All industries are dealing with the thorny issue of who comes back to work during the pandemic and who doesn’t, and the return-to-work plans will diverge depending on each enterprise’s needs and culture.
But banks, financial institutions, and many other players in the financial services industry are paying close attention to the security perils of an increasingly remote or hybrid workforce.
In a discussion with two Yubico experts who live and breathe finserv daily, we find out there are a number of top priorities that banks are juggling all at once: reassuring customers that their finances are secure, dealing with employees who may be new to remote work security protocols, and designing secure authentication flows that may not allow mobile phones to be involved. Jim Sandford, Enterprise Account Director, and Rob Hemeryck, Regional VP of Financial Services, give us the scoop.
Q: How have you seen finserv weather the massive pandemic shift to remote work? And how are the banks doing now that many, like tellers, are coming back to the physical branches?
Jim: What I hear from many CISOs is that, despite the initial shock of thousands of staff shifting to remote work, they found most employees were equally, if not more, productive at home. So the move back to the office is being done slowly and with more thought. They are still evaluating who really needs to return.
From a financial services security standpoint, of course, having everyone in one building is better because you can control the risks and put in physical and network protocols. But there’s no doubt that a large number of workers will be outside the building moving forward, so multi-factor authentication (MFA) is becoming a top priority if it wasn’t already.
The second trend is about customer retention. Banks are trying to find new ways to provide value to customers concerned about security, like millennials who are used to doing everything on their phones. All customer bases highly value convenience, so security measures have to be as seamless as possible.
I work with organizations across the financial services sector, including many large traditional financial institutions. Many of these companies are looking to provide continuous benefits to their customers and are doing so with YubiKeys, not just for their employees, but also to provide to their end users. This means they’re not only getting protection against phishing attacks for their own organizations but giving their customers the same level of security to protect their own accounts. This results in a more positive perception in the marketplace as they keep pace with the innovation of the smaller, more agile financial institutions.
Q: What are the unique financial services security challenges versus other industries?
Rob: There are many high-security areas of a financial institution where mobile phones might not be allowed because they’re considered data exfiltration devices. So an authentication process implemented for remote employees — say, authentication using a phone — would not be the best solution for on-site employees or customers going through a high-security process like a loan application or another sensitive workflow.
When customers are involved, you have to be careful to avoid implementing processes that impose a lot of inconvenience, creating potential backlash.
Q: What’s the best way for the enterprise to communicate their renewed focus on financial services security with customers or stakeholders?
Jim: Banks want to directly address the issues their customers are worried about in the news. Now that we’ve heard so much about high-profile breaches — from large retailers to a host of banks — there’s a danger of data breach fatigue. Meaning that you get used to the idea of a series of breaches and decide to do nothing about it until the next one happens to you. Utilizing modern authentication can position the company and brand identity with greater security.
Q: How far down the road to passwordless do you think finserv has traveled so far?
Rob: We’re seeing a lot more internal deployments rather than external, consumer-facing systems for now. For consumers you have such a broad range of technical skills, and it requires more effort on education. Those deployments will come in time, because there’s a lot of momentum for large entities to get to passwordless for their users.
The industry recognizes that there are still vulnerabilities in weaker MFA systems, so many CISOs are looking for the “next step” up.
Read Yubico’s white paper, “Strong authentication for hybrid and remote work in financial services,” to learn more about security challenges related to long-term hybrid and remote work, and contact us to discuss how Yubico can work to secure your institution and customers.