For years, examiners have pressed banks to include pandemics in their GLBA risk assessments and to plan appropriately for one. Until this year, that risk seemed remote. It was difficult to imagine just how strongly a pandemic could affect not only the bank, but the entire community, region, nation, and world.
Community Bank Security & Compliance Issues
The pandemic forced many community banks to implement work-from-home procedures in a hurry. As restrictions are eased and workers return to the office, it is very important to review how those work-from-home practices may have affected bank security and compliance with the rules protecting data and client information. Community banks must consider the security implications and recognize the risk of permitting network access from outside the secure perimeter of their internal networks.
Recognize that the risk of remote access is increased by exposure to unmanaged home networks. A secured VPN connection to the bank protects traffic from outside attackers, but it can also provide a conduit into the bank network from a compromised home workstation attached to an insecure home network.
Networks in bank offices are strictly controlled with strong firewall rules, web access controls, system logging, security event detection, antimalware, wireless restrictions, and policies to prevent unmanaged devices on the network.
A home internet connection is generally set up with minimal security controls and may serve as a shared network for phones, home computers, gaming consoles, doorbells, thermostats, security systems, garage door openers, refrigerators, smart speakers, televisions, light bulbs and dozens of other possible “smart” devices, any of which could provide a route for infection.
Malware and hacking are a pandemic that spreads over the internet. The best protection is to practice strong social distancing for any workstation or laptop that will be accessing your network or systems from home.
Minimum Requirements
The most important aspect of working from home is making sure that the home workstation is safe, secure and pre-configured to work in the event of an emergency. At a minimum, workstations used for remote access should:
- Be restricted to business use;
- Have current antivirus or antimalware software;
- Be fully patched with the latest security patches;
- Be running a current, supported operating system;
- Be running on hardware with at least minimum resource requirements for the version and function;
- Have all of the necessary applications and tools required for the individual’s job or be configured for remote access to those tools.
Next, take the necessary steps to isolate that workstation from all of the other devices on the home network.
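As an added example (not code from the article or from RESULTS Technology), the minimum requirements above, together with the isolation step, can be expressed as an automated posture check of the kind a VPN gateway or network access control (NAC) service runs before admitting a remote workstation. The thresholds, application names, the proxy used for isolation (a host firewall that blocks inbound LAN traffic) and the two sample workstation records are all constructed assumptions, not values from the article.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

# Constructed policy thresholds (assumptions, not values from the article).
SUPPORTED_OS = {"Windows 10", "Windows 11", "macOS 11", "macOS 12"}
MAX_PATCH_AGE_DAYS = 30          # "fully patched" tolerance window
MAX_AV_SIGNATURE_AGE_DAYS = 7    # "current" antimalware signatures
MIN_RAM_GB = 8                   # minimum hardware resources
MIN_FREE_DISK_GB = 20
REQUIRED_APPS = {"core-banking-client", "vpn-client"}   # hypothetical names
NON_BUSINESS_APPS = {"game-launcher", "torrent-client"}  # hypothetical names


@dataclass
class Workstation:
    """Posture report a management agent would submit for one home PC."""
    hostname: str
    os_name: str
    last_patch_date: date
    av_installed: bool
    av_realtime_enabled: bool
    av_signature_date: Optional[date]
    ram_gb: int
    free_disk_gb: int
    installed_apps: Set[str]
    # Proxy for "isolated from other home devices": host firewall drops
    # inbound connections from the local LAN (assumption, see lead-in).
    firewall_blocks_lan_inbound: bool


def evaluate(ws: Workstation, today: date) -> List[str]:
    """Return one finding per requirement the workstation fails; empty list = compliant."""
    findings: List[str] = []

    # 1. Restricted to business use: no known personal/entertainment software.
    personal = sorted(ws.installed_apps & NON_BUSINESS_APPS)
    if personal:
        findings.append("non-business software installed: " + ", ".join(personal))

    # 2. Current antivirus/antimalware, running and with fresh signatures.
    if not ws.av_installed or not ws.av_realtime_enabled:
        findings.append("antimalware missing or real-time protection off")
    elif ws.av_signature_date is None or (today - ws.av_signature_date).days > MAX_AV_SIGNATURE_AGE_DAYS:
        findings.append("antimalware signatures out of date")

    # 3. Fully patched within the tolerance window.
    if (today - ws.last_patch_date).days > MAX_PATCH_AGE_DAYS:
        findings.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")

    # 4. Current, supported operating system.
    if ws.os_name not in SUPPORTED_OS:
        findings.append(f"unsupported operating system: {ws.os_name}")

    # 5. Hardware meets minimum resource requirements.
    if ws.ram_gb < MIN_RAM_GB or ws.free_disk_gb < MIN_FREE_DISK_GB:
        findings.append("hardware below minimum resource requirements")

    # 6. Required business applications present.
    missing = sorted(REQUIRED_APPS - ws.installed_apps)
    if missing:
        findings.append("missing required applications: " + ", ".join(missing))

    # 7. Isolated from the rest of the home network.
    if not ws.firewall_blocks_lan_inbound:
        findings.append("not isolated from other home-network devices")

    return findings


def admit(ws: Workstation, today: date) -> bool:
    """Gateway decision: admit only a workstation with no findings."""
    return not evaluate(ws, today)


# Constructed sample reports for two home workstations.
TODAY = date(2020, 6, 1)
COMPLIANT = Workstation(
    hostname="home-pc-01", os_name="Windows 10", last_patch_date=date(2020, 5, 20),
    av_installed=True, av_realtime_enabled=True, av_signature_date=date(2020, 5, 30),
    ram_gb=16, free_disk_gb=100, installed_apps={"core-banking-client", "vpn-client"},
    firewall_blocks_lan_inbound=True,
)
NONCOMPLIANT = Workstation(
    hostname="home-pc-02", os_name="Windows 7", last_patch_date=date(2020, 1, 15),
    av_installed=True, av_realtime_enabled=True, av_signature_date=date(2020, 5, 1),
    ram_gb=4, free_disk_gb=100, installed_apps={"vpn-client", "game-launcher"},
    firewall_blocks_lan_inbound=False,
)

if __name__ == "__main__":
    for ws in (COMPLIANT, NONCOMPLIANT):
        print(ws.hostname, "admit" if admit(ws, TODAY) else "deny", evaluate(ws, TODAY))
```

Every failed requirement is reported rather than stopping at the first one, so the help desk can hand the home user a complete remediation list; the gateway itself only needs the boolean from `admit`.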
Risk Levels of Remote Access Methods
This table illustrates the risks associated with different remote access methods and levels of control on the remote workstation.
| RISK LEVEL | METHOD | ISSUES/RISKS |
|---|---|---|
| HIGHEST | Home PC with unrestricted VPN to office network. | No controls or visibility of home PC. No way to verify level of current security in place. Potential for transfer of malware, data leakage. Potential loss of data not stored on company systems or backup. |
| MEDIUM | Home PC with VPN connection for Remote Desktop (RDP) to internal workstation/server. | Still no way to verify level of current security in place, but greater control over transfer of data/risk between devices. |
| LOWER | Bank-owned PC or home PC with management agents and network access controls. | Full visibility and alerting on home PC. Able to verify AV, patching. Able to restrict local admin control and application installation. Manage access with domain policies. |
| LOWEST | Company-owned PC or home PC with management agents and locked down to only permit VPN Internet connection. | Full visibility and alerting on home PC. Able to verify AV, patching. Able to restrict local admin control and application installation. Manage access with domain policies. No ability to access non-company internet. |
Social distancing for your network must also address the worker at home. As always, require security awareness training to keep home workers alert to the dangers. It’s a great idea to include awareness training for everyone in the household as well. KnowBe4.com offers free security awareness courses for the home.
Finally, have a written work-from-home policy and require that your home users sign and acknowledge it.
Summary
We live in a world where technology makes working from home not only possible, but efficient and easy for many workers. It can continue to be a great option for banks, not only in an emergency, but every day if all of the risks are identified and controlled. Remember to apply social distancing to the home network to keep the office network infection free. Contact RESULTS for more information.
About the Author:
Mike Gilmore is the Chief Compliance Officer of RESULTS Technology and a Certified Information Systems Auditor (CISA) with more than 30 years’ experience in the banking industry. RESULTS Technology provides IT services to community banks across the Midwest. In his role as CCO, Mike provides compliance and risk assessments, audit and exam support and policy documentation. He can be reached at mgilmore@resultstechnology.com.