by Paul Smitherman
6 recommendations to mitigate information security risks in Financial Services
We’ve all heard stories in the media over the last few weeks about how cyber criminals are taking full advantage of the confusion and fear around Covid-19.
Google are blocking 18 million coronavirus scam emails every day. Personal and business users alike are being targeted with emails asking us to click on false updates about Covid-19, from requests for donations to fake vaccines to fraudulent sales of face masks and HMRC tax rebates. Large organisations are not immune: fraudulent Covid-19 update emails apparently sent from the World Health Organisation (WHO) led those who clicked through to unwittingly have malware installed on their device.
All these clicks will deliver ransomware and infect your device, costing you or your organisation time and money. What can you do to protect your employees and your business from phishing and other cyber-attacks? Answer these questions to determine how safe your business is when your employees are working remotely:
Is increased remote working exposing your business to risk?
As remote working has ramped up, so too has your potential exposure to cyber-attack. It’s likely that many of your end users will be working from untrusted home networks, outside the safety of the corporate firewall, connecting from their own devices and less aware of security risks.
Has security become an afterthought as you scramble to deliver remote working tools?
The IT department is under massive pressure to deliver the latest remote working tools to employees quickly, so you may not have given the right level of thought to the security risks. Maintaining strong authentication, audit trails, access control and control over data sharing features is critical in Financial Services.
It’s very likely that your users are already using a variety of apps and workarounds to do their job from home without any security wrappers. If you don’t give them a tool, they may have already downloaded a free trial of Zoom or Skype for their business meetings. Only last week, when criticised for using Zoom and publicly displaying their IDs, the UK Government responded that it was the quickest way to get teams together from multiple departments who were all using different conferencing facilities from their homes.
Is there risk of corporate data loss or transfer onto your employees’ personal devices?
With more personal devices than ever currently being used for business purposes from remote locations, there is an increased chance of corporate data loss. Personal devices are by their nature less secure because they are not managed, so there is a much higher risk that your corporate data could end up on one of those personal devices, compromising its security.
Our top 6 recommendations to secure your remote users
If you checked yes to some or all of the questions above, then here are our six key recommendations to help your financial services business move forward in a more planned and secure way:
1. Increase your users’ awareness training with dummy COVID-19 phishing testing
Build your users’ awareness with phishing training and carry out more frequent penetration testing to fill knowledge gaps. Train your users to spot fraudulent emails that are specifically based on COVID-19 campaigns, and communicate guidelines.
2. Deploy virtual desktop technology where possible on users’ personal devices
We know many of your users will inevitably be working from non-corporate personal devices. Our best advice is to get your users onto virtual desktop technology which leaves no corporate data on their device. We’re seeing an increase in take-up of Microsoft Azure Virtual Desktop in the cloud which helps deliver apps and data securely to personal devices. With virtual desktop technology, it doesn’t matter if the personal device is compromised because data is never downloaded onto the actual device.
3. Maintain good preventive security controls with a basic checklist
Most cyber security breaches are down to people getting the basics wrong. Your checklist should cover password management, anti-virus, web filtering, dual-factor authentication, an intrusion prevention system, a test backup and mobile device encryption. Check in regularly with this list of basic security controls to ensure they are acted upon across your users’ devices.
4. Conduct a security assessment on any new collaboration tools
New collaboration tools straight out of the box are not automatically secured or configured in line with your corporate security policies. It’s important that your internal security teams carry out a security assessment on any new tools, such as Microsoft Teams, before they are rolled out to your remote workers. Your use case might be just to use Teams for video collaboration, but unless it’s secured correctly you will have allowed your users to collaborate on documents and more in the cloud.
5. Update your Security and Acceptable Use Policy
Does your Acceptable Use Policy comprehensively cover your remote users? If not, then now is the time to review and update it. Items to consider include client confidentiality, unauthorised access arrangements to client data and how to access corporate documents and files. Without this you have little protection from an HR perspective, as users will not have been informed of what they can or cannot do.
6. Ensure your remote users are well serviced by IT support
Ensure your IT department is adequately equipped to support your users remotely in their homes and address any security incidents relating to logins on untrusted devices. Ask your IT team to carry out basic security assessments on your staff’s personal devices, such as whether their anti-virus software is up to date, if they are using an unsupported operating system or if they have Windows installed. There are various tools which can automate this.
Secure your remote workers with confidence
We want you to have the confidence to know your remote users are working securely.
If you have concerns that remote devices may be compromising the integrity of your data or your business, or have any other remote working challenges, please get in touch now. We’d be pleased to help and advise you on a positive way forward.