Part 1, Equipping Staff and Securing the Environment
In what has been called a mass experiment in remote work, attempts to mitigate and slow the spread of coronavirus have led many companies to ask or allow their employees to work from home for the first time. Remote work, however, involves different considerations for different departments. Treasury’s considerations are complex, and neglecting proper setup can lead to problems.
Most companies are already in the midst of implementing their business continuity plans. Some are still in the process of sending workers home, many of you are reading this from home already, and others are doing their best to mitigate the spread of the virus while staying in the office. In this post, we are outlining a few elements to make sure you have considered. In addition, if you’re realizing your business continuity plan might need some revising for next time, we want to encourage taking notes now and considering what changes might be necessary. After all, if we’re going to have a global crisis, we might as well learn from it and consider: How ready were you? What might you have overlooked? What will you need to do next time?
Even when we narrow our focus down to the treasury industry, there is no one-size-fits-all formula or checklist for remote work. Each organization will have its own unique situation to think through. There are, however, several considerations that any treasury group interested in remote work will need to take into account in their preparations.
Technology is the very thing that allows the possibility of remote work, but that doesn’t mean it’s a simple factor. On the contrary, it’s one of the elements that requires the most logistical foresight and work. Treasury experiences this even more than most professions. Their work typically leverages powerful technological tools, and their elevated need for security often requires technical security measures that, while necessary, can complicate remote work.
Below, we list a few common components to make sure you’ve accounted for, but keep in mind that this is not exhaustive. Your organization and department will have to think through your unique day-to-day processes and the tools you use as this process continues.
Make sure that you’ve considered any logistical difficulties that might arise from the more physical, hardware-related, location-dependent components of your technology stack.
- Physical Security Tokens. Many organizations use tokens or fobs for multi-factor authentication (MFA). If staff are to work from home, taking their tokens with them is likely to be a necessity. We’ll discuss security later in this article. For now, simply realize that accidentally leaving a token in the office could completely impair an employee’s ability to work until they’re able to retrieve it, so make sure they think to take it.
- Laptops and Desktops. Do your staff members have laptops already set up for business use? If not, are they taking home their desktops? If you didn’t have laptops and it caused problems, what can you do to make sure things go more smoothly if something like this happens again? For those with desktops, you may need to confirm whether they can station the desktop near their home router (connecting with an Ethernet cable). If they will require a Wi-Fi adapter, it will need to be installed and tested.
- Installed Treasury Systems. If your TMS is installed on premises, your plan for remote work will look quite different from many of your SaaS-based colleagues’ plans. While you won’t be able to log into your system from home directly, discuss with IT whether your workers can remote into their office desktops and use the installed solution indirectly. Consider any security repercussions of this decision and discuss whether additional measures are necessary to protect your assets and confidential information.
While software components are typically less tied to location, some issues may still arise. Consider the following examples of situations your organization might face.
- VPN and VPN Capacity. When accessing company information and systems remotely, many organizations use a Virtual Private Network (or VPN) to ensure the network is appropriately protected. If you don’t currently use a VPN, it might prove necessary during this “mass experiment” in remote work.
Even if you already have a VPN for your staff to use, however, double-check its capacity prior to your remote work switch. As noted in a recent AFP article, the Atlanta ice storm a few years ago caused a large company to temporarily move to remote work, but their VPN proved unable to handle the entire company staff logging on simultaneously. They ended up using multiple VPNs. Consider ahead of time whether your VPN is likely to fail with so many users, and make preparations and backup plans.
- VPN and SSO. Even if your TMS is SaaS-based, this doesn’t guarantee that you won’t run into problems trying to access and handle your information remotely. For companies that use Single Sign-On (SSO) as a security measure in the office, a VPN will be a necessity for remote logins, or you’ll need to add some home IP addresses to your IP filter.
- Home Networks. Switching to remote work means working from home and potentially from other networks. Understand that your employees’ home internet speed and setup will become a factor for your business activities. Some have speculated that residential internet is likely to be especially sluggish for a while since so many people’s day-to-day work and school internet activities are concentrated at home instead of spread across business and classroom networks. We haven’t seen this happen in a significant manner yet, even though well over 50% of treasury personnel have moved home this week.
