By Karen Epper Hoffman
Digital banking channels may be moving many customer interactions out of the branch, but until recently, most bank employees still spent their days working in financial firms’ premises.
As the coronavirus lockdown plodded forward, banks have been forced to very quickly adjust to a new reality of having many if not most of their employees work from home—a shift a lot of financial institutions have been ill-prepared to make. “Many companies were not ready to deal with a large remote workforce,” says Mathieu Auger-Perreault, director for fraud and security at Javelin Strategy and Research. In a March 2020 Javelin research note, Auger-Perreault cited protocol lapse, social engineering and malicious and negligent insider incursions as security threats that have been heightened with “a sudden work-from-home workforce.”
The financial industry has been forced to fast-forward telework arrangements for a wide and varied range of staff, from frontline employees who typically worked in the branch to top executives, who may need broad access to bank systems, data and files. For many financial institutions, who had up until recently allowed only a few select employees to work from home (or none at all), this sudden change has not only affected the logistics of their day-to-day banking business, but also how they handle information security across a distributed enterprise.
For banks, moving so rapidly to a remote workforce “has forced a refocusing on the need to secure endpoints including laptops and mobile devices that employees are using for work, whether company-issued or otherwise,” says Matthew B. Welling, counsel in Crowell and Moring’s privacy and cybersecurity and energy groups.
“Typically, organizations focus primarily on securing their company systems and networks, with those endpoints getting a secondary focus because they’re operating within the system and are protected by multiple layers of security built into company systems,” Welling continues. “Now, teleworking employees and their endpoints are outside the companies’ fences, and also outside of those layers of security.”
Take for example the State Bank Group, a $230-million-asset bank headquartered in Wonder Lake, Ill. With eight locations and 75 employees, President and CEO Michelle Toll describes her institution as “a very traditional community bank”—one that, until March, like many of its counterparts only had “a very small percentage of employees working from home periodically, no one on a regular basis.” Then with the onset of coronavirus concerns, in the space of just a few days the bank needed to rapidly move roughly 70 percent of its staff to remote working situations.
“We had to be able to quickly adapt because [before that]we had issued secure devices to connect remotely to probably 40 percent of the staff,” Toll says. What the State Bank Group had working in its favor: It had developed specific pandemic and business continuity plans prior to quarantine mandates and had begun using a virtual server and desktop environment more than five years ago, and implemented a more network infrastructure that Toll says allowed them to rapidly deploy more employee devices, test more effectively and secure disparate endpoints.
“The big thing was that we were able to respond quickly with training and processes to people who had never connected remotely before,” Toll says. She adds that these new arrangements did require more employee education on heightened threats, on use of bank-issued hardware and RSA secure tokens for using these more–secure devices to access the bank network.
Securing the unseen worker
For financial institutions that want to secure work-from-home employees, it is most secure to use either virtual desktop-server technology or virtual private networks for allowing access to internal networks, according to Jeremy Baumruk, director of professional services at Xamin, a managed IT and security provider which works with more than 50 U.S. banks, including the State Bank Group. Remote workers should also be using a bank-issued computer or mobile device in most cases, he adds.
“When an employee is using their own computer, IT has almost no control,” Baumruk points out. He added that aside from not having the appropriate endpoint security built in, including multi-factor authentication, IT security professionals cannot track whether these employee-owned machines are properly patched and if they have visited fraudulent sites or have viruses on them. Baumruk says his bank clients, like many other financial firms, have been aggressively educating staff on password education, patching and cyber-hygiene.
Before the pandemic shut down many workplaces and forced all but the most essential employees to work from home, only about 5 million people worked remotely in the United States (not including independent contractors or micro-businesses). For banks, contending with stringent privacy and security regulations and protocols surrounding access to internal information, permitting work from home arrangements has not been nearly as widespread as other sectors.
“In the remote workforce, the first area of focus needs to be your operational workforce and the first line of defense is to ensure operational compliance,” says Maria Schuld, division executive for FIS’s core and banking division. “In most cases, that responsibility falls to the people who are running the day-to-day operations because they are the ones that are interacting with customers and handling sensitive information.” With their own core processing clients, FIS can let banks set business rules and limits around every process and program, which will lock out remote as well as on-premise users if rules are not followed and require supervisory permission from compliance to proceed, Schuld adds.
Indeed, beyond just being able to connect securely, banks need to be able to insure that their employees have secure hardware as well—and the sudden shift to remote access has definitely created some short-term “equipment challenges,” says Emily Larkin, chief information security officer for Abrigo, a technology provider. “Institutions need to make sure employees have corporate–owned and managed devices, which are secured through corporate malware protections, vulnerability detection, AV, patching, and local firewalls,” she says, adding that they need to make internal applications available to external remote workers so they do not use their own uncontrolled equipment or applications.
