Remote Working Strategy for Financial Institutions

In a post-COVID landscape, remote working will be more accepted – even in the banking and financial services sector. Just recently, Barclays CEO Jes Stanley said expensive city offices may well become a thing of the past, and indeed, it’s highly unlikely that the tens of thousands of workers that once filled our capitals’ skyscrapers will all return.

Remote working has a vast array of benefits, from cutting costs to increasing productivity, however, the sensitive nature of the finance industry’s data poses a serious challenge.

The key to successful, more permanent remote working strategies is secure authentication. This must start with a passwordless approach. Innovative technologies such as biometrics can help keep data safe and secure, especially considering the escalation of cybercrime and unprecedented levels of online fraud. Funded attacks on passwords worldwide have risen 667 per cent since lockdown began, and a recent report found that 1 in 3 users have fallen victim to phishing scams. This is no surprise considering millions of employees share common passwords across personal and business accounts. Furthermore,

passwords and PINs put pressure on already inundated IT helpdesks, which as well as costing $1.9 million a year in resets, severely impact productivity across the business.

Increasingly, businesses are realizing the benefits of taking a multi factor biometric approach to authentication to enable secure remote working, whilst delivering a streamlined user experience and enhancing productivity.

The pandemic has put pressure on businesses to adopt technology that they may be unfamiliar with, without subjecting it to the usual in-depth assessment. This has been essential in keeping businesses afloat, but these shortcuts places them at greater risk of fines and data breaches – likely to increase as we come out of the pandemic, and businesses adapt to the new environment.

As a result, this landscape is going to favour the agile. It’s going to lean towards the disruptors, who are bringing necessary change to sectors like financial services. Banks, for example, are already partnering with fintech firms, in order to provide more responsive loans that can support small businesses during the pandemic. Uniting with these nimble tech firms, who truly know what it means to take a well-established process and turn it into something innovative, will be the key for large financial firms to enable a remote workforce and achieve success post-COVID.

Digital banking channels may be moving many customer interactions out of the branch, but until recently, most bank employees still spent their days working in financial firms’ premises.

As the coronavirus lockdown plodded forward, banks have been forced to very quickly adjust to a new reality of having many if not most of their employees work from home—a shift many financial institutions have been ill-prepared to make. Many companies were not ready to deal with a large remote workforce. In a March 2020, social engineering and malicious and negligent insider incursions as security threats have been heightened with “a sudden work-from-home workforce.”

The financial industry has been forced to fast-forward telework arrangements for a wide and varied range of staff, from frontline employees who typically worked in the branch to top executives, who may need broad access to bank systems, data and files. For many financial institutions, who had up until recently allowed only a few select employees to work from home (or none at all), this sudden change has not only affected the logistics of their day-to-day banking business, but also how they handle information security across a distributed enterprise.

For banks, moving so rapidly to a remote workforce has forced a refocusing on the need to secure endpoints including laptops and mobile devices that employees are using for work, whether company-issued or otherwise
.
Typically, organizations focus primarily on securing their company systems and networks, with those endpoints getting a secondary focus because they’re operating within the system and are protected by multiple layers of security built into company systems. Now, teleworking employees and their endpoints are outside the companies’ fences, and also outside of those layers of security.

Take for example the State Bank Group, a $230-million-asset bank headquartered in Wonder Lake, Ill. With eight locations and 75 employees, described as a very traditional community bank—one that, until March, like many of its counterparts only had a very small percentage of employees working from home periodically, no one on a regular basis. Then with the onset of coronavirus concerns, in the space of just a few days the bank needed to rapidly move roughly 70 percent of its staff to remote working situations.

The Bank had to be able to quickly adapt because [before that] it had issued secure devices to connect remotely to probably 40 percent of the staff. What did the State Bank Group had working in its favor? It had developed specific pandemic and business continuity plans prior to quarantine mandates and had begun using a virtual server and desktop environment more than five years ago, and implemented more network infrastructure that allowed them to rapidly deploy more employee devices, test more effectively and secure disparate endpoints.

The big thing was that they were able to respond quickly with training and processes to people who had never connected remotely before. These new arrangements did require more employee education on heightened threats, on use of bank-issued hardware and RSA secure tokens for using these more– secure devices to access the bank network.

For financial institutions that want to secure work-from-home employees, it is most secure to use either virtual desktop-server technology or virtual private networks for allowing access to internal networks.

When an employee is using their own computer, IT has almost no control. That aside from not having the appropriate endpoint security built in, including multi- factor authentication, IT security professionals cannot track whether these employee-owned machines are properly patched and if they have visited fraudulent sites or have viruses on them. It is imperative that Bank deploy cyber education, patching and cyber-hygiene to its employees.

