by Sanjay Parikh, Vice President – Professional Services, IT and Compliance, CRITICALSTART
Cyber security controls in the banking and financial sector are an absolute necessity as Internet scammers attempt to obtain sensitive information to gain access to credit and banking accounts. Now, with COVID-19 and many employees working remotely, it’s even more critical that employers carefully review their IT policies and procedures.
At Allied Affiliated Funding, we are acutely aware of the significant threat cyberattacks pose to our customers and encourage all our business clients to carefully evaluate their operating procedures to ensure they’re as protected as possible. Why does Allied care about your cyber security? We believe in the power of user education on important topics that can reduce risks to our clients’ businesses.
How a Remote Workforce Increases Your Vulnerability
As with anything, there are pros and cons to a remote workforce. While technology provides connectivity and allows many organizations to continue business as (almost) normal, sole dependence on a virtual workplace may leave a gaping hole in a company’s digital security if they’re not prepared. And many companies fail to grasp just how vulnerable they have become, due to an increase in their attack surface and their lack of the controls needed to protect their data.
As businesses increase their number of remote workers, data — originally stored on servers and branched out to local workstations within the four walls of an organization — has slowly crept out of these protected networks and onto remote laptops and storage repositories. According to U.S. Census data, in 2017 about 5.2 percent (or eight million people) worked entirely from home. Since the global pandemic began in March, that number has skyrocketed to more than half (51 percent) of American workers. To facilitate this exploding remote workforce, data is being used on more devices, creating a potentially disastrous security threat to organizations.
Top 4 Threats to Your Organization’s Data Security That You Can Quickly Address
While there are many potential ongoing threats to an organization’s data, we’ve identified the top four immediate threats:
1. Security Awareness.
Users are blasted with emails encouraging them to click on links, baiting them with information around current events. Remote employees are more isolated, left on their own to face these increasingly sophisticated phishing techniques. How prepared are your employees to address these attempts? Have you prepared them well through your own education and awareness training?
2. Accessing sensitive data through unsecured wireless networks.
If your remote workers are using their own home network, public hotspots (e.g., Starbucks) or other unsecured wireless networks, your organization’s data is at risk of being compromised, even more so when the employee is authenticating to a site or accessing sensitive data. To reduce this risk, employees should always use a secure VPN (virtual private network) connection when accessing sensitive information or authenticating to a website. Keep in mind what the VPN does and does not do: it shields the device’s traffic from whoever controls the local network, but it does not replace HTTPS on the site itself, and a split-tunnel VPN that carries only corporate traffic leaves the rest of the device’s traffic exposed to that network.
3. Use of personal devices.
Although convenient, personal devices may be insecurely configured, depending on who is responsible for maintaining bring-your-own devices (BYOD). Additionally, any time an employee who uses a personal device is terminated, some of your company’s intellectual property may still be on the ex-employee’s device, and unless the device is enrolled in a mobile device management (MDM) tool with remote-wipe capability, you have no way of retrieving or removing it.
4. Physical protection of information in public environments.
Employees who are new to working remotely may fail to take adequate precautions, particularly when working from a coffee shop or other public spot. Something as simple as a phone call may be a violation of your internal customer protection policies on confidentiality. Likewise, there may be sensitive information displayed on your employee’s laptop screen that is visible to others sitting nearby. Or, in a moment of carelessness, they may leave their device unattended while they order a cup of coffee or use the restroom.
6 Ways You Can Protect Your Company’s Data
Protection of data within an organization is a complex task, to say the least. But there are simple steps and basic controls every company should implement to protect their data and ultimately, their organization. Your organization should implement these processes and technologies to assist your employees in addressing the threats outlined above and to allow you to respond quickly if necessary.
1. Implement a remote work policy, or review your existing policy.
If you do not have a remote work policy, it is time to create one. If you do have an existing remote access or remote work policy within your organization, now is the time to review that policy to ensure it covers conditions that may apply to a more permanent remote workforce and address any of the concerns noted above. Be sure your policy addresses the daily threats your workers may encounter to help them face these threats proactively.
2. Restrict or remove administrative rights.
Restrict administrative rights to the individuals who genuinely need them, so that employees cannot download and install applications or tools that may introduce licensing issues, vulnerabilities, and additional help desk tickets. Your organization should already have a defined list of approved applications and tools that is consistent across your remote workforce; a standard build like this reduces risks and vulnerabilities across your entire organization.
3. Always use multi-factor authentication.
All remote workers should use multi-factor authentication. It limits the damage if a user’s password is compromised, because the password alone no longer grants access, and it makes your remote environment a harder target. Where possible, prefer phishing-resistant factors such as hardware security keys or app-based authenticators over SMS codes.
4. Use only secure networks.
Users should access sensitive data only through secure networks, such as your organization’s VPN. This protects the user and reduces the exposure of sensitive information.
5. Protect remote devices and workstations with an EDR solution.
An Endpoint Detection and Response (EDR) solution, used alongside an endpoint protection (anti-malware) solution, helps protect all laptops, workstations, and servers by letting your company monitor endpoint events and respond by isolating or shutting down a compromised device as needed. An EDR tool is only as useful as the team watching it, so it is typically operated by a Security Operations Center, which for many organizations means an external (managed) SOC.
6. Develop a proactive incident response plan.
Should your organization experience a security incident, a documented incident response plan with clearly outlined steps helps you organize the response, investigate, contain the issue, and reach a conclusion quickly and effectively. Test the plan before you need it; being proactive about potential concerns before they arise is critical.
Of course, there is no bulletproof security plan to entirely guarantee that your organization’s data will never be compromised. However, taking the time to implement these processes and technology will reduce the likelihood of threats and help your organization establish a solid security foundation that can be built upon as your organization and remote workforce matures.
This article contains information about cybersecurity. The information is not advice and should not be treated as such. You must not rely on the information in the newsletter as an alternative to cybersecurity advice from an appropriately qualified professional. If you have any specific questions about any cybersecurity matter you should consult an appropriately qualified professional. The Bank excludes all representations, warranties, undertakings and guarantees relating to the newsletter. The Bank does not represent, warrant, undertake or guarantee that the information in the newsletter is correct, accurate, complete, or non-misleading; that the use of the guidance in the newsletter will lead to any particular outcome or result; or in particular, that by using the guidance in the newsletter your data will be safe from cyber breaches.
To the maximum extent permitted by applicable law, the Bank shall not be liable for any indirect, incidental, special, consequential or punitive damages, or any loss of profits or revenues, whether incurred directly or indirectly, or any loss of data, use, goodwill, or other intangible losses, resulting from (i) any content contained in the above newsletter; (ii) your use of the guidance contained in the above newsletter; or (iii) any unauthorized access, use, or alteration of your data which occurs due to your use of the guidance contained in the above newsletter.