Banks are familiar with the need to keep businesses running, and have been key targets of cyber-threats.
As the escalating global spread of COVID-19 has led governments to order mandatory quarantines, lockdowns and other social distancing measures, businesses around the world and across many sectors have been significantly affected.
Many have implemented business continuity plans that rely on staff to Work-from-Home (WFH) or leverage other remote working arrangements.
WFH arrangements bring with them unique cybersecurity considerations for any organization.
Banks have traditionally borne the brunt of cybersecurity threats, and are also highly regulated. They also have to find workarounds to maintain operability, keeping ATMs and other essential banking services running. With WFH being implemented, banks are effectively writing best practices as they go.
To find out what banks are doing and how organizations in other industries can follow suit, DigiconAsia sought out some insights from Brian Hansen, Executive Director Asia-Pacific at FS-ISAC.
The Financial Services Information Sharing and Analysis Center (FS-ISAC) is a global non-profit dedicated to reducing cyber-risk in the global financial system with nearly 7,000 financial institutions as members, spread across more than 70 jurisdictions worldwide. Founded just over 2 decades ago, FS-ISAC gathers and shares critical and time-sensitive cyber-intelligence, analysis, and threat assessments among its numerous members, making a concerted, collaborative, crowd-sourced effort to safeguard cybersecurity in the global financial system.
What are some key concerns and challenges for Work-from-Home strategies? Which industry sectors are most impacted?
Hansen: There is an influx of personal devices being used for work purposes, which tend to be less secure. Managing device sprawl and patching and securing hundreds of endpoints will be a growing challenge.
Current IT infrastructure may have to be adjusted to ensure security tooling is going to work outside the office network, and that there are security controls in place to monitor all web traffic.
Staff working from home may find it difficult to consistently practice proper cybersecurity hygiene for extended periods of time, so firms must consistently remind them to stay vigilant and to maintain practices like installing anti-virus software, ensuring systems and apps are updated, utilizing multi-factor authentication and not clicking suspicious links. Of note, we are noticing several countries begin payouts to citizens and businesses to bolster local economies, and that criminal groups are using COVID-19 campaigns to go after these funds.
They will also have to make it very clear what services and technologies are allowed and what are not.
Firms should also update policies and governance processes, enabling work to be done while maintaining compliance, security, and privacy requirements.
More heavily regulated industries may have additional challenges because of regulatory requirements. We have seen increased interest and collaboration on best practices for implementation amongst our members in the financial services sector.
While ensuring business continuity through such strategies, how could organizations also protect users and sensitive data in the face of cybercriminals exploiting crisis situations and the higher chances of insider threats resulting from employee carelessness or ignorance?
Hansen: The first step is to make sure cybersecurity and technology representatives are included on the ground floor of the planning for implementing wide-scale work-from-home.
Monitoring and setting rules will be important. Options for staff to access the company’s network must be defined to ensure proper user-level and admin-level access. Connectivity options include corporate devices with VPN, VDI, cloud workspaces, bastion hosts, and potentially even personal devices with corporate VPN and robust host checking.
Consistently monitor for unsanctioned data access and movement. Data loss prevention and user behavior monitoring rules will need to be adapted for remote workers. This includes concerns around printing documents at home, usage of external storage devices, email forwarding and so on.
Security patching efforts must continue at a higher intensity along with updating remote access management solutions.
Firms must also recognize that remote staff will need software to collaborate. The right collaboration tools and software must be made available, or staff may turn to unsanctioned services that could put them at risk.
Lastly, with the increased activity from cyber threat actors, it is essential that organizations continue to collaborate and check in with ISACs and other intelligence sources to keep up to date on evolving threats and best practices.
Please share some strategic considerations and best practices to ensure essential services continue despite mandatory quarantines, city lockdowns and other social distancing measures during crisis situations such as the COVID-19 pandemic.
Hansen: Financial services firms are continuing to provide essential services to keep the financial system up and running.
How individual institutions are responding depends on geography, size and scope. Where branches are closed because of COVID-19 prevention measures, institutions are offering digital products and services.
Many employees are now working from home and some firms have enabled them to provide services that previously they may have only had access to from offices or branches, albeit with enhanced security measures.
How could governments, enterprises and the affected workforce effectively adapt to such situations?
Hansen: Beyond the considerations listed previously when implementing WFH, some key notes are:
- Conduct comprehensive testing for remote capabilities and compliance controls to ensure sufficient oversight and bandwidth for staff to work remotely.
- Assess the risk of remote workers’ computing setups and ascertain how they will be connected to the company network and via which devices. Implement tools to ensure the traffic is monitored and that notifications are enabled appropriately.
- Standardize the process for and decision criteria around granting and tracking policy exceptions (for example printing at home, using USBs, personal computers and so on).
- Instruct employees to take the following precautions:
  - Review online collaboration tools before deploying them and check existing security and reports.
  - Practice proper cyber hygiene, including installing anti-virus software, ensuring systems and apps are updated, utilizing multi-factor authentication and not clicking suspicious links.
  - Be cautious of sharing links outside of the organization.
Organizations should also consider if the changes implemented will also allow for a return to normalcy, if and when operations eventually return to the pre-COVID-19 operating environment. However, they must also take into account “second waves,” as previous pandemics such as the 1918 Spanish Flu had several waves of infections over many months. Thus teams should plan for having to re-implement these new policies and procedures even after an apparent return to normalcy.