For many firms, a remote workforce is now a new reality. Even with many states’ shelter-in-place restrictions lifting, firms are continuing with their work-from-home strategies for the majority of their staff. This transition and the related challenges have forced firms to re-evaluate their current cybersecurity and remote policies and procedures. The following considerations are important to ensure that your remote staff has the tools in place to adhere to regulatory rules, firm procedures, and best practices.
Cybersecurity policies should include remote workforce considerations. Many firms may have strong internal policies, especially if most staff typically work in the office. If the firm has made the transition to remote working, then systems, hardware, training, and technology must be tested and reviewed. Any new elements put in place should be integrated into the firm’s cyber procedures and any other applicable sections of the manual, such as the Business Continuity Plan Procedures.
Training for Remote Staff
In the beginning, your staff may have been excited to work from home. It may have even felt like a vacation. Now that the reality has set in, it is important to ensure that your team has been trained on, and continues to receive training on, the elements of compliance while working remotely. This may include a variety of topics: telework productivity; privacy and safeguarding of client information; phishing and spoofing; hardware and software compliance on personal devices; prohibited activities; and more. It is a vulnerable time for many, and fraudsters may use this fact to employ phishing and spoofing emails, attempt to gain access to client information, and/or attempt to make fraudulent money movement requests.
Books and Records
Safeguarding client information and cyber threats are key issues with a remote workforce. Where and how your firm accesses its books and records while remote must be evaluated. Many firms have moved to cloud-based recordkeeping. For firms that have not, they may consider the use of virtual desktops, virtual private networks (VPNs), or cloud-based platforms. Additionally, the firm must consider what additional authentic measures may be put in place to prevent unauthorized intrusion. For example, multi-factor authentication is one valuable tool to implement for remote workers. Whatever the method, ensure that you work with vendors that have knowledge and expertise in these areas. If any updates are made in processes, update the necessary procedures.
Use of Personal Devices
Due to the stress on the supply chain, getting access to hardware, such as laptops, desktop computers, modems, to provide to your new remote workforce may not be practical at this time. Many firms have their staff using personal devices. Firms must inventory all hardware used and make any necessary changes so that personal devices have the same level of security as devices provided by the firm. For example, this could include firewalls, cloud server access, anti-virus updates, and malware updates.
Both FINRA and the SEC recently released guidance to aid firms in creating effective practices. FINRA released a Report on Cybersecurity with good guidance on risks found in the field. The SEC also released Cybersecurity and Resiliency Observations which also supplied valuable guidance based on recent cyber examinations. Cybercriminals may use this opportunity to try to infiltrate weak remote structures. Ultimately, understanding and mitigating the key elements of your cyber program is the best protection against cyber threats.
Please contact us today to learn how our expert consultants can provide additional guidance to your firm on this topic.