The coronavirus is bad enough. We don’t want this to become a bigger payday for hackers on top of that. New scenarios always bring new risks, and the confusion of such a major change can give far too many opportunities to cyber criminals. This situation has everyone busy and mentally taxed as we try to keep up with rapid changes and complete overhauls to our day-to-day working environments, but this does not release treasury from their duty to vigilantly protect their organization’s assets and to assess and mitigate risks. As you lock in and execute your plans for remote work, make sure you’ve taken the following security measures and potential vulnerabilities into account.
Whether by having employees sign out any items they take or by another method, it’s vital that you keep track of items that leave the building: laptops, tokens, or anything else. As an example, were an employee terminated while working remotely, make sure you would know what items to recover from them. Additionally, remote wiping capabilities (and Mobile Device Management in general) are advisable for devices such as laptops and cell phones that store company information and could be lost.
Also decide, if you do not yet have policies in place, how you will instruct your employees to secure these items. Will they be required to keep them at home? If they take them with them to work elsewhere, what policies need to be in place regarding keeping business computers in sight, locking them, etc.?
VPN and SSO
If you use SSO, a VPN will be a necessity, but it will likely be prudent even if you don’t. Consider the scenarios you will need to discuss with your staff, however. For example, if the VPN is overloaded and crashes, how will urgent tasks be handled? People may be tempted to access and save information insecurely if the VPN is running too slowly or malfunctioning. Think through how you will combat this.
The use of an IP filter can add a powerful layer of security for your organization. If you are using SSO and VPN, the filter will already be in place and should not add much in the way of complications for your remote workers, but if you don’t, remember that you will need to open up the IP filter to include any network your staff will be working from. Realize that this might not just include their homes. It could mean opening the filter to include hospital networks or the home networks of friends and family with whom your workers are staying. Decide how you will handle this and communicate any restrictions on work locations to your staff as early as possible.
Tightening Your Security
Cyber criminals prey on confusion, uncertainty, and distraction, so put controls in place to mitigate the dangers. Many will be tempted to loosen security procedures and requirements to ease the logistical complications and make sure the work still gets done. Expect hacking and social engineering attempts to increase during this time, as criminals take advantage of the confusion.
- Out-of-Band Authentication. Always wise, out-of-band authentication will prove crucial in the coronavirus remote work era. Before initiating payments or making any changes to sensitive, payment-related information or master vendor lists, staff should double and triple-check that any requests they receive are valid using a different line of communication than the request. If a vendor emails asking you to change information, call them on the number you have on record (not the number they put in the email). The same process holds true for ‘internal’ funds transfer requests: don’t trust – authenticate using a different channel than the request.
- Challenge Requests. Business Email Compromise (BEC) and similar fraud attempts could prove especially believable at times like this. Staff should be encouraged to challenge any payment requests they receive, no matter who seems to have made them. Since BEC emails often include threats of termination if the payment is not kept confidential, assure them that they will not be retaliated against for challenging payment requests, regardless of who sent them, in order to protect the company’s assets.
- Consider Your Framework. Finally, consider your own security framework, communicate with your staff, IT, and other departments, and try to anticipate where vulnerabilities will pop up as you transition to remote. How can you batten down the hatches to make quite sure that, even if operations run a bit slowly over the next few days and weeks, your group does not fall prey to fraud?
Bring your risk mindset and your eagerness to learn with you to the remote work planning meetings, keeping in mind that a remote work situation will bring new risks with it and will turn up the need for cross-departmental coordination. There will be much for treasury to learn from this mass experiment in remote work, not to mention from the COVID-19 crisis as a whole. Treasurers must pay attention, take notes, and stay alert to the fact that they will need to communicate even more closely with other departments to work the risks out of these crises.
Finally, if certain logistics seem impossible, remember that you can still accomplish social distancing by having very few people in the office. Determine who the vital players are who need to be in the office and who the best candidates for remote work are.
What are you learning? Drop us a note.
N.B. If you’re interested in helping the industry or gaining insights into the weekly developments of your peers’ views, click here to access the Treasury Coalition website. The Treasury Coalition was formed in response to the rapid changes and effects of the COVID-19 pandemic and seeks to monitor the industry’s response on a weekly basis through the Global Crisis Monitor survey. From the website, you can participate in the survey, register for results, or both.