
Pandemic Resources for Financial Institutions

In the wake of the COVID-19 pandemic, we offer you these resources created for community banks and credit unions. Browse our related blog posts, checklists, surveys, and external links from regulatory agencies below.

Watch Our Recorded Webinar:

The Cloud: Recovery and Resiliency is Just a Click Away

Listen to our CTO, Brendan McGowan, as he explores several important decision factors for disaster recovery solutions, including user experience, financials, compliance ramifications, and cloud options.

Pandemic Planning Resources

What Other Institutions Are Saying

When do you plan to re-open your lobbies?

Which of the following activities do you plan to keep in place after you've re-opened your physical branches?

How will you change the way your lobbies and offices are cleaned?

What are some of the ways you plan to encourage social distancing in your lobbies?

What protective gear / equipment will you require?

Will you ask customers questions about their health history, or have them sign a waiver upon entering the lobby?

Will you require temperature (wellness) checks for employees and customers?

As you replace computers in the future, do you plan to make changes to the type of hardware you buy?

If you plan to continue to support a remote workforce, how will you allow remote users to connect?

What policy changes will you make if you plan to continue to allow for remote workers?

Coronavirus FAQ for Bankers

For many financial institutions, remote access was limited before the pandemic because this technology either didn’t support critical functions or wasn’t a priority at the time. Now, remote access is very important to continue business operations efficiently, and many community banks and credit unions are evaluating options for larger-scale use. To do this effectively, you first need to consider all the risks associated with remote access and the potential impact on your organization. For instance, some of the critical control factors with remote access might be the encryption of the data while it’s in transit, or while it’s passing through the tunnel; the ability to enforce MFA; clear reporting on the remote access sessions for future oversight; etc. This helps you get a quick baseline of the controls you’re going to require, which will then inform your vendor review.

While some institutions may be in a rush to get remote access tools up and running, it is important to stick to your normal vendor review process and take the time to thoroughly evaluate third-party risk. If you do have to sacrifice the integrity of your normal due diligence process and cut some corners to choose a vendor quickly, understand that there will be a resulting change in your institution’s risk appetite, or your acceptable risk. Make sure this is updated and that the executive management team including the Board sign off on the new risk appetite.

Here’s the key to a successful remote access policy: there’s absolutely no difference, security posture-wise, between a device (PC, laptop, phone, etc.) that exists within your trusted infrastructure and one that exists at the other end of a remote connection. You should not have two separate policies – one for devices that are physically located at the remote user’s location and one for those that are in your infrastructure. As employees are trying to do their jobs from home, they should be covered under the same umbrella as your normal information security program. Essentially, a remote access policy says that we’re going to treat information exactly the same regardless of where that information is stored, processed, or transmitted. At the end of the policy there should be an acknowledgment by that remote user, whether it be an employee, contractor, or whoever you’re allowing to access your system remotely, that they have read and agreed to all of the policies and procedures that you put in place to secure that information.

It can be difficult to determine which remote access tool fits best with your institution’s unique security and regulatory needs. First, you should identify the best way for your staff to access the network whether it’s through a virtual private network (VPN) or an application for remote access, like a telecommute remote control tool. A VPN is a piece of software that lives on a computer that your user has at home — preferably a bank or a credit union asset and not their personal home PC. When a user connects through a VPN tunnel, typically the computer gives access to the local network at the institution.

With telecommute remote control tools, like LogMeIn and Splashtop, the user remotely controls a computer/device that is at the institution. These tools limit the remote device’s ability to interact with the institution’s local network and have controls in place to disable functions like file sharing. This makes them a secure option for organizations that don’t want employees to have direct access to the network.

Because each tool achieves a different goal, you will want to determine exactly what your team needs to conduct remote work efficiently, effectively, and securely. There are also several collaboration tools and meeting tools to consider which can help different teams within your institution communicate and collaborate on projects internally and meet with each other or speak with external users outside of your organization.

