services firms have fared in securing remote workers during the pandemic. It reveals that security training levels for employees are fair and that the majority of firms have introduced new policies since the start of the pandemic. However, there is significant room for improvement, particularly when it comes to the authentication of remote workers.
The survey also revealed a somewhat lax attitude to the sharing and use of devices. Over a fifth (22 per cent) of responding financial services employees allow others to use their devices and don’t pay attention to how they use them. Meanwhile, the percentage of workers who use work-issued devices daily for personal matters has jumped from 29 to 44 per cent since the start of COVID. Both these revelations are concerning, because this activity opens up financial services to potentially more cyber threats.
Despite this risky behaviour, employees reveal they are stressed by cyber threats. In fact, 40 per cent feel more stressed about this while working from home than they do in the office. That’s higher than employees across a range of sectors, where 35 per cent said the same.
Identity verification is the way users gain access to accounts, services, systems and applications. In the financial services sector, some employees perform high-value transactions on a daily basis, making them key targets for cybercriminals. Call centre agents make likely targets too. Because such roles are generally office-based, their access security has typically existed within a corporate perimeter; as remote workers, they need a secure and simple way of verifying their identity before accessing critical systems and data. If employees are only using a username and password for authentication and an attacker succeeds in getting hold of this information, their data and company data are compromised.
There are a range of ways cybercriminals go about it, most commonly through phishing. Many more people are aware of phishing attacks now, but despite the dangers, ten per cent of financial services respondents to the survey said they wouldn’t admit to clicking on a suspicious link. Those links could take employees to fake sites where, if they enter their credentials, the identity thief then has their login information and can use it to gain access through the real site.
Strong authentication is essential to safeguard against this. Yet only 27 per cent of survey respondents said two-factor authentication (2FA) had been implemented since employees began working from home. 2FA strengthens authentication compared to logging in with only a username and password because it requires users to have a second way of verifying their identity. This can be by presenting something they have, like a one-time passcode or security key, or something they are, which is generally a biometric identifier such as a fingerprint.
Phishing-resistant 2FA is the most secure option, yet only 26 per cent of survey respondents said their company had gone down the route of hardware security keys. Commonly used SMS codes sent to mobiles and one-time passcodes (OTPs) can still fall prey to phishing if users unwittingly provide the code to a cyber attacker, who can then relay it to the real site before it expires.
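To show why a hardware security key resists the phishing that defeats an OTP, here is an added example (not code from the article or from Yubico) that models both checks on the relying-party side. The OTP check has no notion of where the user typed the code, whereas a WebAuthn-style assertion carries the browser's origin inside the signed client data, so an assertion produced on a lookalike site fails verification. All keys, origins and timestamps are constructed, and an HMAC stands in for the authenticator's public-key signature to keep the example standard-library only.

```python
import hashlib
import hmac
import json
import struct

# Constructed sample values (not real secrets).
TOTP_SEED = b"constructed-totp-seed"
CRED_KEY = b"constructed-credential-key"   # stand-in for the key's private key
RP_ORIGIN = "https://bank.example"         # the real site's origin
LOOKALIKE_ORIGIN = "https://bank-example.login-verify.test"  # constructed phishing origin


def totp(seed: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238-style 6-digit code derived from the seed and the current time step."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10**6
    return f"{code:06d}"


def rp_verify_otp(submitted: str, unix_time: int) -> bool:
    """The server only sees digits; it cannot tell where the user typed them."""
    return hmac.compare_digest(submitted, totp(TOTP_SEED, unix_time))


def authenticator_sign(challenge: str, browser_origin: str) -> dict:
    """The browser, not the user, supplies the origin it is actually on, and it is signed."""
    client_data = json.dumps({"challenge": challenge, "origin": browser_origin}, sort_keys=True)
    sig = hmac.new(CRED_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "sig": sig}


def rp_verify_assertion(assertion: dict, expected_challenge: str) -> bool:
    """Accept only if the signed origin is ours, the challenge is fresh, and the signature holds."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != RP_ORIGIN or data.get("challenge") != expected_challenge:
        return False
    expected = hmac.new(CRED_KEY, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


def relayed_otp_accepted(unix_time: int) -> bool:
    """A code entered on a lookalike site and relayed within the time step is accepted."""
    relayed_code = totp(TOTP_SEED, unix_time)
    return rp_verify_otp(relayed_code, unix_time)


def relayed_assertion_accepted(challenge: str) -> bool:
    """The same relay fails for a security key: the signed origin is the lookalike's."""
    relayed = authenticator_sign(challenge, LOOKALIKE_ORIGIN)
    return rp_verify_assertion(relayed, challenge)
```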
Phishing scams, together with unsecured WiFi networks and unmanaged personal mobile devices often used for authentication in a work-from-home situation, can give cybercriminals a way in.
IT security plans in the hybrid work era
Organisations that heed the warning signs from this latest research will develop IT security plans to ensure secure access to systems without introducing new risks and vulnerabilities. Enabling stronger forms of authentication through identity and access management systems should be a top requirement for a work-from-home policy.
The pandemic has had a profound effect on the way we live and work, and the changes we’ve seen as a result have raised the cybersecurity threat level. Basic security measures fall short in protecting the high-value systems and data within financial services. As corporations adjust to a new working era that is likely to include more workers logging in from varied locations, they will need strong authentication to mitigate the threat of attacks.