Financial Services
Cybersecurity in the Age of COVID-19: Protecting Your Distributed Workforce and Preparing for the Future
Over the past six months, the cybersecurity landscape has undergone a seismic shift. Nearly overnight, corporate network perimeters expanded to include employees’ homes, new virtualized infrastructures and far more widespread usage of cloud applications. New challenges emerged. From how to keep newly remote teams engaged and collaborating productively to how to repair devices when many IT service providers weren’t able to offer field support, there were far more questions than answers.
By now, we’ve begun to adjust to this so-called “new normal,” and alternative investment firms are beginning to look to the future. A clear majority of employed Americans worked from home during the global pandemic, and 80 percent report that they enjoyed the experience. 69 percent say they were at least as productive if not more so when telecommuting.
From Google and Facebook to small asset managers seeking to reduce the expense of renting office space in dense urban centers, many companies will never return to the ways of working they’d adopted prior to the pandemic. Some will reopen their offices but continue to rely on more flexible hybrid infrastructures and agile business processes in order to be better prepared to weather upcoming uncertainties; others may permit or even encourage increasing numbers of employees to telecommute while they maintain physical workspaces.
This means that the security concerns that arose during the initial lockdown period are being supplanted with more complex, longer-term questions. Microsoft Teams, for example, had 25 million users in March, and by late May this number had soared to 75 million. Such a rapid transition to a distributed workforce simply couldn’t have been accomplished without the cloud, but many cloud services are thin on security features, especially if default configurations are applied. And many users simply haven’t been educated on how to work securely from their home networks, how to evade phishing attacks, or how to follow best-practice remote access protocols. It’s also unclear what kinds of regulatory changes the global financial services industry can expect to see in the months and years to come.
What’s needed is increased attention to building resilient infrastructures that can stand up to the ongoing change that likely will be the only constant in tomorrow’s distributed and hybridized world. Security must become multi-layered, user education must become ongoing, and compliance must shift from preparation for a point-in-time certification to proof of diligence over a longer period through continuous logging and configuration management. It’s challenging to design and implement security plans that allow users to work from home safely without adding roadblocks or inhibiting their productivity, but it can be done.
Let’s take a closer look at what securing cloud-based environments in the “new normal” will entail.
Multi-layered security will become essential.
No single physical or logical access control measure is adequate to secure today’s complex, perimeter-free computing environments. Multi-factor authentication (MFA) can be circumvented by a determined attacker or foiled by a careless user’s thoughtless click on a text notification. Even the most complex passwords can be compromised in brute force attacks. And remote desktop protocol (RDP), often thought to be highly secure because it doesn’t allow files to be downloaded or executed locally, has recently been used as a vector for ransomware attacks.
Multi-layered security relies on redundancy to extend coverage from the endpoint to the cloud with consistent rigor. Multiple security measures should be configured to control access across every entry point into your cloud environment. This includes conditional access policies that ensure that passwords are complex and are changed regularly. It should also include MFA as well as blocking of unauthorized applications and unregistered devices. Device registration allows you to ascertain that all patches for applications and operating systems (OSs) are up-to-date on end user devices before they’re permitted to connect to corporate resources.
Solutions like data loss prevention (DLP) or properly configured remote access protocols can automatically block copy/paste, printing or file transfer from in-office computers or corporate virtual machines to end users’ personal devices. And containerization can greatly increase application-level security.
Here at Thrive, we designed our CyberSuite service portfolio with the specific needs of alternative investment firms in mind. We understand what it takes to secure data and assets, and know how to bolster investor confidence, ensure regulatory compliance, and provide peace of mind. Our cybersecurity consulting and solutions have always been grounded in a multi-layered approach, which has long been a best practice in information security. Today, it’s imperative.
User education will become an ongoing process.
No matter how comprehensive and robust your policies and security controls, your financial firm will remain vulnerable as long as your employees don’t know how to use systems properly or can’t recognize the signs of an attack. Human error remains the second leading cause of disruption to cloud services, and is often the enabling factor that permits malicious activities to succeed.
Security awareness training programs can do a great deal to close this gap. If your hedge fund, private equity firm or other alternative investment firm adopted new cloud applications or altered remote access or authentication procedures during the unexpected shift to remote work, it’s especially important to educate your users on security best practices for unfamiliar tools and solutions.
The best cybersecurity education programs incorporate a variety of mediums and methods (videos, email reminders, test “phishing” attempts, etc.) to boost end user engagement and encourage long-term retention of the material. Training should be ongoing and provide additional reinforcement to employees who struggle.
Organizations will move beyond point-in-time compliance.
In the wake of the COVID-19 pandemic, regulators around the globe have had a range of different responses. In the U.S., the Securities and Exchange Commission (SEC) hasn’t pushed out any new rules yet, while the Cybersecurity and Infrastructure Security Agency has updated only their Office 365 security recommendations. In the U.K., the Information Commissioner’s Office (ICO) has updated its guidelines for data storage in contact tracing applications as well as on customer log retention. More frequent advisories and notifications have been issued, with a particular emphasis on security awareness training for employees.
Going forward, regulators anticipate an increase in the number of organizations adopting 100 percent remote work models. The likely responses will include changes in audit processes to better support virtual auditing and a shift in emphasis from point-in-time certifications to more longer-term oversight to ensure that processes are adequate and there aren’t gaps in due diligence. A more modern approach to risk management will attempt to mitigate vulnerabilities iteratively on an ongoing basis rather than merely preparing for audits since this emphasis results in more robust security overall.
We’re proud of the early and frequent successes we’ve had in helping our clients navigate the transition to distributed workforces with ease. Our field engineers continued to provide vital on-site support throughout the lockdown period, and our 24x7x365 help desk maintained its commitment to industry-leading white glove customer service for clients around the globe. The agile, diverse and highly customized cloud solutions we create for CloudSuite Platform clients made the adjustment smoother, easier and more secure.
We see these successes as a harbinger of things to come. As we look to the future, we see alternative investment firms not just surviving but thriving as they support fully or partially remote work environments. We know that many challenges are still to come, and we look forward to partnering with our clients to overcome them together.
Would you like to learn more about how cybersecurity risks are evolving in tandem with the transition to remote work? Our subject matter expert for Cloud Architecture and Security, Michael (MJ) Laudenslager, teamed up with a group of leading experts from Thrive our partner, eSentire, to present an informative panel discussion on the future of security and regulatory compliance in the cloud.
View the panel discussion now: Digital Distribution and the Regulatory Landscape: Key Learnings and the Path Forward.
Participants include UK Information Security Manager Ian Bowell at Thrive, Christopher Tiu, Managing Director and Head of Asia Pacific at Thrive, Chris Bradden, Vice President of Global Channels and Alliances at eSentire, and Eldon Sprickerhoff, Founder and Chief Innovation Officer at eSentire.