Insights from Catalyst


Home Sweet Home…Office? Assessing Enterprise Risk Beyond CU Walls

December 11, 2020

By Brad Cooper, CUERME, Director of Enterprise Risk 


The concept of working from home was foreign to many until March 11, 2020, when the World Health Organization officially declared the COVID-19 outbreak a pandemic. Organizations across the world were forced to enact their pandemic preparedness plans and send their employees home for an indefinite period. 

Nine months later, what was once a culture shock has slowly become “normal” and, now, even a newfound preference for some portion of the nation’s workforce. Among the many benefits, employees are enjoying the freedom to work from anywhere and the added flexibility that provides. Other notable advantages include a decrease in transportation costs (i.e., fuel, tolls and vehicle maintenance) and, ultimately, lower risk of exposure to airborne viruses, like COVID-19 and the flu. Organizations are also realizing cost savings on office supplies, utilities and commercial office space.

However, working from home comes with its own set of risks. Credit unions are service-oriented organizations that deal with highly confidential data and transactions daily. Only now, the same responsibilities of availability and confidentiality carry over to the work-from-home environment.

For these reasons, it’s important credit unions recognize – and account for – the various risks associated with an expanded remote workforce. Here’s an overview of these risks and helpful tips for addressing them.   

Security risks

  • Physical security – Most homes are not equipped with the same level of physical security measures (electronic access and monitoring, security guards, etc.) that are found within financial institutions. Should a home burglary occur, a credit union may be more susceptible to losses incurred from theft of confidential data and/or making breach disclosures under newly enacted state laws.
  • Cybersecurity – Information security controls within the walls of a credit union, such as endpoint malware protection, vulnerability management and patch management, may not exist on the home workstation. Furthermore, employees may store data on their system in a manner inconsistent with in-office best practices, making them more vulnerable to a data breach or attack. In an August 2020 Malwarebytes survey, 20 percent of organizational respondents reported experiencing a security breach as a result of a remote worker.

The credit union should conduct a risk assessment to determine if job functions requiring enhanced security measures are acceptable and deployable in a work-from-home environment. Higher-risk departments, like payment processing or wire services, may warrant employees working in the office, at least until additional controls can be implemented to secure daily operations.

For job roles and functions suitable for remote work, credit unions should ensure that employees have adequate means to store and/or destroy confidential data. This could even include disabling the ability to print outside the office, except in limited cases. Enhanced security training should also be provided to further educate employees and address critical new work-from-home considerations. Additionally, credit unions should consider rolling out a mobile device management platform that enables enhanced organizational control over the remote devices connected to the corporate network.

Business continuity risks

  • Weather event/power outage – Regional disasters, such as ice storms, tornados, fires and hurricanes, can significantly impact credit union operations. Although most organizations usually have a plan for these types of events, employee residences are not likely equipped with the same measures of protection and redundancy.
  • Internet service providers (ISPs) – Typically, a limited number of ISPs are available for residential use in a given city/region. That means a potentially large portion of credit union employees could be using the same ISP at home. This could pose a significant risk to operations during an ISP outage caused by weather, cyberattacks or any other instance in which service is down for an extended time.

To address such risks, credit unions should assess job responsibilities based on geography, in case a weather event or accessibility issue disables an employee’s ability to work from home. Uninterruptible power supply (UPS) devices or hotspots can also be distributed to critical employees for contingency support.

Furthermore, credit unions should develop and maintain updated business continuity plans for employees in the event they are unable to connect to the corporate network. Please note: if any of these plans involve returning to the office, social distancing measures should be accounted for until the COVID-19 pandemic is resolved. 

Today’s remote work environment has presented new challenges, but also new ways of serving members during this unprecedented time in history. A thorough assessment of security and business continuity risks, like those listed above, can help ensure your credit union puts its best foot forward…house slipper and all!

Additional tips and pointers for adapting to a remote workforce can be found here. And, be sure to check out these cybersecurity best practices for credit unions.