2020 was a year like no other in recent memory. For years, regulators have required that annual risk assessments include rating the risk of pandemics … now we know why. Banks, like all businesses were largely caught by surprise with minimal plans in place when the shutdown happened. Banks are required to provide essential services to their communities, but also required to protect the health of their employees and customers.
Like many essential businesses, banks turned to a work-from-home model when circumstances permitted.
One surprising discovery from this year is that working from home … works! Brick-and-mortar is not as important as it once was for the service industry. The right technology has peaked at the right time with readily available high-speed home internet allow ready connectivity. Zoom, Teams or other conferencing software permit face-to-face communication with co-workers and clients, and available secure VPN and multi-factor authentication tools can help ensure security over the internet.
Most banks already had some level of web or mobile banking, ATM networks, bill payment and other hands-off technology in place. The forced closure of lobbies and social distancing measures helped reinforce the importance of that technology to modern banking.
We live in a world where technology makes working from home not only possible, but efficient and easy for many workers. It can continue to be a great option for banks, not only in an emergency, but every day if all the risks are identified and controlled. Most banks have proved that they are well equipped to handle pandemics or other natural disasters in the future.
But working from home, and the existence of the virus, increase cybersecurity risk as well. In addition to the risk of viral infection, banks were at much greater risk of malware infection in 2020. The Boston Consulting Group in 2019 found that banks were 300 percent more likely to suffer cyber-attacks than the average for all industries. VMWare’s Carbon Black Cloud further found attacks on banks and other financial institutions spiking an additional 38 percent in February and March alone and accounting for 52 percent of all observed attacks.
They stated that “cyber criminals often exploit fear and uncertainty during major world events by launching cyber attacks. These attacks are often performed with social engineering campaigns leveraging malicious emails that lure victims to install malware that steals financial data and other valuable personal information or, in some cases, turns a user’s computer into a crypto-mining zombie.”
Another group, ZeroFOX found that cyber scamming incidents have increased by 519 percent in 2020 compared to last year, including a 423 percent spike in scams targeting financial services.
While attacks on banks increased, working from home also has the potential to increase risk. Networks in bank offices are strictly controlled with strong firewall rules, web access controls, system logging, security event detection, antimalware, wireless restrictions and policies to prevent unmanaged devices on the network. A home internet connection is generally set up with minimal security controls and could be providing a shared network for phones, home computers, gaming stations, doorbells, thermostats, security systems, garage door openers, refrigerators, smart speakers, televisions, light bulbs and dozens of other possible smart devices, all which could potentially provide a route for infection.
Banks in 2020 have had to treat home workers as part of their extended network and extend cybersecurity controls and management outside of traditional bank walls.
Federal regulators recognize the increased risk to cybersecurity in 2020 as well. The new cycle of exams and InTREX document requests have added a new level of scrutiny on protections against cyber scams, malware and authentication for remote workers. They recognize that no institution, no matter how small or technologically limited is immune from the threat of ransomware.
In 2020 the program has adopted a focus on the five basic controls established by the Center for Internet Security. These controls are:
- Inventory and control of hardware assets (How do you manage and allow only authorized devices?)
- Inventory and control of software assets (How do you assure that only authorized applications are allowed?)
- Continuous vulnerability management (Once a year vulnerability scans are not enough!)
- Controlled use of administrative privileges (How do you know when admin accounts are established and used?)
- Secure configuration for hardware and software on all devices (Have you established and enforced standards for “hardening” on all devices?)
What lessons can we take from 2020 to ensure safe and secure operations in the future?
- Work from home and extended networks are here to stay.
- Risk and vulnerability assessments must include the new extended networks including home workers.
- New tools and new controls must be put in place to meet both the increased risks from extended networks and the ever-increasing rate of attacks.
- Secure the home network.
- Secure all remote devices.
- Keep up the security awareness training and phish testing.
- Add multi-factor authentication for all network access.
- Add tools to help you monitor and alert to any unusual activity and all administrative activity.
- Conduct frequent internal and external vulnerability scans.
2020 may have been a new and unique experience from recent years, but it may also be a harbinger of the future. Take the lessons of the Year of the Pandemic to heart and prepare for a safe and secure future.
Mike Gilmore is the chief compliance officer of RESULTS Technology and a Certified Information Systems Auditor with more than 30 years’ experience in the banking industry. RESULTS Technology provides IT services to community banks across the Midwest. In his role as CCO, Mike provides compliance and risk assessments, audit and exam support and policy documentation. He can be reached at [email protected]