Can a Hybrid Work Model’s Cyber Risk Be Tamed?

Many U.S. banks are beginning to repatriate their employees to the office after some 16 months of working at home during the Covid-19 pandemic.

Some, like JPMorgan Chase & Co., have demanded that their staff return to the office full time even though many of them may prefer the flexibility that working from home affords. A recent McKinsey & Co. survey found that 52% of respondents wanted a flexible work model post-pandemic, but that doesn’t impress JPMorgan’s Jamie Dimon. “Oh, yes, people don’t like commuting, but so what?” the CEO of the country’s largest bank said at The Wall Street Journal’s CEO Council in May, according to a recent article in the paper. “It’s got to work for the clients. It’s not about whether it works for me, and I have to compete.”

Other banks, like $19.6 billion Atlantic Union Bankshares Corp. in Richmond, Virginia, are adopting a hybrid work model where employees will rotate between their homes and the office. “We have taken a pretty progressive view there is no going back to normal,” says CEO John Asbury. “Whatever this new normal is will absolutely include a hybrid work environment.” Asbury says the bank has surveyed its employees and “they have spoken clearly that they expect and desire some degree of flexibility. They do not want to go back into the office five days a week [and] if we are heavy-handed, we risk losing good people.”

However, a hybrid work model does create unique cybersecurity issues that banks have to address. From a cyber risk perspective, the safest arrangement is to have everyone working in the office on company-issued desktop or laptop computers in a closed network. In a hybrid work environment, employees are using laptops that they carry back and forth between the office and home. And at home, they may be using Wi-Fi connections that are less secure than what they have at the office.

“If you think of a typical brick and mortar [environment], the network and computer systems are walled off,” says David McKnight, a principal at the consulting firm Crowe LLP. “No one can gain access to it unless they’re physically there.” In a hybrid work environment, McKnight says, “There are additional footholds on to my network that I don’t necessarily have full visibility into, whether that’s my employee’s home office, or the hotel they’re at or their lake house. That introduces different dynamics, connectivity-wise.”

Still, there are ways of making hybrid arrangements more secure. Full disk encryption protects the content of a laptop’s hard drive if it is stolen. Virtual private networks – or VPNs – can provide a secure environment when an employee is working from a remote location. Multi-factor authentication, where employees must provide two or more authentication factors when signing on to a system, makes it harder for hackers to break into the network. And new cloud-based platforms can enhance security if configured properly.

Many smaller banks struggled to adapt when the pandemic essentially shut the U.S. economy down in the spring of last year, and many banks sent their employees to work from home. Some banks didn’t even have enough laptops to equip all of their workers and had to scramble to procure them, or ask employees to use their own if they had them.

Atlantic Union was fortunate from two perspectives. First, it had already completed a transition throughout the company from desktop computers to laptops, so most of its employees already had them when the pandemic struck. Second, the bank considers the laptop to be a “higher risk perimeter device,” according to Ron Buchanan, the bank’s chief information security officer. “What that means is you’re putting it in a high-risk environment, and you just expect that it’s going to be on a compromised network [and] it’s going to be attacked.”

The bank has a VPN that only company-issued laptops can access, and this gives it the same level of control and visibility regardless of where an employee is working.

Other security measures include full disk encryption, multi-factor authentication and restrictions on administrator-level access, which prevent employees from installing unauthorized software and also make it more difficult for hackers to break into a laptop.

Although cyber risk can never be completely eliminated, it is possible to create a secure environment as banks like Atlantic Union did. But they have to make the investment in upgrading their technology and cybersecurity skill sets. “The tools are there, and the abilities are there,” says Buchanan.