Since the start of the first UK lockdown in March 2020, many banks have scrambled to shift their physical offices to remote working. With limited resources available, many firms quickly – and somewhat hastily – adopted a Bring Your Own Device (BYOD) policy, where their staff’s own endpoint technology was utilised in an attempt to maintain business as usual.
This means banks are now allowing their employees to access enterprise networks from their personal devices. For many employees, the lines between work devices and personal devices have now blurred, creating vulnerabilities for financial institutions and bringing further risks to data security.
For many financial services firms, the management of their staff’s devices now hangs in the balance. So, what should firms be doing to deal with these risks?
What is endpoint technology?
Endpoint technology usually refers to the devices used to operate applications and services, most often by human interaction, at the furthest point from the network – hence “end point”. In the case of servers, they may not be furthest away from the network, but they generally serve applications or databases, and can be thought of as an endpoint. The devices can be anything from laptops, desktops, mobiles and servers to new Internet of Things (IoT) hardware.
Who uses endpoint technology – and why?
An endpoint is usually the device used by the person it is assigned to, to access their work applications and services: think corporate laptops used to access work spreadsheets and the internet. Endpoints can also be on-premise or cloud-based. On-prem refers to services, infrastructure and/or applications delivered, supported and maintained from and within the corporate domain, whereas cloud-based technology is delivered by a 3rd party provider, which can be as a service, as a platform or as an infrastructure.
Consumers are massive users of endpoints; for example, every iPhone, Android device, Alexa, home PC, etc., is an endpoint. However, with the shift to remote working, many consumers are also using their personal devices to access work technology: reading emails, taking video calls or replying to messages on software such as Slack, for instance. The positives of this type of endpoint usage – often referred to as BYOD – include flexibility, agility and infrastructure cost savings. However, the negatives can be a lack of a coherent security posture and a lack of control of corporate data.
Remote working and BYO devices
So, what’s the overall impact of remote or hybrid working and BYO devices? The answer to this one question could fill a whole book, such are the variations of service and security in play today, from the smallest companies up to the very largest. However, whatever the size of the business, there are many vulnerabilities to watch for. In order to mitigate these risks, maintaining a coherent security posture is key. There’s little point back-hauling everybody through a VPN when there are much more flexible solutions that provide better visibility and security, such as Secure Access Service Edge (SASE).
Similarly, there’s huge risk in letting employees use their own devices without any corporate control. The issue is how to control this without a “Big Brother” approach while people work from their home, using the same broadband and routers that they likely use for personal TV and download services.
BYOD: managing risks
How are the risks associated with BYODs best mitigated?
Firstly, financial institutions must establish a robust device policy, including BYODs: the management of the device estate is vital.
Secondly, they must align the best security software to defined and regularly tested processes and procedures. For example, IT teams should consider making sure that both devices and software are up to date with the latest patches. The best security software in the world won’t stop a breach if it’s “left to its own devices”! Upskilling and re-skilling staff is an area that banks will need to significantly invest in as they move to a remote and largely more digital environment. Awareness of cyber security protocols and best practice will be vitally important to protect banks from cyber attacks.