IT Security Controls in the Wake of Covid-19

April 9, 2020 BY MQMR Blogger

Question:

With so many companies moving to a remote work environment due to COVID-19, what IT security controls should my organization implement to protect our data and our clients’/customers’ information?

Answer:

Working from home or another remote location has become the new norm for many in our industry. Now, more than ever, preventing data breaches and data loss is vital to lending organizations. Whether the cause is the all-too-common grip of ransomware (a hacker encrypts your business data and demands a monetary ransom) or a lack of appropriate IT controls and vetted vendors, business-critical data, PII (Personally Identifiable Information), and NPI (Non-Public Information) are clearly at risk. To avoid exposing your critical business data in a remote work environment, start by implementing these important prevention steps:

  • Use Up-to-date and Reputable Enterprise-Grade Anti-Malware Software
    • Ensure that all business assets have a reputable, up-to-date anti-malware solution installed and centrally managed across the organization.
    • All assets should be remotely monitorable and regularly scanned for malware.
    • If employees are using their personal devices for work, reputable anti-malware software should be installed on those devices as well, and any pre-existing anti-malware software on those personal devices should be disabled and/or removed so that it does not interfere with the company-approved anti-malware software.
  • Install the Latest Operating System Updates
    • Ensure that all assets are scheduled to install the latest security patches from their respective vendors, especially for operating systems. To go a step further, have a test group of workstations that receives the patches first, in order to rule out any incompatible patches before installing them on all assets. Also, only use operating systems that still receive security updates (e.g. Windows 10 and above or macOS Mojave and above).
    • Ensure that patch management for all assets can be remotely monitored, so that any assets missing patches can be identified and addressed.
  • Establish Secure Mechanisms for Accessing Company Data Remotely
    • A secure Virtual Desktop Infrastructure (VDI) provides the most secure means of remote access to company data; remote desktop over a virtual private network (VPN) is the next best option. Regardless of the method deployed, companies need to ensure their chosen remote access solution is SOC-1 compliant and utilizes at least 256-bit encryption. Further, companies should leverage secure cloud-based data repositories for storage, rather than storing data locally, as these allow employees to access needed materials in a secure environment that backs up to a redundant site, whether on-premises or in the cloud, to maintain data integrity.
  • Clean Desk Policies
    • Ensure that your staff members are not writing down their network credentials (usernames and passwords) on post-it notes at their desks or, in this case, at their dining room tables, home offices, or other communal spaces.
    • If employees choose (or are allowed) to print materials for use in their home office (we recommend against this), those materials must be secured and/or destroyed in accordance with established company guidelines to protect company data and any PII or NPI they contain.
  • Off-site Data Redundancy
    • Ensure that your critical business data is backed up to an offsite location, whether that be to a reputable cloud-based storage solution, or to a redundant, secondary site owned by your organization.
  • Create and Update Policies and Procedures
    • Having an up-to-date Disaster Recovery/Business Continuity Plan, Acceptable Usage Policy, and other Policies and Procedures could make or break a business when it comes to recovering from a disaster, or preventing one. Create formal policies, update them regularly, and test them to ensure they are functioning properly.
    • Be sure to communicate any updates made to these documents, as they relate to a remote work environment, to employees, especially updates that impact day-to-day operations, and provide additional training when and where necessary. Simply posting updated copies of these materials to a company intranet is not enough to ensure they have been received and understood.
  • Seek Reputable Vendors
    • Ensure all of your vendors have appropriate IT security controls in place. Ask your vendors the necessary questions and request evidence to determine how robust their IT security is.
  • Assets
    • Ensure all company assets (laptops, phones, tablets) that contain company or consumer data are tagged and encrypted.
    • Force password changes on a regular basis (at least every 90 days).
    • Force computers to lock after a set idle period.
    • Remove local admin rights so that employees cannot install software without IT staff intervention.
    • Implement multi-factor authentication.
    • Use encryption for data in transit and at rest.
  • Train Staff
    • Train your staff on phishing, ransomware, and general IT security awareness, with emphasis on how these apply in a remote work environment. Basics, such as locking the computer when away or not leaving laptops in plain view, are just a few common-sense reminders to include in the training.
    • Keep employees informed of new discoveries and helpful awareness tactics, including the prevalence of scams related to COVID-19.
    • For lenders and title/settlement providers, reinforce adherence to standard wire transfer protocols to protect against fraud.
  • Internet Connections
    • When possible, have employees use a hard-wired Ethernet connection to access the Internet.
    • If WiFi is the only option, make sure employees are using at least WPA2 encryption and only their 2.4 GHz network, to ensure optimal security and latency.
  • Compliance
    • Many states have issued guidance on temporary remote work environments. The NMLS has begun tracking these changes as part of its COVID-19 resource page. The document, which is being updated on an on-going basis, can be found here.
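Several of the "Assets" and "Operating System Updates" items above can be verified on each Windows workstation rather than taken on trust. The following PowerShell audit is an added example, not code from the original post or from MQMR; it assumes an elevated PowerShell 5.1+ session on Windows 10, that the 90-day password age and 15-minute idle lock thresholds are your policy values, and that the IT account names and the BIOS asset-tag field are the ones your organization uses.

```powershell
# Added example (not from the original post): checks a Windows 10 workstation against
# the "Assets" checklist. Run in an elevated PowerShell session.
# Assumptions: 90-day password age, 15-minute idle lock, IT admin account names below.
$findings = @()

# 1. Encryption at rest: every fixed volume should report FullyEncrypted (BitLocker module).
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "Volume $($vol.MountPoint) is $($vol.VolumeStatus), not FullyEncrypted"
    }
}

# 2. Password rotation: 'net accounts' prints the effective local policy.
#    On a domain-joined machine compare against 'net accounts /domain' as well.
$maxAge = (net accounts | Select-String 'Maximum password age').ToString().Split(':')[-1].Trim()
if ($maxAge -eq 'Unlimited' -or [int]$maxAge -gt 90) {
    $findings += "Maximum password age is $maxAge (policy: 90 days or less)"
}

# 3. Idle lock: screen saver active, password-protected, and timing out within 15 minutes.
#    Values pushed by Group Policy live under HKCU:\Software\Policies\...\Control Panel\Desktop.
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
if ($desk.ScreenSaveActive -ne '1' -or $desk.ScreenSaverIsSecure -ne '1' -or
    [int]$desk.ScreenSaveTimeOut -gt 900) {
    $findings += "Idle lock not enforced (active=$($desk.ScreenSaveActive) " +
                 "secure=$($desk.ScreenSaverIsSecure) timeout=$($desk.ScreenSaveTimeOut)s)"
}

# 4. Local admin rights: only the built-in Administrator and IT accounts should remain.
$allowedAdmins = @('Administrator', 'ITSupport')   # assumption: replace with your IT accounts
$admins = Get-LocalGroupMember -Group 'Administrators' |
          ForEach-Object { $_.Name.Split('\')[-1] }
$extra = $admins | Where-Object { $allowedAdmins -notcontains $_ }
if ($extra) { $findings += "Unexpected local administrators: $($extra -join ', ')" }

# 5. Asset tagging: assumes the tag is recorded in the SMBIOS asset-tag field.
$tag = (Get-CimInstance Win32_SystemEnclosure).SMBIOSAssetTag
if ([string]::IsNullOrWhiteSpace($tag)) { $findings += 'No asset tag recorded in BIOS' }

# Report: one line per control that fails the checklist.
if ($findings.Count -eq 0) { 'PASS: all asset controls in place' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

Multi-factor authentication and patch status are enforced by your identity provider and patch-management console rather than on the endpoint, so they are verified there instead of in this script.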

You can never be too secure, but starting with the short list above is a great step in the right direction.