Few companies have had a viable alternative to remote working during the COVID-19 lockdown, but most sectors have been surprised by how easy and how effective this change to home working has been. As the lockdown begins to ease, many are looking at how they can maintain the benefits of this new approach in the long term.
An uptake in remote working presents new opportunities for firms across the financial services sector. With more people working from home in the long term, firms can reduce their physical overheads, and attract top talent from further afield.
Remote working means new challenges
The greater flexibility that comes with remote working is also good for employees, as it promotes a healthy work-life balance. And the environmental benefits from an end to commuting can help the UK meet its reduced carbon targets.
Remote working, however, brings new challenges, and you need to adapt your cyber security safeguards to take account of this. This is particularly true in the financial sector, where outages are especially damaging: they can cause widespread economic harm and affect individual customers. Good operational resilience is vital, regardless of whether your people are working remotely or on-premises, and your cyber security framework should reduce the potential for outages and help the firm bounce back to business as usual.
Your new remote working cyber security framework should broadly cover three areas:
Remote workers will not have the same support as they did from an on-site IT support team, and most home networks will not have the same security configurations or robust safeguards in place as an office environment.
Offering additional training and raising awareness of your remote working policy will promote cyber vigilance for those working from home. Ensure your workers are aware of the importance of following procedures.
Key considerations for remote working:
- Is there a clear process to continuously monitor infrastructure performance, such as VPN connections, laptops, bandwidths or security tokens?
- Is your IT support team adequately resourced and trained to accommodate an increased number of requests?
- What measures are in place to safeguard personally identifiable information, considering data security, fraud and cyber security?
- Are all devices, including employees' own, secured with strong passwords and updated firmware/software?
- Is your cyber security training current and clear in employees' minds, and are clear protocols in place for if suspicious activity is detected?
Good cyber security leads to good cyber resilience. If a cyber incident does happen, good cyber resilience keeps firms functioning and minimises the impact. This is critical for financial firms’ operational resilience frameworks, particularly when remote working is the norm.
Cloud storage is a key element of both business and cyber resilience processes, but greater reliance on cloud services needs additional security safeguards.
For a start, check if sensitive data is held in the cloud. Confirm the data is held securely and that the vendor is managing their risks appropriately. Vendors, consultants or other personnel may have access to cloud data, and you should ensure proper steps are being taken to keep your data safe.
Your internal audit team may want to evaluate cloud programmes, and most firms have the contractual right to audit the firm’s cloud data and the interfaces between its web applications.
Other items to consider for ensuring remote working cyber resilience:
- What is the review cycle for contracts with business resiliency partners and how are vendors and emergency responders currently engaged?
- Are there business-critical processes or activities that will have regulatory implications if changed or disrupted?
- If there are business-critical activities that are automated, do you have the resource and ability to perform them manually?
- Are you assessing the ongoing effectiveness of supply-chain cyber security requirements for your business and third parties?
- Is there supplier attestation in place on controls for logging, patching or multi-factor authentication?
- Can you cope with staff absences or lack of access due to connectivity or bandwidth issues?
Despite all the planning and preventative processes in place, cyber incidents occasionally still happen. Effective cyber incident management, combined with good resilience, can reduce the impact and help keep your new remote working processes on track.
While the current circumstances have shown that remote working is effective and relatively safe, there are still some risks to consider.
In the office, shredding bins are readily available, printers have individual logins, and employees generally use managed devices. Protecting data in your employees' homes while they're remote working is still possible, but requires some new processes and measures.
Be sure to answer the following questions in your remote working policy:
- If people are using personal devices, are they saving work information to the cloud and avoiding using their personal computer for storage?
- Do people have somewhere at home to make sensitive phone calls?
- Are screens or papers visible to others in the household?
- Have work-related papers been stored securely and shredded, if no longer needed?
- Are cameras and microphones disabled when not in use?
- Have the rules around encryption and data sharing been applied?
Cyber resilience for the new normal
Effectively managing information security, data protection and cyber resilience processes can support your business while your employees are remote working during lockdown. But looking across these three strands, lessons learned now can help businesses prepare for a shift in working patterns in the long term.
By: Manu Sharma, Partner, Head of Cyber Security and Resilience at Grant Thornton UK