Protecting Data During the Pandemic – How Lessons Learned During COVID-19 Can Strengthen Security of Remote Work

By Scott Johnston06.15.2020

The pandemic quickly and forcefully disrupted credit unions’ day-to-day operations as employees from nearly every department had to determine how to work from home effectively and securely. Logistics such as obtaining enough laptops, securely accessing networks with sensitive data and navigating spikes in fraud have made this adjustment no simple task.

Even though states have started slowly reopening, health officials are cautioning all on the likelihood of a resurgence of the virus this fall. Plus, with today’s unpredictable weather patterns and the potential for other deadly outbreaks, it’s probable that situations will arise again that prompt part or all of a credit union’s staff to work in isolation. Savvy credit unions will take lessons learned from the pandemic and incorporate them into their broader disaster recovery or business continuity plans, with specific considerations for maintaining operations while social distancing. If there’s one thing that this crisis has taught us, it’s that preparation is key.

Security at the Center – Tips and Best Practices for Keeping Data Safe

Because credit unions are trusted with such sensitive data, including personal details about members, businesses and their financial livelihoods, it’s crucial that this information is properly managed and protected from wherever employees are working. First, on-premise controls should be extended to remote environments, with connectivity achieved solely through the credit union’s own certified Virtual Private Network (VPN). This ensures that the same security standards established in branch or in office are maintained from employees’ homes. Only the approved user should have access to the device – allowing spouses, children or friends to use the laptop, tablet or phone only introduces unnecessary risk.

Special attention must be paid to software; for example, continually patching laptops and devices significantly mitigates the risk of exploitation. Other security best practices that become especially important during remote conditions include regularly updating software on all devices, consistently backing up data, enabling multi-factor authentication and having strong, lengthy passphrases for each online account. And, don’t hesitate to collaborate with partners and peers; many credit unions have benefitted from tapping their technology providers for insight into the current cybersecurity landscape.

Proactive credit unions across the country have put these tips into action to help their employees stay secure during quarantine, ultimately better safeguarding members’ information. For example, Southfield, Mich.-based People Driven Credit Union implemented various procedures to minimize potential vulnerabilities for its 24 full-time employees working remotely during the pandemic.

“Properly identifying and classifying the risks on a regular basis has helped us understand where appropriately scaled mitigation is needed,” said Brian Howell, chief information officer/chief information security officer of People Driven Credit Union.  “On top of the normal third-party risk assessments and audits we go through, People Driven Credit Union has performed a vulnerability scan each day. We want to ensure that we have visibility into cyber risk and can effectively manage it.”

Battle Creek, Mich.-based OMNI Community Credit Union also prioritized their overall security posture when planning for an influx of remote work. First, the credit union closely collaborated with their technology partners on which safeguarding measures to apply. They were diligent with device setup and configuration for remote workers to reduce the possibility of exposure. Implementing password policies, installing antivirus software and firewalls and leveraging backups all contributed to better protecting the nearly 20 employees working from home.

“Credit unions should ensure that they have the necessary software solutions and partnerships to properly support this environment, as this is the last environment that you want to have usability outweigh your security,” explained Jason Cain, chief information officer of OMNI Community Credit Union.

Empowering Employees with Education

The credit unions that have best weathered the storm (and that will likely be most successful in future crises) are those that emphasize open, clear communication with employees. In fact, when the pandemic first began spiking, regulators urged companies to implement remote work security policies and guidelines while directly establishing expectations. Employees are often the first line of defense against fraud, so it is vital for credit unions to properly train staff on policies and best practices, as well as the established protocol should an issue arise.

Empowering employees with knowledge has been a focus for People Driven Credit Union. As part of their cybersecurity program, the credit union regularly deploys packages of protection that include situational awareness training, simulated phishing attempts and frequent knowledge sharing of relevant industry and community information to its employees. Such efforts proved especially beneficial in a crisis.

“My stance is that the investment in people is as critical as any other protection you can deploy,” said Howell. “Many risks don’t come to fruition because of a forced attack, but rather because a trusted asset opened the door to a completely avoidable situation. People are a critical line of defense, and often the greatest asset.”

Credit unions must have a detailed plan for how to respond to all types of disasters, including health-related events that require physical isolation. Learning from COVID-19’s successes and failures and applying those tips into broader disaster recovery plans will help position credit unions to more quickly, seamlessly and securely transition to remote work next time the need arises. This proactive stance will help credit unions continue to deliver exceptional member service without interruption, which is especially important during times of crisis.

Scott Johnston is chief operating officer for Member Driven Technologies, a CUSO that provides technology solutions to credit unions.