The Personal Investment Management & Financial Advice Association (PIMFA) has warned firms about the cyber vulnerabilities they may face as a result of changes they may have made to adapt to the coronavirus outbreak.

The paper, entitled ‘Cyber Resilience in Extraordinary Times’, begins by mentioning a “momentous shift in working practices” now that so many employees of financial services firms are working from home. The principal concerns of the authors of the paper can be summarised under two headings: lack of preparation and an increase in the number of ‘endpoints.’

Firstly, the paper says that many firms were forced to purchase a number of laptop computers in a very short space of time, as many employees did not have a home computer – for many people a smartphone or a tablet is sufficient for their non-work tasks, so they don’t need a computer.

Where staff do their own computers, their security arrangements may be less stringent than those on the office PCs.

Secondly, while an office-based work environment requires firms to protect a limited number of endpoints (or even one endpoint for smaller firms with just one office), now some firms are faced with the prospect of having hundreds of remote endpoints.

Many firms record their telephone calls, but while it may be relatively easy to redirect an internal telephone to an employee’s mobile device, it is harder to ensure that these calls are recorded. Some firms have addressed this by using softphone technology, but this requires a reliable connection and a high level of IT expertise to install.

The National Cyber Security Centre says that hackers and fraudsters feed on uncertainty and fear. Not only might there be little in the way of security features on a personal laptop, but cybercriminals may see the coronavirus pandemic as an opportunity to induce individuals to do something on their computer that they would not normally do. The Centre is warning firms of a significant increase in cyber-related crime, particularly fraud and extortion.

Sensible precautions firms can take include:

  • Posting warnings about the cyber threat on their intranet pages
  • Sending emails to staff warning them of the dangers
  • Adopting a policy that the laptops can only be used for work purposes, i.e. they should not be used by the employee for personal matters, and should not be used by other members of the household
  • Issuing guidance on passwords to employees working remotely, emphasising the importance of having a strong password, such as one that mixes upper-case and lower-case letters, numbers and keyboard symbols
  • Making use of two-factor authentication, where an access code is required in addition to a password. This authentication can be installed on a laptop free of charge
  • Explaining to remote workers how they can download security updates, such as patches and anti-malware applications
  • Asking remote workers to back up their files regularly
  • Ensuring staff working at home know where to seek IT assistance and where to report any suspicious activity on their computer
  • Training staff on what they need to be aware of, such as phishing attacks, suspicious attachments etc.

Finally, the report calls on firms to consider whether their remote working arrangements are working effectively and whether the firm’s business continuity strategy needs to be updated. Firms should remember that the pandemic may usher in some longer-term changes in the way people work, so it may not be the case that everyone will be back in the office in a few months’ time. The challenges of managing remote working that firms are currently facing may become commonplace.

The information shown in this article was correct at the time of publication. Articles are not routinely reviewed and as such are not updated. Please be aware of the facts, circumstances or legal position may change after publication of the article.