Approaching Remote Worker Information Security From a Business Risk Perspective

May 19, 2020

Organizations of all types, including credit unions, are leveraging remote work environments more than ever.  The brick-and-mortar workplace, as many of us have known it, may never be the same.  Some large corporations have gone so far as to state that employees can work remotely indefinitely, raising more questions about what the future of work might look like.

As we’ve considered the various topics and decisions facing credit union management teams throughout the coronavirus pandemic, we at Rochdale Paragon have offered tools to help identify and assess the issues that warrant attention, outlined the implications of a remote work strategy, and discussed what returning to the office might entail.  In this latest discussion, we offer thoughts and ideas specific to the information security considerations of a remote workforce strategy.  Whether your plans include moving back to brick-and-mortar headquarters and branches in the near future, or you intend to take a slower approach and consider alternative work arrangements, there are information security considerations you should discuss around an increasingly large remote workforce.

None of our continuing responses to the current situation can prevent similar events from happening in the future.  However, enterprise risk management (ERM) processes and the proactive identification and assessment of various scenarios undoubtedly help ensure organizations are diligent in anticipating potential risks and better prepared to face issues should they arise.

Like Rochdale Paragon’s previous articles, the following risk assessment components are intended to provide ideas and direction for organizations to consider as they discuss information security risks associated with remote workers.  The list certainly is not exhaustive, but hopefully provides at least a starting point.  If your organization has any questions on the list below or ideas you are willing to share with others, please reach out to any of us at Rochdale Paragon.

RISK CONSIDERATIONS

Transaction Risk

  • Use of employee devices by family members and third parties to access credit union assets and member information
  • Audio conversations with members being overheard by third parties
  • Webinars with members being joined by third parties
  • Increased theft of member information by employees
  • Unsecured internet connections at employee homes
  • Unsecured or poorly configured Wi-Fi routers used by employees
  • Theft or loss of member information on paper documents in employee homes
  • Third parties coercing employees into stealing member information or initiating unauthorized transactions
  • Theft of mobile devices holding member information
  • Use of unapproved or unmonitored devices to access credit union applications
  • Increased exposure to malware (viruses, ransomware, and other malicious code) on PCs
  • Unauthorized administrative changes to remote devices and software
  • Employee browsing of high-risk web sites
  • Loss of credit union data stored on personal devices
  • Conversations being heard by other devices (e.g., Alexa, Google Home, etc.)
  • Increased exposure to phishing
  • Unsecured wireless peripherals (e.g., keyboards, mice, headsets)
  • Failure to apply patches as well as system and application upgrades
  • Sensitive information leaking over unauthorized Bluetooth connections to nearby hardware
  • Credentialing risk with remote workers (e.g., inability or failure to change passwords)
  • Use of unencrypted or unapproved channels (e.g., personal email, consumer messaging apps) to share information
  • Challenges in responding to cyber incidents with remote workers

Like the items outlined above, the possible responses described below are intended to provide ideas that organizations should consider specific to their individual situations.

RESPONSE CONSIDERATIONS

Transaction Risk

  • HR background checks on prospective employees
  • Cyber and bonding insurance appropriate for increased remote working
  • Internal Audit reviews of activity in employee accounts
  • Third-party information security reviews
  • Remote working only allowed for well-tenured employees
  • Mandatory five consecutive business day vacation policy
  • List maintained of hardware used by remote workers
  • List maintained of software on remote devices
  • Vulnerability, patching, and application update tools
  • Intrusion detection software
  • User access restricted to lowest possible levels
  • Periodic review and approval of user permissions
  • Restrictions on users making changes to devices
  • Reviews of user logs to detect suspicious activity
  • Email and web browser DLP software
  • Antivirus/anti-malware software on devices
  • Port, protocol, and service restrictions on remote devices
  • Automatic backups of remote devices
  • Tested processes to recover data from backups
  • Restrictions on sites and applications that users can access from remote devices
  • Encryption of data in transit and at rest
  • Restrictions on user access to internal shared drives
  • Home Wi-Fi routers configured with strong administrative passwords and current wireless encryption (WPA2 or WPA3) with strong passphrases
  • Mandatory employee info sec training
  • Employee phishing testing
  • Security and updating standards for remote applications
  • Tested incident response process
  • Penetration testing by a third party
  • Prohibition on voice-activated devices near workstations
  • Multi-factor authentication for critical applications
  • Training for proper information security hygiene of personal devices used to access systems
  • Central coordination and support for video conference software
  • Assurance that employees have non-expired, valid credentials
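Several of the responses above (the maintained hardware list, reviews of user logs to detect suspicious activity, and a tested incident response process) come together when someone actually reads the remote-access logs.  The following Python script is an added example for this article, not Rochdale Paragon's code or part of apogee iQ: it checks remote-access authentication events against an inventory of approved devices and flags logins from unlisted devices, successful logins outside business hours, successful logins from two different countries within a short window, and runs of failed logins.  The log format, field names, asset tags, business-hours window, and thresholds are assumptions chosen for the illustration, and the sample log lines are constructed, so the script runs offline.

```python
"""Review remote-access logs against the remote-worker hardware list.

Added example for this article, not Rochdale Paragon's code. The log format,
field names, device tags, business-hours window and thresholds are assumptions
chosen for the illustration; the sample log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for the "list maintained of hardware used by remote
# workers": user ID -> set of asset tags approved for that user.
APPROVED_DEVICES = {
    "jsmith": {"LT-0412"},
    "mchen": {"LT-0377", "LT-0390"},
    "rpatel": {"LT-0401"},
}

# Assumed log line format (one authentication event per line):
#   <ISO-8601 timestamp> user=<id> device=<asset tag> src_country=<code> result=<ok|fail>
# The lines below are constructed for the example, not real log data.
SAMPLE_LOG = """\
2020-05-18T08:02:11 user=jsmith device=LT-0412 src_country=US result=ok
2020-05-18T08:05:40 user=mchen device=LT-0377 src_country=US result=ok
2020-05-18T08:06:02 user=rpatel device=HOME-PC src_country=US result=ok
2020-05-18T09:15:00 user=mchen device=LT-0390 src_country=RO result=ok
2020-05-18T23:41:27 user=jsmith device=LT-0412 src_country=US result=ok
2020-05-18T23:42:00 user=jsmith device=LT-0412 src_country=US result=fail
2020-05-18T23:42:30 user=jsmith device=LT-0412 src_country=US result=fail
2020-05-18T23:43:05 user=jsmith device=LT-0412 src_country=US result=fail
"""

BUSINESS_HOURS = range(7, 20)        # assumed: 07:00 to 19:59 local time
TRAVEL_WINDOW = timedelta(hours=2)   # assumed: two countries within 2h is suspicious
FAIL_THRESHOLD = 3                   # assumed: flag the third consecutive failure


def parse_line(line):
    """Turn one log line into a dict; key=value fields keep their names."""
    timestamp, *fields = line.split()
    event = {"ts": datetime.fromisoformat(timestamp)}
    for field in fields:
        key, value = field.split("=", 1)
        event[key] = value
    return event


def review(log_text, approved=APPROVED_DEVICES):
    """Return a list of (finding, user, detail) tuples for an analyst to triage."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    events.sort(key=lambda e: e["ts"])
    findings = []
    last_success = {}                 # user -> (timestamp, country) of last successful login
    fail_streak = defaultdict(int)    # user -> consecutive failures since last success

    for e in events:
        user = e["user"]

        # Unapproved or unmonitored device: asset tag not on the user's hardware list.
        if e["device"] not in approved.get(user, set()):
            findings.append(("unapproved_device", user, e["device"]))

        if e["result"] == "ok":
            # Successful login outside the assumed business-hours window.
            if e["ts"].hour not in BUSINESS_HOURS:
                findings.append(("after_hours_login", user, e["ts"].isoformat()))

            # Two successful logins from different countries within TRAVEL_WINDOW.
            prev = last_success.get(user)
            if prev and prev[1] != e["src_country"] and e["ts"] - prev[0] <= TRAVEL_WINDOW:
                findings.append(("impossible_travel", user, f"{prev[1]}->{e['src_country']}"))
            last_success[user] = (e["ts"], e["src_country"])
            fail_streak[user] = 0
        else:
            # Run of failed logins (possible credential guessing or a coerced user).
            fail_streak[user] += 1
            if fail_streak[user] == FAIL_THRESHOLD:
                findings.append(("repeated_failures", user, f"{FAIL_THRESHOLD} consecutive"))

    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

Run against the constructed sample, the script raises four findings: rpatel signing in from a personal PC that is not on the hardware list, mchen appearing in two countries 70 minutes apart, jsmith signing in near midnight, and three consecutive failed attempts on jsmith's account.  A real VPN or identity-provider export will use different field names and time zones, so the parser and the business-hours window need adapting, and each finding type should map to a step in the tested incident response process so that a flagged event has an owner.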

Regarding remote workers, it is important to engage your information security and risk management teams to ask the right questions and consider all relevant information to make the best decisions possible on the risk and reward trade-offs of the remote work arrangements.  Our continued hope is that this information will help position you and your organization for a safe and prosperous working environment, regardless of your decisions related to work locations.

We currently are developing a new module in apogee iQ™ to assist credit unions in improving their operational and compliance risk assessment capabilities, and making their processes easier and more efficient. In addition to providing a variety of process, product, project, and compliance-related risk assessment templates and reporting, it will include various calendar and workflow functions to help manage the overall risk assessment process. We expect to release this new module later this year and, in the meantime, our commitment is to do all we can to provide you with the tools your organization needs to maintain a robust risk program. Thus, we’ve made an Excel risk assessment tool with the information discussed above available within the apogee iQ software tool.

If you have any questions regarding the above information or there is any way we might be able to assist you, please don’t hesitate to reach out.  Also, be sure to visit the Rochdale Paragon blog at https://rochdaleparagon.com/insights/ for more information and insights on ways to better manage through the crisis.