More employees are taking their work home with them as businesses worldwide pivot toward remote operations. These moves have not been without their challenges, however, particularly in the cybersecurity realm. Firms are beginning to realize that the approaches that served them well in the office are ill-suited to help them tackle fraud and other cybercrimes as employees and processes stay digital. This realization pushes many firms to reevaluate how they protect the flow of sensitive information and funds between employees and vendors, said Leon Brockway Jr., information security officer at financial services provider Tompkins Financial Corporation, in a recent interview with PYMNTS.
“Traditionally security and cybersecurity have relied on boundary or perimeter detection and protection,” he said. “That was broken down from a scalable and sustainable primary protective approach. Companies and organizations built programs to protect and keep things inside their trusted network. … The paradigm shifted — really, [problems were] exacerbated because the majority of the workforce are now remote. Shifting that paradigm primarily forces security organizations to contemplate and rethink, ‘Well, if the perimeter does not protect everything, how are we going to maintain our level of security protection?’ and perhaps [they will] enhance [their] security architecture for a highly remote workforce and digital customer base.”
Businesses must move swiftly to respond to these new cybersecurity considerations, Brockway added, as the working world is unlikely to completely revert to its former state. Robust online security processes will become paramount as a growing number of employees work remotely — especially those who require access to protected data or company funds.
Responding To The Digital Security Shift
Many businesses have fundamentally changed how they think about the digital workplace over the past year. They secured their data by creating firewalls or other barriers in their attempts to prevent fraudsters from attacking their systems. Still, the rising number of remote workers has shed new light on some of the risks associated with this strategy, he noted.
“Those barriers of protection — firewalls, intrusion prevention systems that protect everything on the inside, the trusted zone — no longer provide the same level of scalable security protection, given there are so many company assets that are external now, that are in people’s homes at remote locations,” he said. “The border that we relied on for our security controls did not go away or break down to a degree where it was not useful, but people and security professionals need to understand that [the legacy practice] is not protecting assets to the same degree it used to.”
Businesses must thus retool their fraud protection strategies to guard data and connections that originate outside of their trusted networks. This means upgrading not only how they protect money and funds but rethinking how they go about completing daily tasks or money transfers in the first place. Firms must implement security measures that can quash scams that prey on employees’ distance from other team members, including internal fraud attempts, business email compromise (BEC) or phishing schemes.
“Oftentimes, BEC [fraudsters are] going to want to monetize the process,” Brockway said. “They are going to want to find a way to get money quickly and efficiently. ‘Who do I talk to? How do I get money?’ In the back office, having robust controls with dual control or dual authorization — meaning if somebody gets an email and is being asked to move money — is there another person in the process to authorize that movement? Maybe one person can request it and another person can authorize it. That will help minimize or mitigate the risk of BEC in which somebody is asking for money movement, a wire, an ACH — [just] making sure there are dual controls [in] the back office will go a long way to prevent many BEC fraud scams. [It requires] more than one person to get duped, as an example, to move that money. Additionally, requiring a second line of verification such as required call back process to verify the legitimacy of email requests is a simple but effective tool for protecting against BEC.”
Integrating tools that can provide those kinds of checks and balances on digital money or data transfers will be essential to keeping fraud at bay as firms operate remotely. The key factor involved in these checks lies in determining whether employees attempting to move these funds are who they say they are or whether they have legitimate reasons for conducting transfers. This places robust authentication at the center of firms’ cybersecurity strategies.
Moving To Multifactor Authentication
Advanced verification and authentication measures are critical components in the fight against digital fraud, and multifactor authentication (MFA) is coming to the fore as an essential tool for many companies. MFA requires firms to verify employees’, vendors’ or customers’ identities using at least two of three distinct factors: something an individual is — including fingerprint or facial recognition tools — something they have or something they know. Many companies already employ a single factor, typically something known, or in some cases are using dual authentication, which requires the authentication of two types of the same factor — such as asking customers for passwords and memorized PINs, for example. Brockway said this is no longer adequate to protect systems and customers, however.
“Whenever possible, you should be using [MFA],” he explained. “Many organizations, and even, in some cases, security vendors, say, ‘We do multifactor authentication,’ when, in reality, they are doing dual authentication — they are doing two of the same thing, not gaining the full benefits of MFA.”
Businesses that continue to operate remotely need to be prepared to invest in the technologies and procedures that can keep their data and funds secure. Establishing checks and balances and incorporating MFA solutions could go a long way toward keeping them free of fraud from the inside and outside.