Applications that historically have been protected by the nature of their architecture as internal enterprise applications are now being used outside that walled garden via internet access, Larkin explains. “That brings about a series of unknowns and potential unidentified application security vulnerabilities.” Banks may be forced to shortcut their hardening processes or ensure appropriate cybersecurity testing has been conducted on these apps, she adds.
A lack of availability to adequate VPN bandwidth and VPN licenses for employees have also been issues, according to both Larkin and Auger-Perreault. While many institutions scaled their connectivity infrastructure to allow a handful of remote users to log into the bank’s internal network at one time, their plans typically did not account for having to offer virtual private access to “the entire workforce” all at once, Larkin points out.
Dave McKnight, principal for digital security at Crowe, which ABA endorses for risk management consulting, breaks banks into three camps (based on how they have handled the abrupt move to distributed workers):
- Most big banks, with over $10 billion in assets, had a thorough, adaptable plan in place with enough equipment, bandwidth and VPN licenses to accommodate their pandemic reconfiguring.
- A second group has scrambled to quickly fill in the gaps, accelerating their use of cloud services, adding VPN licenses, bandwidth and hardware if necessary, to enable a secure remote workforce.
- Finally a third group of banks is allowing employees to access internal bank networks with their own PCs and mobile devices and use their own home internet access—essentially, to do their jobs any way they can.
“That last group is where the most risk exists right now,” McKnight says, adding that it’s a small group—roughly 20 percent of U.S. banks—and “getting smaller every day. These banks are mainly on the lower-end of maturity and typically under $3 billion in assets,” he adds. “And for them, it’s like the wild, wild west . . . they’re just reacting to a need.”
Managing risk on the rise
At Sheffield, Alabama-based Bank Independent, there was a business continuity and pandemic preparedness plan in place prior to the onset of COVID-19, says Penny Camp, the bank’s EVP and chief people officer. Of the bank’s 600 employees (including some branch staff), half were working from home by mid-April, using corporate-issued laptops and MFA keys to remotely access the bank’s VPN.
“It’s been working incredibly well,” Camp says of the move to remote work for employees at the $1.7 billion-asset bank.
But the changing working arrangement is not the only factor affecting employee risk during this quarantine time. Fraud historically increases during disaster-related events, and the COVID-19 pandemic is not an exception, notes Caroline Brown, partner in Crowell and Moring’s international trade and white collar practice groups and a former Treasury Department official. “Agencies such as the Treasury Department’s Financial Crimes Enforcement Network and the Office of Foreign Assets Control have issued guidance that makes clear that they expect financial institutions to remain vigilant against efforts by fraudsters and other bad actors to take advantage of the pandemic,” she points out.
According to recent Aite Group research, 94 percent of attacks on banks originate through phishing emails sent to employees. . “As soon as we move employees to remote connections, during a time of high stress, people are nervous and looking for news [about the pandemic and quarantine]and less likely to look closely,” says Steve Hunt, Aite’s senior analyst for cybersecurity.
Jamie Davis, VP for product management and quality control at Safe Systems, says financial institutions are seeing as much as a 500 percent increase in phishing attempts on customers and employees since early March. “They’re taking advantage of fear and people’s thirst for information,” Davis says. “COVID-19 has been a huge win for phishers.”
Added to this human factor is the fact that the technology used to distinguish “normal” employee behavior from the disparities that typically point out bad actors or fraudulent is not as effective when employee activity is far from normal—they’re logging in through different devices, potentially handling different tasks and perhaps working non-standard hours to accommodate home-schooling children or other WFH issues.
Hence, Hunt says, the machine learning or AI technologies, geo-location, IP or out-of-band authentication tracking or other cybersecurity measures based on gauging normal activity may be “thrown out of whack.” And bad actors are taking full advantage—anecdotally, Hunt says banks are experiencing three times as many cyber-attack attempts on their systems and their employees in recent weeks.
In the meantime, bankers are doing their best to get the word out to employees (as well as customers) about heightened risk for phishing and fraud scams, as well as to revisit education about good cyber-hygiene practices. The banks that have already implemented multi-factor authentication for employee access have an advantage, and more banks that do not have employee MFA have moved it to the top of their to-do lists.
Michelle Toll, like many ther top financial executives, is staying in touch with other bank presidents, tracking security risks as they emerge in this environment. “We hope that there is a heightened sensitivity for employees working from home, a sense of prudence about the risks,” she says.
Based in Washington state, Karen Epper Hoffman covers cybersecurity and bank innovation. Her reporting has appeared in American Banker, CSO magazine, CoinDesk, and other outlets.