Failure to overhaul cybersecurity for remote work creates regulatory risks
Firms scrambling to enhance their policies and procedures should focus on the three most common weaknesses — device security, software vulnerabilities and data privacy.
The Smarsh 2020 Annual Risk & Compliance Survey makes it clear that work-from-home models have become deeply entrenched in the wake of the Covid-19 outbreak. Seventy percent of the respondents said their organizations had moved primarily to such a model, while 86% within that group say more than three-quarters of their workforces have done so.
Never before have banks, broker-dealers, RIAs, insurance companies and hedge funds allowed such large numbers of employees to work off-site. This sudden shift produces not only an environment ripe for fraud and nefarious behavior, but it increases the likelihood of cybersecurity or compliance risks.
As a result, many firms are now scrambling to enhance their policies and procedures for dealing with these challenges. To play catch up, they should focus on the three most common weaknesses — device security, software vulnerabilities and data privacy.
During the pandemic, firms have largely adopted a bring-your-own-device (BYOD) policy for workers. This approach undoubtedly saves money and solves many of the logistical hassles associated with getting company-purchased laptops and smartphones to everyone who needs them. But it becomes a problem when those devices are used to connect to corporate servers without being encrypted, backed up or armed with malware detection. One misstep by a single user and it’s possible to give bad actors an access point to company assets.
Company-owned laptops and devices acquired specifically for in-office usage may also lack sufficient remote work controls. These include the ability for company administrators to wipe devices from afar instantly, block them from accessing servers, and track both the locations of all remote devices and the times when users access servers. All these features are necessary in case a worker decides to go rogue or a device goes missing.
The main software-related cybersecurity risks stem from storing work files on unprotected drives, connecting to corporate servers from unsecured home Wi-Fi networks, or using unapproved collaboration and messaging applications. The best way to prevent these problems is to develop explicit usage policies that address which devices and applications are approved and which are not. As an extra step, install software that automatically limits access. This way, users cannot violate cybersecurity protocols, either intentionally or unintentionally.
A remote work environment calls for cybersecurity platforms that test system vulnerabilities, detect server intrusions, remediate and update software, generate audit logs and enable administrators to implement hierarchical access rights. Operating without these tools all but invites trouble. In their absence, client data may fall into the wrong hands without financial firms learning about a breach until after it’s too late. This is precisely why regulators such as the Financial Industry Regulatory Authority Inc. and the Securities and Exchange Commission are scrutinizing firms’ cybersecurity posture.
The typical confidentiality-related cybersecurity risks come from workers sharing devices with their children or spouses, exposing sensitive or confidential information to guests in their homes, responding to email scams or posting confidential data on the web or social channels. Good cybersecurity platforms conduct awareness training sessions for workers about these issues. The best ones automatically create playbooks in response to violations.
Of course, some worker behaviors will go undetected. For example, there may be no way to know for sure if someone is reviewing personal information about clients while a guest walks over and looks at the screen. That’s why detailed, clear and, importantly, enforced policies and procedures are essential. This is the key to establishing cybersecurity best practices that become intertwined with a firm’s culture.
Financial firms that have fallen behind on cybersecurity can struggle with getting started on the road to improvement. Fortunately, solutions exist to help organizations monitor and address their cybersecurity risk posture across multiple threat vectors.
Based on Smarsh’s Annual Risk & Compliance Survey, the era of remote work is here to stay. Firms that delay ramping up cybersecurity protections do so at their own risk.
Stephen Marsh is founder and chairman of Smarsh, the global technology leader in digital communications compliance. Sid Yenamandra is CEO of Entreda, the cybersecurity solutions provider for wealth management firms that is a subsidiary of Smarsh.