By Kannan Agarwal

After years of saying, “It’s just not part of banking’s DNA”, work-from-home in financial institutions looks like it is here to stay.

Faced with tighter balance sheets and lower profits, banks are leaving no stone unturned, including the possibility of remote work as a permanent option for employees. Aside from protecting the health of workers and communities, it may be a far cheaper option than routinely testing employees for coronavirus infection and antibodies, and enforcing government-mandated standard operating procedures.

There is, however, a flip side.

The immediacy of quarantines saw a mad dash to the doorsteps of vendors; banks rushed to equip essential staff with hardware and software – laptops, conferencing kits, and virtual private network (VPN) passes – leading to a global shortage.

Deutsche deployed 50,000 videoconferencing sets within two weeks. Standard Chartered increased its VPN system by 600% since February. Goldman Sachs reportedly sent a midnight reconnaissance team to secure additional monitors from a warehouse in India.

“Everyone was facing the same problem at exactly the same time,” says Stuart Gurr, Deutsche’s group chief information officer for Asia Pacific, when asked by Retail Banker International. “Being decisive and acting quickly was critical. If you waited a day or two to decide on your strategy, laptops you wanted would have been gone.”

‘Unprecedented Anomaly’

In the rush to keep the cogs of the financial machinery turning, crucial elements were left by the wayside.

A March 2020 research note by digital advisory firm Javelin Strategy & Research had warned of increased security threats – protocol lapse, social engineering, malicious and negligent insider incursions – due to “a sudden work-from-home workforce”.

At the global height of the coronavirus outbreak, cybercrime targeting financial services reached an unprecedented level. VMWare Carbon Black, a subsidiary of Dell Corporation specialising in software security, detected an “unprecedented anomaly” in financial sector security breaches from early February to end-April 2020:

  • a 238% increase in cyberattacks;
  • a 9x increase in ransomware attacks; and
  • targeting of customer service representatives and consumers directly by exploiting gaps in the wire transfer verification process or through social engineering attacks.

Reuters reports that at the height of the pandemic in the US, JP Morgan had 180,000 of its 200,000-strong workforce voluntarily working from home. “However, a number of critical functions for the bank – such as securities trading and IT tasks – are significantly more difficult to perform in remote-work situations,” states the news agency citing an internal memo it had obtained.

Across Asia, although humans are slowly trickling back into financial districts, a majority continue to telework. Here, chief information and security officers must take the lead in transitioning teams to collaborate on secure platforms and in extending the security perimeter to cover endpoints outside the corporate network.

Some guidelines on how this transition can take place:

Shift to a Threat-centric Mindset

Oliver Friedrichs, an antivirus veteran and co-founder of several cybersecurity companies acquired by Symantec and McAfee, emphasises the need for banks to inculcate a threat-centric mindset in an interview with Bank Info Security:

“As we raise the bar, threats will continue to jump over it. You have to deal with that breach and that includes technologies on the forensic side, the incident response side, whether it’s memory forensics or incident response to recover from a threat.

“A threat-centric approach to security is really getting back to what security is all about…as an industry we tend to focus on things like compliance and other factors, but fundamentally, customers, especially if you look at the Fortune 500 or 1000, they’re dealing with advanced threats today, and that is the single biggest problem faced.”

This involves addressing each phase of the threat life cycle:

> Before: Technologies you can use to protect yourself before you get attacked, like a firewall. It reduces the attack surface so that fewer applications and fewer protocols are allowed through, but doesn’t necessarily block attacks.

> During: Using intrusion prevention systems or antivirus software. These are meant to detect, at a certain point in time, whether a threat, content, or object is a threat. If it’s not, then it’s allowed through and typically forgotten.

> After: Systems to tackle post-security breach, i.e. when a threat bypasses those defences, which is increasingly more common today.

“The reality is that there really isn’t a cohesive solution that ties those three steps together – the before, during, and after. That’s really where we’re looking at investing, to really tie together that whole threat continuum to provide a threat-centric approach to security,” Friedrichs said.

Protecting the brand today necessitates asking a different question. Instead of, “What should I do to check the box?”, look at your extended security perimeter and ask, “Where will the next threat come from?”

Safeguarding Data

Regulators have granted banks temporary flexibility in order to cut red tape and guarantee business continuity. These include accepting e-signatures in processes that usually require a wet ink signature and the use of customer selfies to verify their identity. These decisions inadvertently increase the risk of data breach.

In all cases of remote access, teleworkers must exercise the level of care set by the respective national data protection acts, including active enforcement, immediate investigation upon detection of a data breach, and reporting a breach within the specified timeframe. There are no exceptions to the policies outlined in the banks’ information security plan and the message from regulators has not changed, i.e. no carte blanche for reckless behaviour, with emphasis on “reckless” as authorities are aware that some leeway is needed during this period of adjustment. Bankers are encouraged to be open and continuously engage with regulators should they be hard-pressed to comply.

In addition to national legislation, conducting a data privacy impact assessment on teleworking is beneficial in order to identify and mitigate data protection risks. The UK’s Information Commissioner’s Office has extensive tools for financial institutions and designated data protection officers, which may be useful guides for compliance officers in other jurisdictions.

Secure and Reliable Connections

Even the best-laid plans can go awry.

Behemoths like Chase, TSB, Capital One, Bank of America as well as regional players have had network outages and access issues, with customers turning to social media to vent their frustrations. Other banks have had to do the ‘intercontinental shuffle’ as network bandwidth hit limit up. Sources informed Reuters that Citigroup asked some employees to log in to its remote access system only after 1 p.m. to prevent systems from being overwhelmed by both Europe- and US-based staff logged in simultaneously. The news agency also cites a Wells Fargo memo asking teams to only begin conference calls at 2.20 p.m. and other odd times to avoid clogging teleconferencing systems.

Even the Big Four consulting firms, whose mainstay is advising other financial actors, have experienced web downtime…an embarrassing (but not fatal) circumstance.

The rise of collaborative tools like Zoom has sounded alarm bells. The suddenly popular videoconferencing service is now facing at least one class-action lawsuit for illegally sharing personal data with third parties like Facebook and falsely asserting its service was end-to-end encrypted (note: it was not). This came after the Federal Bureau of Investigation issued a public warning about increased Zoom-bombing, i.e. when hackers join a video conference and post pornographic or hate images in the virtual meeting room.

Through this crisis, network pressure points and gaps have emerged. Now, it’s time for networks to up their game (and bandwidth) by leveraging on innovations like cloud technology (see Demystifying the Cloud, page 68) and making a concerted enterprise-wide move towards enterprise-wide adoption of Agile (see Agile Finance: Moving from Cruise Liner to Speed Boats, page 18).

Lurking Landmines

Then there are work-from-home risks that appear when you least expect it.

On 25 May 2020, the federal court of Switzerland decided that employers were required to partially cover an employee’s monthly rental payment under work-from-home arrangements. This is under the proviso that the employee is expected to work remotely as part of his or her job.

Web portal Swissinfo.ch cites a report by the German-language newspaper Tages-Anzeiger that an accounting firm had “argued that they had not reached an agreement with the employee ahead of time and therefore was not obligated to cover part of his rent. The court rejected this argument and added that the employee could even request rent compensation retroactively after leaving the company”.

This landmark Swiss ruling is likely to establish precedents in other jurisdictions and will undoubtedly impact business scenario planning as remote work options become the norm.

With this in mind, we must be aware that any prescriptive, step-by-step plan only reflects the risks or ‘landmines’ at that point in time. To effectively navigate the rough months ahead, organisations must rely on every officer’s good judgement, feedback, and courage to communicate these unforeseen landmines up the value chain.

A Checklist to Reduce Security Risk in the Sudden Age of Remote Work

Doug Saylor, a director at global tech advisory firm Information Services Group, recommends enterprises immediately protect their assets by addressing risks in these three critical areas.

Technical

  • Ensure internal and external workers have VPN access and use it for all connections to corporate networks.
  • Require all employees to use endpoint protections (A/V, personal firewall, etc.). Increase the company’s security level to a higher-than-normal setting and turn on logging for employees in geographies with known security issues.
  • Where supported, use network access controls to validate users and acceptable device configurations during connectivity to enterprise networks. If a device cannot be secured, quarantine it until security issues can be remediated.
  • Require employees to use company-provided assets whenever possible.
  • For high-risk industries, implement data loss prevention (DLP) solutions for access to a broader-than-normal data range. At a minimum, implement DLP for the most sensitive data, if not already in place. Use virtual desktops for sensitive applications to prevent the possibility of data exfiltration.
  • Encrypt all sensitive data at rest and in transit. Many companies do the former; few do the latter. An increase in usage of insecure networks by some remote workers significantly increases the theft risk for data in motion.
  • Encrypt emails when possible. Some technologies, such as Microsoft Office 365, have built-in encryption capability. Publish guidelines on the proper configuration and usage of these technologies for all employees and partners.
  • Avoid public Wi-Fi. The local coffee shop network is at higher risk of being hacked or mimicked. Turn off the ‘auto connect’ function for all Wi-Fi connections to avoid accidental connection to a rogue hotspot. If possible, use a company-provided hotspot or Mi-Fi device for basic connectivity.
  • Educate employees about the importance of being aware of where they are and physically protecting company assets like laptops and hotspots.
  • Instruct employees and provider employees to force the use of screen locks within a shorter-than-normal timeframe and avoid leaving a logged-in device unattended.
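As an added illustration (not part of the article or ISG’s checklist), the following read-only PowerShell script audits a Windows 10/11 laptop against the endpoint-protection, encryption-at-rest, screen-lock and Wi-Fi auto-connect items above. It assumes Microsoft Defender, an elevated session (BitLocker queries need it), and an assumed policy of locking the screen within five minutes; it reports findings and changes nothing.

```powershell
# Added example, not from the article: report-only audit of one Windows endpoint
# against the "Technical" checklist. Assumes Defender, BitLocker and an elevated session.

$maxLockSeconds = 300   # assumed policy value: lock the screen within 5 minutes of inactivity
$findings = @()

# Endpoint protection: Defender real-time scanning and the host firewall on every profile
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $findings += "Defender real-time protection is off" }
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $findings += "Host firewall is disabled for the '$($_.Name)' profile"
}

# Data at rest: BitLocker must be actively protecting the OS volume
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -ne 'On') {
    $findings += "BitLocker protection is '$($os.ProtectionStatus)' on $env:SystemDrive"
}

# Screen lock: screensaver active, short timeout, and password required on resume
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
if ($desk.ScreenSaveActive -ne '1' -or [int]$desk.ScreenSaveTimeOut -gt $maxLockSeconds -or
    $desk.ScreenSaverIsSecure -ne '1') {
    $findings += "Screen lock not enforced within $maxLockSeconds s (active=$($desk.ScreenSaveActive), " +
                 "timeout=$($desk.ScreenSaveTimeOut), secure=$($desk.ScreenSaverIsSecure))"
}

# Wi-Fi: saved profiles set to 'Connect automatically' can silently join a look-alike hotspot
$profiles = netsh wlan show profiles | Select-String 'All User Profile\s*:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
foreach ($p in $profiles) {
    $detail = netsh wlan show profile name="$p"
    if ($detail -match 'Connection mode\s*:\s*Connect automatically') {
        $findings += "Wi-Fi profile '$p' auto-connects; remediate with: " +
                     "netsh wlan set profileparameter name=`"$p`" connectionmode=manual"
    }
}

if ($findings.Count -eq 0) { "No findings: endpoint meets the checklist baseline" }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it under the user’s own account so the HKCU screen-lock values reflect that user’s session; the remediation commands are printed, not executed.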

Human Resource

Employees who work on sensitive or secret programmes will become high-value targets if allowed to access information remotely. Organisations should:

  • safeguard required data with special information security protections.
  • put in place physical security controls to ensure the overall safety of the employee.

Legal Protections

  • Pay special attention to location provisions, data confidentiality, limitations of liability, and indemnification provisions as they relate to remote workers.
  • Review cyber insurance policies to determine if exclusions exist for remote workers or provider employees who are not using systems that comply with your corporate security policy.

Kannan Agarwal is a researcher with Akasaa, a boutique content development and publishing firm with presence in Malaysia, Singapore, and the UK. His focus is digital content and Big Data analytics.