The Security Illusion in the Face of COVID-19
By Scott Rhodes and Todd Sloan
When we think about the transition from office worker to home worker, we think first about IT security: “lock it down!” Unfortunately, that mantra misses the big picture. McKinsey & Company says the most valuable asset of a firm is its people, and it is the operations-intensive environment of investment management reconciliation that underscores this sentiment. The role of skilled people and automation at the center of mission-critical, post-trade processes is apparent from both the standpoint of security and business continuity to eliminate single or multiple points of failure. That means not only protecting the business from being harmed by others; it also means ensuring business operations remain robust and efficient.
Ensuring Remote Workforce Security
For many of us, working from home has become the new norm as the COVID-19 pandemic forces investment management firms to quite suddenly implement aspects of their business continuity plans (BCP). Historically, the financial services industry has been reluctant to allow employees to telecommute given the immense amount of confidential client information that could be exposed in remote work settings. The COVID-19 pandemic has forced firms into an environment that places significant pressure on remote access as many employees are not properly situated at home to accommodate this unprecedented situation.
When a firm shifts to a remote work model, firms are taking a number of crucial security steps including:
- Making sure employees are using non-stored passwords when connecting to the corporate VPN
- Establishing sensible session time-outs for all applications holding client- and company-sensitive information
- Restricting user access to only areas necessary for employees to complete their work
- Promptly removing employee access to systems when needed
- Providing employees with access to the company’s SFTP file storage rather using personal storage devices
- Enforcing encryption policies for sensitive data found in emails and on both corporate and personal devices
- Ensuring IT staff remain on high alert when supporting employees who work remotely
In addition to taking these actions at the corporate level, employees who are now working remotely should incorporate responsible measures to ensure the security of their data by:
- Only using secure, encrypted internet connections
- Making sure family and friends do not access work devices
- Keeping the home office space secure
- Ensuring computers use the latest virus definitions with regularly scheduled scanning and updating
The Cybersecurity and Infrastructure Security Agency (CISA) encourages firms to implement more aggressive cybersecurity policies to curtail an increased number of COVID-19 scams which have been identified over the past few weeks. Their suggestions include:
- Preparing IT staff to provide VPN support to employees
- Testing VPN bandwidth to prepare for greater usage
- Making sure VPN software has the latest patches and security updates
- Establishing two-factor authentication on all VPN connections
- Ensuring staff are aware of phishing tactics
- Reporting incidents such as phishing, malware and other potential threats to CISA
Keeping Business Operations Robust
An investment manager’s people are a key part of the security equation. A business is not secure if its people are anything less than 100 percent productive, or operational workflows and efficiencies suffer as a result. In this climate, firms must not only be prepared for worst-case scenarios, but also operate efficiently as trade volumes explode in a highly volatile market environment.
While many firms have implemented most or all the security steps above, significant dangers still fall outside of their control. There are no guarantees that staff will not get ill, placing strain on remaining staff. One of the ways firms can prepare is to have a contingency plan to outsource key functions. But as firms know all too well, the hiring of temporary staff is not often the best substitute for experienced IT, operations and reconciliation professionals. Not only is operations talent hard to find, specialized process knowledge often resides with individual employees, and valuable time can be lost training temporary staff.
A managed service option can offer an important backstop to eliminate the challenges associated with acquiring and retaining experienced staff who understand data security, continuous system access, and buy-side best practices. This type of “right sourcing” model ensures qualified IT and reconciliation staff who understand the firm’s security needs, data aggregation relationships, reconciliation processes, and specific application configurations can quickly provide support when a firm’s operations function becomes too strained.
Following Best Practices
Conventional wisdom says investment management firms should tightly secure their computing environments. But aside from that, it is people the firm relies on the most. With the high level of disruption, volatility and uncertainty today, firms must have a plan for dealing with single points of failure across its people, processes and technology. After all, total throughput does not add up to success if that throughput is not managed properly and ends up adding more risk and cost.
We’re all in this together, and at Electra, we stand ready to give firms the support they need during this tumultuous time.
# # #
Scott Rhodes has been chief operating officer (COO) of Electra since 2014 and served more than 10 years prior on the company’s board of directors. Before joining Electra, Scott was a managing director at HedgeServ, president and founder of internet video company Veotag, and held executive positions at Multex Systems and Information Builders.
Todd Sloan is a results-driven executive who has spent more than 20 years helping the investment management community connect with automation in the areas of reconciliation and exception management workflow. He drives Electra’s buy-side industry engagement and solution strategies.