Before the pandemic shut down many workplaces forced all but the most essential employees to work from home, only about 5 million people worked remotely in the United States (not including independent contractors or micro- businesses). For banks, contending with stringent privacy and security regulations and protocols surrounding access to internal information, permitting work from home arrangements has not been nearly as widespread as other sectors.

In the remote workforce, the first area of focus needs to be your operational workforce and the first line of defense is to ensure operational compliance. In most cases, that responsibility falls to the people who are running the day-to-day operations because they are the ones that are interacting with customers and handling sensitive information. With their own core processing clients, FIS can let banks set business rules and limits around every process and program, which will lock out remote as well as on-premise users if rules are not followed and require supervisory permission from compliance to proceed.

Indeed, beyond just being able to connect securely, banks need to be able to insure that their employees have secure hardware as well—and the sudden shift to remote access has definitely created some short-term equipment challenges. Institutions need to make sure employees have corporate–owned and managed devices, which are secured through corporate malware protections, vulnerability detection, AV, patching, and local firewalls, they need to make internal applications available to external remote workers so they do not use their own uncontrolled equipment or applications.

Applications that historically have been protected by the nature of their architecture as internal enterprise applications are now being used outside that walled garden via internet access. That brings about a series of unknowns and potential unidentified application security vulnerabilities. Banks may be forced to shortcut their hardening processes or ensure appropriate cybersecurity testing has been conducted on these apps.

A lack of availability to adequate VPN bandwidth and VPN licenses for employees have also been issues. While many institutions scaled their

connectivity infrastructure to allow a handful of remote users to log into the bank’s internal network at one time, their plans typically did not account for having to offer virtual private access to the entire workforce all at once.
We break banks into three camps (based on how they have handled the abrupt move to distributed workers):

1. Most big banks, with over $10 billion in assets, had a thorough, adaptable plan in place with enough equipment, bandwidth and VPN licenses to accommodate their pandemic reconfiguring.
2. A second group has scrambled to quickly fill in the gaps, accelerating their use of cloud services, adding VPN licenses, bandwidth and hardware if necessary, to enable a secure remote workforce.
3. Finally a third group of banks is allowing employees to access internal bank networks with their own PCs and mobile devices and use their own home internet access—essentially, to do their jobs any way they can.

That last group is where the most risk exists right now.

But the changing working arrangement is not the only factor affecting employee risk during this quarantine time. Fraud historically increases during disaster- related events, and the COVID-19 pandemic is not an exception.

According to recent Aite Group research, 94 percent of attacks on banks originate through phishing emails sent to employees. As soon as we move employees to remote connections, during a time of high stress, people are nervous and looking for news [about the pandemic and quarantine]and less likely to look closely at

emails. Financial institutions are seeing as much as a 500 percent increase in phishing attempts on customers and employees since early March.

Added to this human factor is the fact that the technology used to distinguish “normal” employee behavior from the disparities that typically point out bad actors or fraudulent is not as effective when employee activity is far from normal—they are logging in through different devices, potentially handling different tasks and perhaps working non-standard hours to accommodate home-schooling children or other WFH issues.

Hence, the machine learning or AI technologies, geo-location, IP or out-of-band authentication tracking or other cybersecurity measures based on gauging normal activity may be “thrown out of track.” And bad actors are taking full advantage. Banks are experiencing three times as many cyber-attack attempts on their systems and their employees in recent weeks.

In the meantime, bankers are doing their best to get the word out to employees (as well as customers) about heightened risk for phishing and fraud scams, as well as to revisit education about good cyber-hygiene practices. The banks that have already implemented multi-factor authentication for employee access have an advantage, and more banks that do not have employee MFA have moved it to the top of their to-do lists.

Managing a remote team also comes with its own set of challenges. While there are various issues bosses have stated as the reason they don’t like having

employees work from home, it often boils down to a couple of simple facts: they want to know that their employees are working and that they’re doing OK. In a traditional office environment, it’s easy to walk by an employee’s desk and gauge attitude and productivity. It’s obviously not as easy when someone is miles away.

– Metrics Based Management

Measuring productivity based on results requires quantifiable metrics, which can be challenging for businesses to define. Just because an employee is connected to the office by a VPN doesn’t mean they’re working. And it also doesn’t necessarily mean they’re not. In job functions like a call center representative, a simple metric of calls per hour can be used. However, when you have employees with varying responsibilities, creating metrics for each person will be required, with some degree of frequent revision.

Keep in mind that meeting a defined goal doesn’t necessarily equate to productivity. If goals are set too low, an employee accomplishing the desired result may not be working at full capacity. Additionally, if a goal is set too high, an employee missing a target may be wrongly interpreted as “they’re not working hard enough.”

