By Pete Watson, CEO, Atlas Cloud
Financial advisors, insurers, banks and brokers: the entire financial services sector has been forced to rethink operating models to keep staff safe and clients served throughout a global pandemic. Traditionally, the industry as a whole has been slower to embrace home working and the solutions that power it, as roles were heavily office-based, or branch-based in the case of traditional banks.
Underpinned by stringent regulations and with access to an abundance of sensitive data, the process of remote cloud-based working is not only a discussion of logistics. It also throws up huge security considerations for firms making the transition. With 95% of financial services applications now said to possess vulnerabilities, it is easy to understand any reservations these companies might have about implementing a Software-as-a-Service working environment.
However, these same concerns may also hinder success in the long run, as a more flexible digital approach moves from value-added to business-critical in a remote setting. The question is, how do firms create a setup that both minimises risk and maximises success?
Understanding your needs
As with every new technology, the first step is understanding why your business needs it. Like all modern workplaces, financial service firms expect a lot from their IT infrastructure. Users require better connectivity, access and speed from their systems and decision makers must implement a network connectivity infrastructure that can meet these demands. Today, this setup must also account for every device that employees are using to work remotely.
Next are the fundamental security considerations. It goes without saying that financial services epitomise the need for watertight IT systems. Financial service firms store their sensitive information within key applications, all of which vary based on the service requirements. With sensitive customer and company data stored in applications and on devices, their networks are at constant risk of compromise.
Protecting this information is a necessity and managing a large-scale shift to the cloud must cover every base – particularly as cybercriminals have raised their game to ‘exploit the chaos’ during lockdown. However, there is often a big difference in where those key applications are hosted.
Setting up securely
If financial firms have older applications, then data will typically be stored on-premise on company servers. Where this is the case, moving to a cloud-hosted virtual desktop environment offers a quick way to get remote working underway securely and with minimal friction. Modern Desktop-as-a-Service (DaaS) solutions can replicate the familiar desktop setting users know and love, but allow them to access all data, email and applications from anywhere and on any device. With all data managed in a secure cloud setting, no sensitive data is stored directly on the end-user device. This improves all-important cyber resilience without having to invest large resources in upgrading to new iterations of required software applications.
In other cases, many firms have already migrated legacy on-premise applications to SaaS-based applications, which alleviates the hosting burden with access enabled through your everyday web browser. However, where sensitive data is concerned, it is not quite so easy to just give employees access to a SaaS platform, where they can use any device and download often sensitive data to uncontrolled personal devices outside of the company network.
This issue has intensified in lockdown. A recent survey found that 23% of those working in financial services are now using their laptop to work, with 43% storing work on their personal devices. Inevitably, more devices in use leads to more potential entry points. A large amount of trust is placed with individuals to make sure they’re working safely. But when handling large caches of highly sensitive data, even the smallest oversight or breach could prove disastrous when adequate levels of threat protection are not in place. With 20% of home workers having taken no action to mitigate potential cyber threats during lockdown, successful security becomes about the safeguards that firms actively put in place.
To alleviate risk, companies would previously look to IP address blocking, which restricts access to SaaS logins to only ‘whitelisted’ IP addresses, such as the company premises. When working out of the office, you could then use a VPN to route your internet back through the office and allow access. However, as many have learned, a VPN-based approach has inherent security challenges that can be exploited by attackers to gain access to a network. A weak identity or unguarded device can allow unwanted visitors access to data through a VPN, with many often flying under the radar undetected. What’s more, at a time when access to on-premise devices and networks is limited, the significant housekeeping to stay on top of patching VPNs is by no means scalable or effective.
Assessing your options
Hosted virtual desktops offer a convenient solution to these issues, as firms no longer need to rely on the security of every device, and all security patching and updates can be applied to all users simultaneously. Yet, for firms already running their business from SaaS applications that enable access from anywhere – albeit not as effectively – this can seem an unnecessary expense. So, how do you then unlock the security benefits without overhauling your IT approach?
There are various solutions that offer add-on security features to your existing SaaS-based setup. The likes of Citrix Workspace can deliver a secure multi-factor login into one controlled cloud environment, providing access to pre-approved company apps and file storage with one-click access. Although a seemingly simple change, this additional layer not only keeps firms in control, but also affords user access to business-critical information and apps from any Internet-enabled location.
This calibre of financial data naturally makes firms across the sector susceptible to an array of other cyber threat tactics. Financial services are no stranger to spam emails which include viruses, or calculated impersonation attacks designed to deceive staff with malicious attachments, URLs and other pieces of content. When assessing a workspace setup, financial service companies must consider exploring multi-level assessment solutions that deliver advanced checks to protect them from this popular method of attack. What’s more, modern disaster recovery from certified suppliers can reduce risk of network downtime, eliminating the potential reputational damage (as TSB suffered) and FCA fines, and maintaining continuity with data loss measured in seconds, not minutes.
Remote working is here to stay, and the time to act on security is now. While it can be a daunting task for finance companies, simply ignoring the growing cyber risks of a modern working environment could be catastrophic. By working with the right partners to put these safeguards in place, financial services can arm their workforce with secure remote working at scale, keeping threats at bay and maintaining the standard of client care needed to assure customers in times of change.