Bank CIOs confront challenge of so many employees working at home
The outbreak of the novel coronavirus has been a test on multiple levels for banks’ technology departments.
Chief information officers at several regional and community banks say their departments are doing the best they can to help employees make the abrupt transition to working at home. Yet the relocation off-site of so many workers is straining networking capabilities and business-continuity plans and will even challenge cybersecurity defenses.
“It's very busy,” said Bruce Livesay, CIO of First Horizon National in Memphis. “All things considered, we're doing pretty well.”
Supporting the home office
The IT department at M&T Bank in Buffalo, N.Y., is coping with all the work-from-home demands on its services, CIO Mike Wisler said. However, “it hasn't been easy for sure,” Wisler said.
“The degree to which we need to be remote-enabled now is much higher,” he said.
One thing the $118 billion-asset company had going for it: Most employees already had company-issued laptops with access to virtual private networks, he said.
And about two weeks ago, Wisler’s team took stock of the entire company, to see who was set up to work from home and who was not.
“We were pretty well covered,” he said. More than 10,000 employees were already remote capable, though they were not working remotely on a day-to-day basis. The IT team enabled another 3,000 employees in the course of a week. The remaining employees are in roles that cannot be performed remotely, such as branch staff, cash lockbox operations, mail handling and building security. M&T has 17,000 employees.
A lot of the strain is on the providers of technology everyone depends on to work from home, such as telecommunications networks and videoconferencing tools like Webex, Zoom and Google Hangouts, Wisler said.
“We're a pretty resilient group,” he said. “We tend to be a pretty mobile group. We tend to work all hours of the day and the night, generally. I think much of the anxiety and the tension that exists is as professional as it is personal, with everybody’s lives getting turned upside down.”
At the $43.3 billion-asset First Horizon, about 30% of employees had the capability to work from home, and now it has passed 50%, according to Livesay. Some operations people who process paper and staff running drive-throughs or taking branch appointments need to come in.
The bank already had a VPN, but it has been adding additional tools such as virtual desktops.
“We instituted our business-continuity plan,” Livesay said. “We declared a crisis, got the crisis committee going and started having everyone use their remote-work capability.”
Having its data centers in-house has been an advantage for First Horizon, Livesay said, because it gives the bank options for remote work.
“We had our data center people working all weekend, expanding our different types of remote-connectivity options,” he said.
Most data center staff can now work from home.
“It’s rare that you have to physically touch a machine these days because everything is virtual,” Livesay said. “We do have a skeleton crew coming in.”
Keeping an eye on things
CBW Bank in Weir, Kan., already had a disaster-recovery office in Lawrence, Kan., with a lot of space. Some people who lived near that location have begun working there. Other employees, especially those with children, are working from home. Only a few people remain in the corporate office to handle critical operations.
The $87 million-asset bank was uniquely situated to have people work from home, according to Suresh Ramamurthi, chief technology officer. All employees have used laptops for the past ten years.
While employees work from home, they have their laptop video cameras on all day long.
“It’s like being in the office, everybody can see you and hear you,” Ramamurthi said. “You don't have a choice.”
This is not being done for spying purposes, he said.
“The reason we did this was to give people a sense of belonging," Ramamurthi said. "They are all working at the same time, and they can share it and talk,”
Ramamurthi himself is not on camera. But everyone else is, including senior managers.
One of the top things companies do to prevent cyberattack is monitor all network activity, blacklisting all known bad actors and red-flagging or blocking suspicious activity.
But having everybody working from home can throw a monkey wrench in this effort, because activity from home will look different. Models used to discern good behavior from bad may have to be adjusted.
“The challenge we have is that we’ve scaled that up, so your ability to monitor and inspect anomalous behavior may be stressed,” M&T's Wisler said. “When you move 50% of the community into a different network posture, some of those models may take a little bit longer to learn these new behaviors. You might have more false positives.”
First Horizon is also carefully monitoring network use as employees are coming in from different locations, and putting in extra protections.
“We've had a lot of talk with our internal auditors looking at, as we've moved more and more people to this remote work model, trying to make sure that we maintain our controlled environment,” Livesay said. “What’s been keeping everyone pretty busy is figuring out the right way to do this in a secure fashion that maintains our control environment. It's a different world. There’s no doubt hackers are out there looking for ways to take advantage of this.”
Some of First Horizon’s bank customers were affected by the Finastra ransomware attack last week.
“We had to work through how to make sure those customers were taken care of,” Livesay said, especially with wire transfers that did not go through as they normally would.
“It's extra tough knowing the bad guys are going to be out there and looking for ways to poke holes in things while there's all this confusion going on,” Livesay said.
Former security analyst Al Pascual, COO of Breach Clarity, warned that employees working from home could feel emboldened to commit fraud, especially if they are disgruntled or feel underpaid or mistreated.
“People are going to be home alone, maybe for the first time having access to all this information,” Pascual said. “If they're concerned about their job, especially if their spouse has lost their job, that temptation to do something that they shouldn't is going to be higher than it normally would.”
There are ways to minimize that risk, he said: Treat employees well, while at the same time making it clear that the company is being vigilant.
“I really like seeing that banks are paying their front-line employees more, and I think they need to take that a step further,” Pascual said.
Amy Mushahwar, a privacy and data security partner at Alston & Bird, pointed out that honest employees could also be more susceptible to security threats when they are working from home.
“They might be working more casually,” she said. “They might be more likely to multitask and fall for phishing campaigns. Many clients are getting flooded with client requests right now. So simply in the urgency of dealing with the necessity of this situation, they have less time. And that breeds a ripe environment for hackers to exploit companies and to exploit employees.”
Hackers see opportunity in the coronavirus pandemic atmosphere.
“The bad guys don't take days off, regardless of what's going on,” Wisler said. “We do have to raise our vigilance. We've upped our posture of observing and protecting our VPN and network capabilities. We've definitely used this opportunity to refresh everyone on the best practices, to heighten our awareness around those things that have the potential to compromise, regardless of where you might be, inside or off our network.”
Like most banks, M&T monitors for and defends against phishing attacks every day.
“We're just taking a really prudent, thoughtful approach to watching certain things with a little bit more attention, moving some of our capacity to observe and respond to certain things in different places because of the posture that we're in,” Wisler said. “History has shown us that the weakest link is not technical. Human behavior tends to be the weakest link, which is why we put many layers of technical controls around everything.”