When widespread shutdowns forced an overnight shift to remote work, financial services companies made rapid-fire adjustments to their tech stacks to keep teams up and running. Many of these changes, however, were designed to be temporary. More than a year later, as offices reopen and many organizations adopt long-term hybrid work models, companies should act now to assess the changes they made—and ensure that their software and systems are secure today and into the future.
Even when changes were made as securely as possible, remote connectivity introduced risks that simply weren't there previously in the financial services industry, which has historically leaned heavily on protective measures like physical protections, firewalls and network segmentation. The use of noncorporate assets surged to enable remote workers, while firms struggled to provision, patch, update and manage mobile devices and laptops centrally for a remote workforce, increasing the threat posed by ransomware, credential theft and other cyberattacks.
It's clear now that the move to remote work or hybrid remote work is not a short-term work style. Nine in 10 executives envision a hybrid model going forward, according to research by McKinsey, and most employers expect their employees to be on site between one and four days a week. In the financial services industry in particular, nearly two-thirds of employees say they would prefer a blend of home, office and remote work, a recent survey found.
Given this long-term outlook, financial services firms need to take steps now to secure their systems for the future. Here's how:
Step one: Understand what systems were affected
Many financial services organizations may find that they don't even know what networks and systems were opened, modified, augmented or changed during the pandemic. That's why a good first step is for the CISO or CTO to make a thorough assessment. Which of your systems did you change, both in terms of what could connect with them and what they could talk to? You may find that you don't know what you don't know. If that's the case, start with your most business-critical systems.
Step two: Understand how the systems were affected
Most organizations found that the shift to remote work necessitated adding remote access where it didn't exist before. With each of the systems you are assessing, what was changed related to access, identity and encryption? Did security protections change to facilitate a remote workforce or are there new systems connecting? Do the changes meet your current security needs, and are there processes and access still in place that are operating under an exception to your security policy?
Step three: Decide what you want to do about it
You may find that all of your systems are secure, that there are risks you're willing to accept, or that you need to remediate what you put in place during the pandemic. Remediation doesn't necessarily mean going back to the old setup; rather, it's about adapting your new configurations to meet pre-pandemic security requirements, for example by putting in new controls, improving security, implementing two-factor authentication or removing technology altogether.
For many organizations, the decision of how to proceed hinges on their risk profile. Are you trying to protect against a remote unknown adversary, an internal actor such as a contractor or a rogue employee, or IT administrators within your organization? Each presents a different threat and necessitates a different set of security precautions. How you design systems depends on what you're most worried about as an organization—and the risks you are willing to accept.
How to adapt existing cybersecurity infrastructure for hybrid workforces
Although each organization is unique, there are some functions that are commonly affected by remote connectivity in the financial services industry:
- Secure identities: Organizations can use certificate-based identities, tokens or multi-factor authentication to ensure that remote workers are connecting securely—and that the people connecting to systems are who they say they are.
- Secure network communications: Financial services firms that had to open their networks to enable remote access can use encryption tunnels such as IPsec (a protocol suite that enables one computer to talk to another over an encrypted tunnel) to enable devices to communicate more securely.
- Device management: The first line of defense against any cyberattack, including ransomware, involves making sure that systems are managed, updated, patched and protected with antivirus software. Additionally, consider implementing a device management solution like Microsoft Intune, AirWatch or MobileIron to ensure that all devices are up to date. Make a long-term plan for how your organization will update and refresh remote workforce devices as well as provision and send devices to new employees.
- Remote access and security: Financial services firms that previously relied on physical controls and firewalls to isolate network segments can leverage solutions such as bastion hosts to proxy access into secure payment processing networks.
Remote work, in one form or another, is here to stay. There's no such thing as a perfectly secure system, at least not one that functions, but by taking a pragmatic approach to network connectivity and security, balancing workflows with the risks the organization is willing to accept and designing systems accordingly, financial services firms can make their systems more secure for long-term hybrid work.