WFH Best Practices for the Financial Services Industry

FS-ISAC or the Financial Services Information Sharing and Analysis Center, is a global non-profit dedicated to reducing cyber-risk in the global financial system with nearly 7000 financial institutions, across over 70 jurisdictions, as members.

It gathers and shares critical and time-sensitive cyber intelligence, analysis and threat assessments among its members, which not only results in a collaborative crowdsourced effort to safeguard cybersecurity for the industry, but also makes them the authority on best practices for Work From Home (WFH) measures.

Enterprise IT News speaks to its Executive Director in Asia Pacific, Brian Hansen.

EITN:  What are the top 3 data privacy and security implications of WFH?

 Brian: There are several data privacy and security implications arising from a sudden and massive transition of the workforce from working in an office environment to their homes.

A distributed workforce will bring with it a sudden increase in personal devices being used for work purposes. Personal devices tend to be less secure, and most staff will face some challenges in maintaining proper security practices over a long period of time in a home environment. Managing device sprawl and patching and securing hundreds and thousands of endpoints will be a growing challenge – essentially a bring-your-own-device situation on steroids.

There likely will be an impact on infrastructure – IT teams will need to ensure security tooling is going to work off the network and that there is a requirement or security control in place to monitor all web traffic.

More heavily regulated industries may have additional challenges because of regulatory requirements. We have seen increased interest and collaboration on best practices for implementation amongst our members in the financial services sector.

The worldwide shift to working from home has also led to an increase in cyber attacks with phishing appearing to be one tactic of choice. Of note we are noticing that as several countries begin payouts to citizens and businesses to bolster local economies, criminal groups are using Covid-19 campaigns to go after these funds. Organizations should be sure to remind personnel about proper cyber hygiene as well as reemphasize what technologies and services are allowed.

Policies and governance will also need to be updated. Security, privacy, risk and compliance teams will be adjudicating policy exception requests. Many may be valid, but not all will be wise business decisions. There will be a need to ensure that adjustments to IT protocol aligns with the organization’s risk appetite.

EITN: What are the systems, tools and support required to make WFH a success?

 Brian: As a very first step, organizations implementing wide-scale work from home scenarios will need to  ensure that technology and security representatives are embedded in the various planning groups to allow proper consideration of the myriad of technical aspects of this shift, including the security considerations that come along with it.

That aside, IT teams will need to over-communicate with personnel, ensuring that how-to documents and FAQs are readily available. IT, security, and HR contacts should also be widely shared and made easy to reach for staff who might need support.

The right collaboration software will need to be made available as a means to discourage the use of unsanctioned services within the IT environment. It is recommended to purchase these additional licences if needed. For example, if you’re utilizing Office 365, remind employees to use Teams, SharePoint and OneDrive to share documents and collaborate. Ensure that employees are not trying to use services that are not sanctioned by IT, for example, using personal editions of Google Drive or Dropbox. Explicitly block unsanctioned services – this is a very important precaution.

While companies should ensure staff only use approved software and communication platforms, they can also maintain a means for employees to recommend new tools or software that companies could use. For instance, perhaps a team member finds a useful mobile application for research or learns about a better video conference tool, it would be great for them to be able to share it so as to potentially improve said company’s capabilities.

Define the options for staff around the world to access your environment. Be sure to set proper user-level and admin-level accesses. Connectivity options include corporate devices with VPN, VDI, cloud workspaces, bastion hosts, and potentially personal devices with your corporate VPN and robust host checking.

It is also recommended to monitor for unsanctioned data access and movement. Adapt your data loss prevention (DLP) and user behaviour monitoring rules to account for remote workers which may include but not be limited to concerns around printing at home, email forwarding, external storage drives, and alternate work schedules.

Financial services companies will need to determine how much risk for insider threat they are willing to take with a distributed workforce that is primarily remote. They may need more frequent local supervisor checks, in the form of phone calls, video conferencing, or text messages, to ensure that staff are following the right procedures and continue to remain mentally healthy.

Beyond that, double down efforts on security patching and updating remote access management solutions and continue to check in with ISACs and other intelligence sources to keep up to date on evolving threats and best practices. This is especially important as we are seeing upticks in activity by cyber threat actors taking advantage of Covid-19.

EITN: Are there any regulatory concessions that need to come into play for WFH to work? How to roll it out and any cautionary advice on how to implement? What are the measures and controls you would put in place to ensure business continuity as well as data integrity and integrity of the financial services industry isn’t compromised?

 Brian: Though we are not able to comment on regulatory issues pertaining to each market, it is essential for companies to adhere to the legislative environment of the markets they operate in.

Beyond the considerations listed previously when implementing WFH, some key tips are:

  • Conduct comprehensive testing on remote capabilities and compliance controls to ensure sufficient oversight and bandwidth for staff to work remotely.
  • Assess the risk of remote workers’ computing setups and ascertain how they will be connected to the company network and via which devices. Implement tools to ensure the traffic is monitored and that notifications are enabled appropriately.
  • Standardize the process and decision criteria around granting and tracking policy exceptions (for example printing at home, using USBs, personal computers and so on).
  • Instruct employees to do the following:
    • Review online collaboration tools before deploying them, and check existing security and reports.
    • Practice proper cyber hygiene, including installing anti-virus software, ensuring systems and apps are updated, utilizing multi-factor authentication and reminding staff not to click suspicious links.
    • Be cautious of sharing links outside of the organization.

EITN:  What adaptations would you recommend to current cybersecurity measures to enable WFH? Any best practices on how to implement? What other industries could adopt these measures as well?

Brian: Companies should consider remaining flexible in the beginning as staff members get used to operating outside of the office. Leaders need to remember that the staff member may not be the only person working from home. Many students are now doing online learning, and spouses and partners may also be working remotely. Employees may not have access to childcare and need to step away to take care of infants and little ones or support elderly parents.

Frequent checks on staff to ensure they are mentally healthy is important. Leaders should also look for innovative ways to interact with team members when they cannot physically visit them during the day at their work desk. Above all, be prepared for this operating environment to not end quickly. Companies should also be planning on how to integrate teams back into the physical space once it is safe to do so.