While risks are heightened for remote users, you can still perform a lot of oversight using reports on the activity of employees working from home. However, a disruptive situation like the pandemic can cause some of your oversight mechanisms to break down. One way to combat that heightened risk is to remind people of your remote access policies. Communication is key here, especially for those people who are working remotely for the first time. For example, you may not have had a lot of time to perform comprehensive training on new technologies you’ve had to adopt to support remote working. Are people using the technologies correctly and securely? It’s going to require more training from the managers to ensure remote workers understand the expected behavior. There are a lot of challenges to overcome when the way you normally do business has been disrupted. Your remote access policy will have to be expanded to cover those areas.

The 40 percent number comes from the guidance that states you should plan for 40 percent of your workforce to be unavailable at the peak of a pandemic. However, this number may be higher when you consider that many of your employees are now working from home and may not be used to it. And many have small children to tend to because schools have closed. There are a lot of disruptions that can cause remote employees to be less effective in their job duties. So, the 40 percent number bumps up to 50, 55, maybe even 60 percent. When you put succession plans together, ideally you want to have three levels of resources that are available for critical functions. Some institutions are lucky to have one or two, let alone three. One of the lessons that we’re learning in real-time as we go through this event is that your succession plan may not be deep enough to make sure that all your critical functions will continue as they normally would under a non-pandemic event.

We’re seeing that all examinations have either been pushed back to a later date or changed to a remote visit. In the climate that we are in, examiners are expecting institutions to make accommodations to customers that may be negatively affected by this pandemic and ensure they have access to other critical products and services.

But what happens when we go back to a more normal set of circumstances? What will examiners expect then? Most likely, they will be looking for a mature document that financial institutions have created to show the “lessons learned” throughout this pandemic event. We can certainly see guidance changes coming out of this, with regulators having a new set of expectations for financial institutions going forward. Right now, we are all concerned with just getting through this challenging time, but all financial institutions need to document what they are doing and the lessons they have learned along the way. They also need to create a report for the Board and the executive management team recommending any necessary changes to mitigate the impact of a pandemic, should one happen again in the future.

There is both the short term and long term to consider. When this whole thing started, equipment supply chains from vendors like Dell were completely backlogged. People were not able to get the laptops they needed to support operations during this pandemic. We heard stories of multiple bankers who jumped in the car as soon as this broke and ran to the nearest Walmart to buy every laptop they could. That’s not the position you want to be in for the future.

Although supply chains are catching up, there’s an expectation that the COVID-19 virus will spike again, and we may be working from home in another round of the pandemic by the end of this year. So, there’s a lot more catching up and planning that needs to be done for the long-term. People are going to want a solution that enables their workers to work seamlessly regardless of whether they’re in the office or remote.

It will take a significant investment to implement these kinds of platforms—not just from a financial perspective but also from a user experience perspective. Executives must buy-in to these investments because it’s going to be a significantly different way of doing business.

Virtual Desktop Infrastructure (VDI) is evolving as the next generation of cloud computing. Last year, Microsoft released its desktop-as-a-service offering, Windows Virtual Desktop, and has seen a 3X increase in adoption. However, these technologies are not the simplest to consume. Users can’t just run over to the website and turn them on. It’s still a project that has a significant impact on the users. On the other hand, these technologies make remote working more achievable than it was just two years ago, or even one year ago. Consider your willingness to undergo pain now to be better prepared should we have another pandemic. Freedoms that users are used to in a traditional environment must now be reconciled with corporate policies that dictate some hard new approaches.

Finally, the network perimeter has traditionally been considered to be the firewall at the edge of the network, acting as a boundary between what’s safe and what’s not safe. Today, those lines are blurring. We care about the user wherever they are and the endpoint that’s in their hands. How do we apply the same security profile and risk management approach to these endpoints? It must be the same regardless of whether that asset is at the office or at home. Endpoint protection technologies have existed for some time, but now there is good reason to put the effort and investment into adopting them.

