Forcing vast swathes of the population to work from home has created a range of new cyber vulnerabilities, which banks need to be on top of to buttress their operational resilience.
As authorities grapple with the Covid-19 pandemic, unprecedented measures have been implemented which could last for months. Across the world, companies have had to rapidly redeploy entire workforces to work from home, presenting a range of security risks.
Banks face additional security challenges, as they adjust to servicing customers and clients without face-to-face interaction, and new mitigation actions may be needed to counter the cyber vulnerabilities this new way of working represents.
What are the risks?
As many countries move into a state of near-lockdown, the challenges faced by banks fall into three categories:
The vulnerabilities in home working
Many cyber security attacks are designed to exploit specific vulnerabilities, and banks sending upwards of 95% of their global employees to work from home for months creates a threat window. One risk is the loss of cyber ‘nudges’: subtle techniques such as posters and ID badges that banks use to steer employees away from risky behaviours, and which often rely on employees spending the majority of their time in the office.
Working from home also increases the likelihood of phishing emails succeeding, because employees aren’t surrounded by colleagues who can confirm they received the same email or help judge whether it is genuine. Junior staff working in shared households may crowd around tables, sharing or overhearing sensitive information. As restrictions on home working lift, people may seek a change of environment and begin working from cafes, leading to insecure connections. In their efforts to collaborate more conveniently, people may download unauthorised third-party software or begin using personal devices for work, increasing the risk of data loss.
Attackers can capitalise on these risks, as they know that people aren’t surrounded by colleagues and reminder nudges and may be seeking to cut corners around inconvenient security controls.
More opportunities for fraud will arise, as banks are invited by financial regulators to adjust existing controls that prevent identity theft. In order to meet the demands of ‘customers at home’, regulatory bodies are relaxing some of the stringent controls applied when processing financial transactions for businesses and individuals. For example, “Know Your Customer (KYC)” requirements are likely to be diluted, as traditional KYC checks rely on in-person validation of identity documents. Whilst some banks are implementing digital identity confirmation, such as the UK government’s Verify service, it is not widely used.
In addition, with staff no longer present in most branches, there is increased pressure on call centres. Call centres, which are struggling to maintain staff levels, are now required to process security checks at unprecedented levels, which increases the likelihood of less experienced or untrained call handlers making mistakes.
Lower supplier resilience
Another risk to be considered is the resilience of third-party security suppliers and vendors, on whom banks rely for various components of their security software and information management. Many security technology companies are small, specialist providers and are likely to suffer from cashflow issues as a result of slowed or paused payments from customer banks, as well as a drop in onboarding new customers. Small firms will also suffer more from staff being unable to update and maintain security software which, when provided as a service (SaaS) to banks, may lead to failing components. Even a temporary failure of a supplier of that nature could lead to cyber-attacks going undetected.
Traditionally, banks have taken a top-down approach to assessing their suppliers, examining them in order of contract value. They now need to carry out a bottom-up review to ensure that critical suppliers have not been overlooked.
The current situation is a timely opportunity for banks to verify their cyber resilience and business continuity plans, taking into account their “new” ways of working. Although it may appear counter-intuitive, it is important for banks to understand how they would cope with a cyber-attack, such as ransomware, under current circumstances. They should consider at least a virtual table-top scenario exercise, now or in the coming weeks, to test whether their cyber plans remain valid.
Balendra Elangco and Luke Vile are cyber security experts at PA Consulting