March 26, 2020
Marshall composed this piece with the help of the Beacon Team
The COVID-19 pandemic has thrown many of you headfirst into establishing a remote work environment for large parts of your organization. Although these are temporary solutions at the moment, we believe Wealth Management firms will increasingly adopt alternate workplace options as a permanent component of the new normal.
The technology to support alternate workplace options is mature and proven. However, by definition, remote work physically removes employees, their devices, and their access to highly sensitive personal and financial information from the physical and cultural security perimeter provided within an internal corporate environment.
To help kick off your internal conversation about establishing a broader, permanent alternative workplace strategy, we have put together this short list of critical considerations based upon the best-practice experience of larger organizations, cybersecurity professionals, and CISA (the Cybersecurity and Infrastructure Security Agency). Interestingly, CISA has some of the most substantial experience in financially sensitive alternative workplace security, as so many of the federal agencies, including the Social Security Administration and Internal Revenue Service, have migrated large numbers of their employees to remote work environments.
BYOD. The policies and practices utilized for current Bring Your Own Device programs will need to be reviewed and strengthened. Current best practices of approved software and hardware (50% of wealth management firms in a recent Beacon Cybersecurity survey have a restricted list of approved applications for their advisor technology stack) should be adopted. This goes beyond the current best-practice table stakes of ensuring all devices have properly configured firewalls, anti-malware, and intrusion prevention installed and require multi-factor authentication. Based on the size of the organization, managed service providers should be considered.
Infrastructure. The decentralization of organizations and their governance processes makes it challenging to coordinate the remediation of vulnerabilities. Wealth Management firms need to be aware of who is operating the networks utilized by their alternative worksite employees, including any VPN operators. Selecting a single vendor may not always be feasible. It is essential to have a procedure and a responsible party for the coordination of risk mitigation/remediation. The strength and security of the network that workers use is the most critical factor. A VPN should be a strong consideration in a world of the Internet of Things and porous home networks.
Data Access. Mission-critical data is often highly sensitive personal or financial information that must be readily accessible. Access permissioning may require coordinating with partners like custodians and meeting their higher security standards. The permissions function needs to be strengthened and streamlined.
Deeper Vendor Due Diligence. Alternative workplace strategies place a higher demand on tools like remote conferencing and file collaboration. The applications and networks involved require rigorous due diligence to ensure sound cyber practices and that they can be easily and rapidly implemented and maintained.
Technical Support. Workforce changes in a distributed environment create more urgency for identifying and addressing vulnerability issues. A combination of vulnerability scanning services and dedicated human resources is required to ensure well-coordinated response/remediation.
Education. Extensive assessment, education, and training are required to implement a remote work strategy. Critical topics include:
• Personal and worksite protection strategies
• Awareness of information technology support mechanisms for employees who work remotely
• Understanding of revised/expanded incident response plans in a distributed environment
Beyond the security topics above, robust remote subject matter training should be established to ensure the smooth operation of business processes.
We want to thank Sid Yenamandra, CEO of Entreda, and Richard Detrick, Managing Director of Risktool Technologies, for their contributions to this article.