Steve Koinm, VP Professional Services of Pure IT Credit Union Services, responds to the NCUA remote guidelines.
The NCUA recently put out 20-Risk-01 / April 2020 addressing Cybersecurity Considerations for Remote Work. This is a useful document for the boards, CEOs, CIOs, and CISOs of credit unions. The basic premise is that technology now affords opportunities for remote work, but each employee has a responsibility to ensure the security of the credit union while doing that remote work. Though that has always been the case, many more staff are working remotely than ever before. Each of them now must give new thought to how they participate in the security of the environment.
The NCUA guidance provides a list of policies and procedures that should be in place to address employee expectations while working remotely and that may not currently exist in many credit unions today. Most policies and procedures do not consider the use of the remote worker’s personal hardware, software, systems, and networking equipment. We must take care to make sure that other family members who might be used to sharing a device with someone are unable to access any private data. Most individuals set up their personal devices so that they log in with administrator privileges rather than a user account. The passwords on our personal Wi-Fi routers and other devices may not be as strong as those on our corporate devices. The Wi-Fi router could be older and have known vulnerabilities that have not been or cannot be patched.
Additionally, how we respond to security incidents will now change. Typically, we have incident response plans that include actions such as taking systems off the network, preserving the computer in a powered-on state for forensic evidence and investigation, and calling IT support to come gather the machine to investigate. Now those systems are at a remote worker’s home and we cannot respond in the same way we did before. A new strategy for incident response must be put into place.
To combat some of these issues, we are seeing many of our clients moving to a Virtual Desktop (VDI) solution of some sort. Whether that is a full-blown on-premises VDI solution, a cloud VDI solution inside a hyperscaler, or simply providing remote access to the desktops at the office through a presentation solution, keeping the systems within the full control of the IT Department greatly reduces the technology risks.
But this remote work still increases the opportunity for social engineering attacks. The effects of the pandemic on our lives today leave our remote workers more stressed and distracted. In turn, that leaves them more vulnerable because they are not 100% focused while remote during this pandemic. Kids are home from school, spouses and roommates are also working from home, and people that they are close to may be affected by this virus.
We must ensure that we have the proper technologies, policies, procedures, and support in place to manage through this situation. Be sure to read through the NCUA Guidance Letter and reach out to Pure IT if you need assistance in meeting that guidance.
The full NCUA Remote Guidelines mentioned in this blog can be found: