Reporting and Governance

Forcing vast swathes of the population to work from home has created a range of new cyber vulnerabilities, which banks need to be on top of to buttress their operational resilience. By Balendra Elangco and Luke Vile, cyber security experts at PA Consulting

As authorities grapple with the Covid-19 pandemic, unprecedented measures have been implemented which could last for months. Across the world, companies have had to rapidly redeploy entire workforces to work from home, presenting a range of security risks.

Banks face additional security challenges, as they adjust to servicing customers and clients without face-to-face interaction, and new mitigation actions may be needed to counter the cyber vulnerabilities this new way of working represents.

What are the risks?

As many countries move into a state of near-lockdown, the challenges faced by banks fall into three categories:

  • New cyber threats emerge that take advantage of potential vulnerabilities in work-from-home policies, technologies and cultures.
  • Existing measures to prevent and identify customer and employee cyber-enabled fraud become less effective, because they rely on in-person controls.
  • Small to medium-size organisations that provide critical components of banks’ security ecosystem cease to function or go bust due to cashflow issues.

The vulnerabilities

Many cyber security attacks are specifically designed to target possible vulnerabilities, and banks sending upwards of 95% of their global employees to work from home for months creates a threat window. One risk is the lack of cyber ‘nudges’: subtle techniques employed by banks, such as posters and ID badges, that guide employees away from risky behaviours, and which often rely on employees spending the majority of their time in the office.

Working from home also increases the likelihood of phishing emails being successful, because employees aren’t surrounded by colleagues who can attest to receiving the same email or provide a check on its potential validity. Junior staff working in shared households may crowd around tables, sharing or overhearing sensitive information. As restrictions on home working lift, people may seek a change of environment and begin working from cafes, leading to insecure connections. In their efforts to collaborate more conveniently, people may download unauthorised third-party software, or begin using personal devices for work, leading to an increased risk of data loss.

Attackers can capitalise on these risks, as they know that people aren’t surrounded by colleagues and reminder nudges and may be seeking to cut corners around inconvenient security controls.

Cyber-enabled fraud

More opportunities for fraud will arise, as banks are invited by financial regulators to adjust existing controls that prevent identity theft. In order to meet the demands of ‘customers at home’, regulatory bodies are relaxing some of the stringent controls that govern the processing of financial transactions for businesses and individuals. For example, “Know Your Customer (KYC)” requirements are likely to be diluted, as traditional KYC checks rely on in-person validation of identity documents. Whilst some banks are implementing digital identity confirmation such as the UK government’s Verify service, it is not widely used. In addition, with staff no longer present in most branches, there is increased pressure on call centres. Call centres, which are struggling to maintain staff levels, are now required to process security checks at unprecedented volumes, which increases the likelihood of less experienced or untrained call handlers making mistakes.

Lower supplier resilience

Another risk to be considered is the resilience of third-party security suppliers and vendors, on whom banks rely for various components of their security software and information management. Many security technology companies are small, specialist providers and are likely to suffer from cashflow issues as a result of slowed or paused payments from customer banks, as well as a drop in the onboarding of new customers. Small firms will also suffer more from staff being unable to update and maintain security software which, when provided as a service (SaaS) to banks, may lead to failing components. Even a temporary failure of a supplier of that nature could lead to cyber-attacks going undetected.

Traditionally, banks have taken a top-down approach to assessing their suppliers, examining them on the basis of contract value. They now need to take a bottom-up review, starting from the security functions each supplier underpins, to ensure that critical suppliers have not been overlooked.

The current situation is a timely opportunity for banks to verify their cyber resilience and business continuity plans, taking into account their “new” ways of working. Although it may appear counter-intuitive, it is important for banks to understand how they would cope with a cyber-attack, such as ransomware, under current circumstances. They should consider at least a virtual table-top scenario exercise, now or in the coming weeks, to test whether their cyber plans remain valid.