Cybersecurity in the Age of Remote Working: How CUs Can Safeguard Operations
It’s critical that CUs have the right safeguards in place to protect sensitive data as more employees work remotely.
The coronavirus pandemic has introduced numerous obstacles for organizations of every size and sector and, in many cases, changed the way companies will operate even after the virus is finally under control. A prime example of this is the shift to remote working. According to Gartner, 82% of organizations will allow employees to work remotely some of the time moving forward.
Looking specifically at the financial services industry, Deloitte also said it expects remote work to increase significantly. The firm pointed to the trend as one of 10 COVID-19-related forces impacting global retail banking, stating, “Remote operating models will evolve at an accelerated pace and will drive both benefits and stresses for employers and employees alike.” In today’s heightened threat landscape, it follows that cybersecurity will factor prominently into credit unions’ concerns surrounding the remote working model. With that in mind, let’s take a look at some key security hurdles and what organizations can do to overcome them.
Protecting the Network
Safeguarding members’ financial data and other sensitive information is both a perennial priority and a perennial challenge, and the challenge only grows when employees are working remotely and accessing corporate files and systems from home. That’s why it’s critical that credit unions introduce new security policies and expectations in tandem with any remote working rollout.
Much of this comes down to education. Employees may be well-versed in security best practices in the office, but it’s not unusual for them to take a much more relaxed approach at home. Many common consumer devices like smart TVs or baby monitors can introduce a range of security vulnerabilities, and there is also the possibility that children or spouses might accidentally download malware on the home network. As such, credit unions should encourage employees to set up a separate Wi-Fi account that can be used solely for business. In addition, it’s important that they use their VPN to access any file or system when they are not physically working out of a branch.
Avoiding Hackers’ Cross-Hairs
Hackers are always poised to capitalize on a crisis, and there have already been numerous breaches associated with COVID-19. Recent research from Next Caller on pandemic-related security concerns found that 44% of respondents have noticed an increase in emails from unknown sources, and calls and texts from unknown numbers. This is a common marker of phishing attacks – scams in which hackers pose as companies or trusted individuals offering a legitimate service in an attempt to trick recipients into disclosing sensitive information. Credit unions should encourage employees to check for grammar, punctuation and formatting errors in all communications, as these are often signs that something is amiss.
Generally speaking, it’s also a good idea to avoid clicking on links in emails. If employees know the web address for the service referenced in the email, they are better off opening a browser and typing it in directly. If they must click on an email link, advise them to hover over the link as most email clients will show the full URL. Before actually clicking on the link, it’s important to review the URL and look for unrecognized domain names, including ones that may simply have dashes, extra characters, or additional letters and numbers inserted in them. For instance, if the corporate domain is mycompany.com, a phisher may try to craft an email with a link to my-company.com or some other variant that points to a similar domain they have registered.
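The URL review described above can also be automated, for instance in a mail filter or a link-reporting tool. The following Python is an added example, not part of the original article: it classifies a link's real hostname against the corporate domain (mycompany.com, as in the text). The function names, the digit-substitution table and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Characters commonly swapped in to imitate letters (constructed, not exhaustive).
# Hyphens are dropped so that my-company folds to mycompany.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url, corporate_domain="mycompany.com"):
    """Return 'trusted', 'lookalike' or 'unrelated' for the link's real host."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    corp = corporate_domain.lower()
    # Only the exact domain or a true subdomain of it is trusted.
    if host == corp or host.endswith("." + corp):
        return "trusted"
    corp_name = corp.split(".")[0]
    labels = host.split(".")
    # Assumption: the registrable name is the second-to-last label
    # (no public suffix list, so names under e.g. co.uk are not handled).
    name = labels[-2] if len(labels) >= 2 else host
    folded = name.translate(HOMOGLYPHS)
    if corp_name in folded:
        return "lookalike"   # dashes, digit swaps, or extra words around the name
    if edit_distance(folded, corp_name) <= 2:
        return "lookalike"   # extra, missing or changed letters
    if corp_name in (label.translate(HOMOGLYPHS) for label in labels[:-2]):
        return "lookalike"   # corporate name used as a subdomain of another domain
    return "unrelated"
```

A result of "unrelated" means only that the host does not imitate the corporate name; it is still not the corporate domain and should not be treated as trusted.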
Another common way hackers infiltrate corporate networks is by exploiting credentials that are easy to guess or have been compromised in a previous breach. This was a security headache long before the pandemic, but it could become an even bigger issue with the shift to remote working. Employees may be creating new digital accounts or accessing different resources than they did in the office. If any of these are associated with weak or compromised passwords, it’s akin to rolling out the welcome mat for hackers.
In a perfect world, credit unions would implement strict password policies that mandate the creation of strong, unique credentials and prohibit users from reusing passwords across multiple accounts. However, the reality of our times is that companies must expect poor password hygiene from their users and instead monitor passwords on an ongoing basis to ensure they haven’t been compromised.
With breaches occurring on a near real-time basis, the only way to do this effectively is by screening credentials against a live database of exposed username and password pairs. As part of their remote working planning, credit unions would also be wise to review existing authentication mechanisms and determine what, if anything, should be stepped up to support a more distributed workforce.
One must-have capability in this review is single sign-on, or SSO, for all corporate services. This allows a single set of credentials from the corporate directory to be used for any service a user legitimately needs – for example, a third-party cloud-based accounting system. Among other advantages, SSO makes it possible to monitor and audit user credentials for compromise in one location, rather than each user having multiple credentials scattered across a number of different services, each of which could be compromised independently.
Mitigate the Insider Threat
Employees can inadvertently be a credit union’s own worst enemy when it comes to practicing good security hygiene. In addition to the examples outlined above, they may look for workarounds as they adapt to an increasingly remote or hybrid working model. For example, it can be tempting to take copies of confidential data, email them to personal accounts, copy the information to a USB drive, or take a similar shortcut in the name of convenience.
Companies should be mindful of this tendency and determine how to address it as part of the remote working shift. It might make sense to collaborate with IT to add new resources or files to the intranet, or launch other digital services that will make it easier for employees to do their jobs remotely. Of course, regardless of what an organization introduces to discourage workarounds, it’s important that credit unions still monitor for this activity wherever possible and continually educate employees on the importance of following security best practices.
While the above are some of the chief security challenges associated with an increased remote workforce, this is not to suggest that the model is devoid of perks. On the contrary, increased productivity, enhanced communication, access to a wider talent pool and unexpected cost savings are among the benefits credit unions may experience as remote working accelerates. However, with the possibility of a second wave of COVID-19 looming, it’s critical that credit unions have the right safeguards in place to protect sensitive data as more employees work remotely.
Mike Wilson is Founder and CTO for Enzoic, a cybersecurity company based in Boulder, Colo.