(#MBALive) Cybersecurity in a Remote-Work Environment

(Caption, clockwise from top: Thomas Clerici; J.T. Gaietto; Selim Aissi.)

Security worries have grown as more people work remotely due to the pandemic, so it is more important than ever to consider security considerations for the teleworking environment.

“There’s definitely been a transformational change in the way companies operate because of this pandemic,” said Selim Aissi, Senior Vice President and Chief Security Officer with Ellie Mae, Pleasanton, Calif., during the recent MBA Live: Technology Solutions Conference. “It’s not because no one has seen a crisis before, but not one as big as this one. The fact that we all are talking about our companies sending 100 percent of employees to work remotely is part of the challenge.”

Aissi noted the financial sector faces some unique challenges include geographically distributed teams, different regulatory bodies and changing regulations. “From a cybersecurity perspective, all of these changes plus people working from home and employees going through a lot of anxiety has created an opportunity for the bad guys to take advantage of the situation,” he said. “We are seeing some interesting trends because of this pandemic as more people work remotely.”

Thomas Clerici, Chief Technology Officer and Chief Information Security Officer with Freedom Mortgage Corp., Mt. Laurel, N.J., said the current circumstances require “a different kind of IT leadership mentality” than before COVID became a problem.

“There are two factors in play,” Clerici said. “First, market conditions in the mortgage industry. Rates are dropping, leading to higher production volumes. Simultaneously, there is a global pandemic where everybody has to go home, so you’re trying to lead your IT organization through all these challenges. It requires a leader who can operate in chaos and can prioritize and put assets where they need to be.”

IT leaders must maintain a “cybersecurity mindset” at all times–not just after an incident happens, Clerici said. “You’ve got to have a cybersecurity mindset as you’re making changes, not just saying ‘let’s throw everything out there as fast as possible and hope for the best.’ That mindset can really get you in trouble,” he said.

Clerici suggested several steps to enhance remote-work security:
-Ensure your firm’s remote access method is a secure standard. Virtual private networks and secured virtual desktop environments are the standard.

–Multi-factor authentication is a must, and many regulations mandate it.

–Secure your third-party apps–especially email–with multi-factor authentication.  

–The same controls that restrict PCs in your firm’s office–including blocking USB drives and filtering Internet browsing–should apply to remote workstations.

Basic security hygiene “will get you the biggest bang for your buck,” Clerici said. “If you haven’t prepared and you’re in June and still relying on the stuff you set up in March and not doing the basic tasks, I think you have to immediately pivot,” he said. “Do the basic stuff–patching, multi-factor authentication, secure remote access, blocking USBs and filtering Internet traffic and you’ll be in better shape.”