Cyber security has recently been identified as one of the top risks facing banks, with the Bank of England’s systemic risk survey highlighting the extent of the challenge facing the industry. In response, banks have developed strategies to deal with such threats, backed by increased vigilance and innovative technology. But in a sector that is renowned for its global reach, the drive to offer convenience and ease of access to corporate and client data for staff on international assignments has changed the risk landscape forever.
The ubiquitous nature of smartphones and tablets has transformed the workplace, creating greater scope for flexible and remote working. But as the barriers to the use of personal devices have come down, the threat to corporate systems and confidential information has risen exponentially. Cyber criminals are eager to tap this rich seam of data and access gateway.
A sharp rise in the use of personally-owned devices in the workplace, dubbed ‘bring your own device’ or BYOD, has seen many organisations implementing policies for the use of non-corporate hardware. This trend is likely to continue, with some analysts forecasting a doubling of the current number of consumer devices in the workplace, reaching 350 million globally by the end of 2014. An additional challenge is also emerging in the guise of ‘bring your own application’ (BYOA), where staff who are comfortable with the latest app want it installed everywhere they work. Inevitably, this is likely to include personal, home and corporate devices.
With international assignments and remote working comes the risk of blurring the well-defined boundaries of a physical office, which goes well beyond the use of smart devices or the occasional day working from home. There is growing evidence to suggest that a greater focus is required to keep sensitive information away from prying eyes, while safeguarding the safety and well-being of staff.
Tackling this challenge requires the involvement of HR, IT and security teams, so that a strategy can be developed that effectively addresses security, personal safety and corporate governance.
For any work in high risk areas staff should be issued with a ‘clean’ designated laptop, pre-loaded with a basic profile that does not contain company or personal data. This should have whole disk encryption installed, which renders the device unusable should it fall into the wrong hands. In countries where stable internet access is available, some companies opt for ‘thin client’ type devices, so that data is stored remotely over a secure connection rather than held locally on the device itself.
Some simple additional steps, such as restricting the use of removable USB drives, strengthening passwords and restricting user privileges, can build further barriers to unauthorised access.
On location, the team must consider arrival and departure issues, particularly if carrying specialist kit and documents. Data storage and the possible removal of sensitive data from the jurisdiction can also prove challenging in some parts of the world.
Whether working out of a hotel room, a hotel meeting room, space in the firm’s local office or a client’s site, each scenario will present different security risks. Irrespective of the location, issues such as room cleaning and access control should be considered, alongside the safe storage and disposal of documents, flipcharts and diagrams.
Electronic devices are of particular concern and teams must remember working remotely means corporate security can only do so much; local security rests squarely with the staff on-site.
Laptops should be turned off when work is completed or they are not in use, rather than merely locked using the screen saver or left unattended in sleep mode, as in those states the disk encryption may not be in effect. In particular, any training should highlight the importance of keeping an eye on laptops immediately after power down, as the encryption key is temporarily retained in the computer’s memory.
Public Wi-Fi hotspots have mushroomed in recent years and, while convenient, pose a particular security challenge for remote workers. If their use is unavoidable, a secure connection, often referred to as a VPN, should be established before any sensitive data is transmitted or internet sites visited. Apart from the technical risks, there are also physical considerations, such as ‘shoulder surfing’ and eavesdropping. Likewise, if printing, copying or scanning a document on a digital device, including copy and fax machines in hotel business centres, an electronic copy is probably stored in that device and is therefore vulnerable to unauthorised retrieval. For the same reason, electronic devices should not be lent to or borrowed from anyone outside the organisation.
Security measures used for work-related equipment should also be used on personally-owned devices. It is important to remember that location services on smart devices and posting information to social media can inadvertently generate risks. Meetings where sensitive issues are being explored should be held in internal areas of the building and it is sometimes a good idea to change rooms with minimal discussion and notice. For high risk countries, some organisations may even opt to bring their own security specialist or employ a trusted source for technical security countermeasures (TSCM), such as bug-sweeping.
Mobile telephones pose a security challenge in their own right and should be protected, with particular attention to the SIM card. The same rules should apply to tablets, where appropriate.
Once back home, devices that have been used outside the office should be reviewed. Best practice would suggest quarantining such equipment before connecting it to the corporate network, as any digital media used or collected during the visit, and any files transferred electronically, could contain malware. A forensic examination of activity, such as running processes and services, open connections, auto-run features, remotely opened files, mounted and un-mounted volumes and virus content, will identify anything unexpected. This information, in addition to a formal debriefing of travellers returning from high-risk locations, will be valuable for future assignments and help develop a profile of personal and information security risks for a specific country, client or project.
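A triage script of the kind this review implies, as an added example that is not from the article: it diffs a returned laptop's snapshot (processes, listening ports, auto-run entries, mounts) against the pre-travel baseline taken when the clean laptop was issued, and flags what needs a full forensic look. The two snapshots, the process names, port and paths are constructed; collect_linux_snapshot() is an assumed best-effort collector for Linux, not a tool the article names.

```python
# Post-travel triage: diff a returned laptop's state against its pre-travel baseline.
# Added example, not from the article. Snapshots are plain dicts of sets; the two
# constructed samples below stand in for real captures so the diff runs offline.
import os

# Constructed pre-travel baseline for the 'clean' laptop the article describes.
BASELINE = {
    "processes": {"systemd", "sshd", "gnome-shell", "firefox"},
    "listening": {("tcp", 22)},
    "autorun": {"/etc/cron.d/logrotate", "~/.config/autostart/nm-applet.desktop"},
    "mounts": {"/", "/boot", "/home"},
}

# Constructed post-travel snapshot: a new process, a new listening port, a new
# auto-run entry and a USB volume that was not present before departure.
RETURNED = {
    "processes": {"systemd", "sshd", "gnome-shell", "firefox", "updatesvc"},
    "listening": {("tcp", 22), ("tcp", 9001)},
    "autorun": {"/etc/cron.d/logrotate", "~/.config/autostart/nm-applet.desktop",
                "~/.config/autostart/updatesvc.desktop"},
    "mounts": {"/", "/boot", "/home", "/media/usb0"},
}

def diff_snapshots(baseline, current):
    """Per category, the items present now but absent from the baseline."""
    return {k: sorted(current.get(k, set()) - baseline.get(k, set()))
            for k in baseline}  # sorted so the report is deterministic

def needs_escalation(delta):
    """Quarantine rule: any new listener or auto-run entry goes to full forensics."""
    return bool(delta["listening"] or delta["autorun"])

def collect_linux_snapshot():
    """Best-effort live capture of processes and mounts from /proc (Linux only)."""
    snap = {"processes": set(), "listening": set(), "autorun": set(), "mounts": set()}
    if not os.path.isdir("/proc"):
        return snap  # not Linux: caller must supply a snapshot another way
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                snap["processes"].add(f.read().strip())
        except OSError:
            pass  # process exited between listdir and open
    with open("/proc/mounts") as f:
        snap["mounts"] = {line.split()[1] for line in f}
    return snap

if __name__ == "__main__":
    print(diff_snapshots(BASELINE, RETURNED))
```

In practice the baseline is captured at issue time and kept off the device, so a tampered laptop cannot rewrite its own reference.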
International assignments, with or without smart devices, pose a particular security challenge. Preparation, investment in configuration and reporting procedures, along with training, vigilance and common sense, will help strengthen banks’ resilience to such threats.
Martin Baldock, CISSP-ISSMP, is a managing director of Stroz Friedberg, a digital risk management and investigations company.