Cybersecurity Controls Should Not Be Relaxed As Employees Work from Home

This blog is posted on behalf of John Moeller and Sundeep Bablani from CLA’s Information Technology team. 

In the face of COVID-19, employers around the world are being challenged to design new ways to allow their employees to remain productive while working from home.  Though financial institutions have long been at the forefront of technology, we have seen many institutions struggle to implement widespread work-from-home initiatives. 

As your institution adapts to the new normal, we recommend that you carefully consider the cybersecurity controls you have in place around remote work.

New Corporate Laptops and Bring-Your-Own-Device Create Additional Risks

In a perfect world, there is time to plan and prepare for a crisis and ensure that there are adequate checks and balances in place.  But in the midst of this pandemic, when the world seems to be shifting daily, the time to deploy technology has been greatly reduced, and unfortunately that can lead to gaps in internal controls.

Some institutions do not have the infrastructure in place today to allow a significant portion of their workforce to work from home.  Without enough laptops and other resources, some institutions have begun allowing employees to use their personal devices as a temporary stopgap without all of the controls and limitations that might be in place on corporate hardware.  Other institutions are quickly deploying new laptops to their teams, but in some cases are not taking the appropriate time to properly configure applications to ensure adequate security. 

Many financial institutions have reported an increase in phishing emails and other attempts to take advantage of these newfound vulnerabilities, so institutions should be cautious not to open the doors to hackers due to a lack of established controls.

How Institutions Can Evaluate and Implement Additional Controls

Several frameworks, including NIST, COSO, and FFIEC, include risk and control considerations related to the use of technology by employees who access the institution’s network remotely, and these may be helpful to management teams.

In addition, prior to implementing remote access, we recommend that management carefully consider whether their plans include the following controls:

  1. Remote devices that are adequately secured, including encryption of sensitive data, malware protection, and up-to-date patches
  2. Restricting access to only business hours, as appropriate
  3. Implementing multi-factor authentication
  4. Activating and monitoring audit logs for remote access
  5. Turning on alerts and notifications for unusual activity, if applicable
  6. Encrypting data in transit
  7. Strict hardening standards for devices assigned to employees
  8. Limiting the use of portable storage devices
  9. Limiting individuals with the privileges to grant remote access
  10. Educating employees on security over printing documents using personal devices

In addition, financial institutions should carefully monitor for unusual or unexpected activity and ensure there are adequate lines of communication available for employees if they notice anything suspicious. 

Next Steps

All employees should be reminded periodically of the institution’s security awareness policies.  In some cases, these policies may need to be enhanced for a remote environment to include additional procedures for validating customer identification and call-back verifications, as well as guidelines for not clicking on links within emails or responding to phone calls that require personnel to provide their credentials. Even though things are hectic, now may be the time for additional employee training and communication.

As your institution continues to adapt to this new environment and manage employees in new ways, CLA is here to help.  Our information technology team has hands-on experience helping institutions deploy a remote workforce.  Please contact us.

  • 309-495-8842

Amanda Garnett is a principal in the financial institutions practice of CliftonLarsonAllen (CLA) from Peoria, Illinois. She currently leads the firm’s Midwest financial institution tax team and serves institutions ranging in size from $15 million to $3.5 billion in total assets. In addition to tax compliance, Amanda assists clients in the areas of tax consulting, mergers and acquisitions, and regulatory reporting. She also routinely teaches courses for banking associations across the country.
