During these pandemic times, humans were the weakest link in security, as they were more vulnerable (psychologically) than ever before to social engineering attacks.
COVID-19 has brought about a fundamental shift in beliefs, attitudes, and behaviors. As a result, a majority of the Indian Banks had to consciously admit that several known risks became “acceptable,” which during normal times were clearly “not acceptable.”
Work From Home
Banks went the whole hog on “Work From Home (WFH),” even though it was not easy to undertake WFH on such a massive scale. Quite a lot of ad hoc fixes for security cordons, such as secure VPN, endpoint security, and mobile device security, had to be provided. Concurrent remote access licenses, bandwidth enhancements, gateway capacities, etc., had to be arranged urgently. While offering desktops/laptops/tablets, organizations had to ensure that they were all stripped-down, plain vanilla systems: preloaded only with required applications, with no USB port, with downloading and installing of any software blocked, no printer connectivity, etc. Organizations had to compromise on several safety protocols. For example, the control concept of “no paper, pen, smartphone, recording devices, etc.” was not feasible to implement or monitor. They also had to knowingly leave some risks open, for example, copying of data while working at home and poorly secured home networks shared by several devices, including IoT.
During this lockdown period, technology systems were put to the test at unprecedented levels. Cybersecurity was the prime target of attack. Phishing attacks increased, as did more sophisticated ones such as malware, trojan attacks, ransomware, etc. Remote working tools such as video conferencing software were targeted by attacks seeking to take advantage of vulnerabilities. Sensitive data traveled alongside games, music, TV content, Alexa, etc. Malicious COVID-based emails increased. The International Criminal Police Organisation (Interpol) warned countries about the marked increase in cyber threats connected with malicious domains, malware, and ransomware. The Financial Action Task Force (FATF) pointed to an increase in money laundering (ML) and terrorist financing (TF) risks stemming from COVID-19-related crimes. Remote onboarding and remote identity verification in times of social distancing and office closure came with embedded risk.
As we move towards resuming normal social, economic, and other activities, organizations, including banks and financial institutions, will have to make significant changes to their structure, operations, and approach:
First of all, they have to pay considerably more attention to crisis preparedness, systems resilience, and access to healthcare.
Secondly, banks will have to make structural changes in terms of being:
Flexible — COVID-19 dispelled the myth that banking, being a customer-oriented industry, is not suitable for WFH. Banks will now have to let staff work from home. Rules, procedures, infrastructure, compensation, etc., will need review and reassessment.
Redesigning Office Layouts — Banks have been forced to consider employee wellbeing more holistically — in terms of not only physical but also mental and emotional wellbeing. Redesigning the office layout to take care of social distancing (between staff and even between staff and customers), commitment to hygiene, cleanliness, and safety, provisions for temperature checks, re-modeling conference rooms, video rooms, etc., will need to be completed on an urgent basis.
Ready to help staff redesign their homes and make them “Work Ready.” As many homes are not equipped for WFH, employees will need to be assisted in building “office pods” at home with enduring cyber connectivity and security features.
Thirdly, the new mantra will be “Working securely while working remotely.” Banks will have to pay special attention to cybersecurity while enabling their staff to work remotely from home or on mobile spots.
Fourthly, banks will have to revisit their Business Continuity Plans (BCP). COVID has compelled us to revisit certain BCP assumptions, like, “people can reach / air-dash backup centers.” In events of such pandemic proportions, the organization will not be able to get its staff to the data centres.
Hence, WFH will be an integral part of BCP. Banks will have to quickly reorganize their data centers from “Active-Passive” centers to “Active-Active” centers. Banks will have to carry out succession planning in much greater granularity — second and third lines for every function have to be ready.
Revamping the backup centre will have to cover not just its infrastructure, capacity, and licenses; employee safety, which was never on the BCP radar, will now become an essential element of BCP.
Another area for special attention will be the availability of third-party services and providers; banks need to get a high degree of assurance in this regard, including system audit certification.
Further, the current BCP locations have not been designed for an extended period of operations; typically, the recovery time objectives are within a day, or at most a couple of days.
The COVID pandemic has taught us that alternate locations may have to operate on a full-function basis for even three to six months. This has enormous implications for redesigning the BCP infrastructure.
Fifthly, banks will now have to take cybersecurity to a new orbit. With increasing reliance on digitalization, banking has already been a fertile ground for hackers and cyber fraudsters, of both the organized and unorganized kind. With the virtual certainty of remote working and WFH being the new normal, the relevance of, and continued vigil on, cybersecurity cannot be overemphasized.
Academia, researchers, and cybersecurity technology firms will have their hands full. End-to-end communication safety standards will need continuous enhancements.
Lastly, a strong element of cybersecurity will be to instill a security culture and security by design in the mind of every staff member.
The COVID-19 pandemic has taught several lessons for all organizations, including banks and financial institutions. It has compelled them to revisit certain assumptions based on which their IT Infrastructure, Business Continuity Plans, Cyber Security Framework, etc., have evolved in the past. Redesigning these in the quickest possible time is the need of the hour.