– DATA DRIVEN MANAGEMENT

Holistic View: An employee can’t be measured on a single activity or action. They need to be measured on the entirety of their work. Depending on the job function, an employee’s day is made up of a mixture of corporate, local and internet-based applications, internet-based data and resources, email, chat, and even social media.

To effectively measure productivity, you need to be watching each activity individually, as well as their summation, to determine an employee’s productivity.

– Individuals & Their Groups

Additionally, measuring one employee against a peer group provides perspective as to whether they are spending too little, just enough, or too much time performing an activity.

Viewing the productivity of a group allows you to identify the best practices of your top producers, creating a benchmark of efficiency standards. Cross group comparison can also help identify employees requiring additional training.

– Being Proactive Not Reactive

Lastly, measurement should be done using a proactive methodology where standards are defined, and a proper review of activity can be done quickly and efficiently.

Employees are the lifeblood of every organization, so it’s the responsibility of executive management to proactively address the new issues surrounding a remote workforce, including data-driven visibility into employee activity, productivity, levels of engagement, and employee satisfaction.

– THE ROI IMPACT OF TRANSITIONING TO A REMOTE WORKFORCE

The Danger of Disengagement Without visibility into a remote employee’s behavior, it may be challenging to determine their level of engagement. According to HR specialists CBR, five warning signs of disengagement are:

1. Decreased productivity
2. Social withdrawal
3. Attendance problems
4. Negativity
5. Lack of initiative to improve

When workers are remote, it’s often difficult to observe the actual levels of productive activity, attitude changes, and social withdrawal from colleagues.

– Visibility is Key

The ability to see productivity drops is invaluable, whether it’s disengagement, a training issue, or someone struggling to work in their new “work from home” environment.

Additionally, the ability to identify changes in attitude, early on, can keep a valued employee from leaving the company or stop the growth of a toxic team environment. Luckily technology can help.

ADVANCED MONITORING FOR EMPLOYEES WORKING FROM HOME USER ACTIVITY MONITORING & ANALYTICS

We are able to provide access to white label software tailored to your specific needs, that provides user activity monitoring and analytics solutions to measure employee productivity with incredible levels of detail.

The software provides productivity metrics and the specific activity behind those metrics. This empowers businesses with the visibility and context necessary to identify employee productivity issues and address them rapidly.

– REMOTE DEPLOYMENT

Applications can be deployed to all PCs, Macs, and Android devices on your network. The software agent is deployed from a centralized management console to computers in the office or at remote locations (home offices).

The software has the option to be deployed silently so that end-users don’t know they’re being monitored. This is an important feature for some companies when monitoring is used as a security tool or for investigations.

– SEE EXACTLY WHAT EMPLOYEES ARE SPENDING THEIR TIME ON

Running on the employee’s computer, the software has the ability to analyze and record all onscreen activity. Although the software can monitor all computer activity, you have control over what will or will not be monitored. The software aggregates the employee activity data and provides several ways to review the information.

The activity can be reviewed at a company or department level, and you also have the ability to drill down into the details, based on a specific user, activity type, or through a keyword search. The software presents the data in easy to view reports and within its dashboard, making it quick and efficient to see exactly what your remote employees are doing on a daily basis.

– PRODUCTIVITY METRICS AT A GLANCE

The software’s dashboard lets you quickly see daily and weekly metrics. You’ll see a weekly view showing who’s productive, who’s not, and the people that are barely using their computer. Not only can you see what an individual is doing, but you can also see how they are doing in relation to their peers.

Drill down and see by daily or by the minute details on any individual in your company. See how many minutes they were active in each application during designated work hours.

– REACTING QUICKLY

Psycholinguistics

The software analyzes written language in emails and can detect changes in employee sentiment. Its artificial intelligence (AI) specifically looks for signs of employee disengagement. The software will send an alert when it identifies a significant change in an employee’s sentiment.

The Power of Early Intervention

Change in sentiment along with a drop in productivity are critical warning signs of disengagement from the company. This information allows management to take corrective action early on. By understanding and addressing the employee’s issues, it’s much more likely that a valued employee can be kept from leaving the company.

Additionally stopping disengagement in the beginning, can head off the spread of a toxic attitude that could infect an entire team.

Determining the Cause of Disengagement

Under normal circumstances a highly engaged employee is usually highly productive. However, the coronavirus has turned everyone’s world upside down. Identifying those that are struggling in this new environment is critical during this transition period and will remain important as more companies move to a remote or hybrid workforce. Issues include:

– Isolation from peers
– Lack of communication
– Lack of self-discipline/self-direction/self-motivation in a remote work environment
– Managers inexperienced at supervising remote teams

Speak to one of our partners about a consultation and cost offering
Our full implementation plan and training package can be accessed for US$350,000.00 plus software implementation costs.