The short answer is yes—if it’s well documented. You must document the beginning of it and show what your current policy says, then show what you did, at what frequency, and provide the reporting to prove it. Of course, you’re going to have to wait until we’re at the other end of the pandemic to document the “lessons learned” and the changes that you’re going to make to your policies and procedures to adapt to what you went through and be better prepared for the next one.

With the pandemic already underway, it can feel counterproductive to conduct a pandemic test for your financial institution. However, we’ve found it’s never too late to test and update your pandemic plan as needed, even in the midst of a crisis. Make sure you are validating your succession plan and cross-training measures by purposely excluding certain key individuals from actively participating in the testing exercises you conduct for your institution. During a pandemic, important individuals may not be in the branch or available every day, so it’s important that you test your plan to make sure the institution can still operate efficiently.

On Monday, March 24th, the Federal Reserve provided additional information to financial institutions on how its supervisory approach is adjusting in light of the coronavirus. According to a summary from the ABA Banking Journal:

It will “temporarily reduce” its bank examination activities as it pivots to focus on responding to the immediate challenges posed by the coronavirus, the agency said in a statement tonight. All regular examination activity will be suspended until at least the last week in April at institutions with less than $100 billion in total consolidated assets, the Fed said, “except where the examination work is critical to safety and soundness or consumer protection or is required to address an urgent or immediate need.” For larger institutions with more than $100 billion in assets, the Fed will defer “a significant portion” of planned examination activity. However, firms required to submit plans under the Comprehensive Capital Analysis and Review exercise should still submit their capital plans by April 6. The Fed will also grant institutions an additional 90 days to remediate existing supervisory findings, except under specific circumstances where “more timely remediation would aid the firm in addressing a heightened risk or help consumers.” Read More from the ABA.

Stay tuned for insights and analysis on this update and other regulatory changes from the Compliance Guru, Tom Hinkel.

If your institution would like to buy and control the devices used by your employees at home, you will need to consider laptops. With company-issued laptops, the institution can control the security and cyber health of the device while it is at the user’s home. The downside may be the cost of buying new devices, which increases the overall cost of ownership. However, when you buy laptops for remote users, you can repurpose current computers at your branch/office locations for another user with an older machine. Or, you can make the laptop the remote user’s office device as well to limit extra expenses long term. There are a few extra costs to laptops because, at a minimum, these devices should be encrypted by default, unlike desktops.

If you are allowing an employee to use their home device, then make sure you do a risk assessment. Consider creating a remote access policy if you do not have one already. This should include rules for the appropriate cyber hygiene of the remote device (patching, antimalware, etc.), and should be signed by the end-user. OpenDNS offers free security options for DNS lookups on home computers, which is also a good consideration when developing your home PC access policy and requirements. You may also require multi-factor authentication as an additional precaution to keep the network secure.

Cyber hygiene is a reference to the practices and steps that users of computers and other devices take to maintain system health and improve online security. Cyber hygiene should be heightened during this time of the pandemic. Cybercriminals are launching phishing attacks by claiming to be from legitimate organizations with information about the coronavirus disease (COVID-19). For example, these email messages may ask you to open an attachment to view the latest statistics on the virus. If you click on the attachment or an embedded link within the email, you will most likely download malicious software onto your device and allow cybercriminals to take control of your computer, log your keystrokes, or access your personal information and financial data. Your cyber hygiene practices should entail reminders to avoid social engineering tactics, such as:

  • Don’t open emails or click on links just because they say “re: coronavirus”
  • Remind employees of telecommuting standards:
    • Do not allow family members to use your laptop;
    • Lock your PC when leaving your workspace;
    • Be aware of login time and day restrictions;
  • Enforce password protection and remind remote employees not to write their passwords down. If multi-factor authentication is available, then use it!
  • Set expectations for more regular check-in opportunities and emails updating staff on the health of other team members to keep everyone connected and engaged.

For more best practices on cyber hygiene at home, read our checklist, “12 Tips for Remote Workers in the Banking Industry.”

External Resources