Can a Hybrid Work Model’s Cyber Risk Be Tamed?

Many U.S. banks are beginning to repatriate their employees to the office after some 16 months of working at home during the Covid-19 pandemic.

Some, like JPMorgan Chase & Co., have demanded that their staff return to the office full time even though many of them may prefer the flexibility that working from home affords. A recent McKinsey & Co. survey found that 52% of respondents wanted a flexible work model post-pandemic, but that doesn’t impress JPMorgan’s Jamie Dimon. “Oh, yes, people don’t like commuting, but so what?” the CEO of the country’s largest bank said at The Wall Street Journal’s CEO Council in May, according to a recent article in the paper. “It’s got to work for the clients. It’s not about whether it works for me, and I have to compete.”

Other banks, like $19.6 billion Atlantic Union Bankshares Corp. in Richmond, Virginia, are adopting a hybrid work model where employees will rotate between their homes and the office. “We have taken a pretty progressive view there is no going back to normal,” says CEO John Asbury. “Whatever this new normal is will absolutely include a hybrid work environment.” Asbury says the bank has surveyed its employees and “they have spoken clearly that they expect and desire some degree of flexibility. They do not want to go back into the office five days a week [and] if we are heavy-handed, we risk losing good people.”

However, a hybrid work model does create unique cybersecurity issues that banks have to address. From a cyber risk perspective, the safest arrangement is to have everyone working in the office on a company-issued desktop or laptop computers in a closed network. In a hybrid work environment, employees are using laptops that they carry back and forth between the office and home. And at home, they may be using Wi-Fi connections that are less secure than what they have at the office.

“If you think of a typical brick and mortar [environment], the network and computer systems are walled off,” says David McKnight, a principal at the consulting firm Crowe LLP. “No one can gain access to it unless they’re physically there.” In a hybrid work environment, McKnight says, “There are additional footholds on to my network that I don’t necessarily have full visibility into, whether that’s my employee’s home office, or the hotel they’re at or their lake house. That introduces different dynamics, connectivity-wise.”

Still, there are ways of making hybrid arrangements more secure. Full disk encryption protects the content of a laptop’s hard drive if it is stolen. Virtual private networks – or VPNs – can provide a secure environment when an employee is working from a remote location. Multi-factor identification, where employees must provide two or more pieces of authentication when signing on to a system, makes it harder for hackers to break-in to the network. And new cloud-based platforms can enhance security if configured properly.

Many smaller banks struggled to adapt when the pandemic essentially shut the U.S. economy down in the spring of last year, and many banks sent their employees to work from home. Some banks didn’t even have enough laptops to equip all of their workers and had to scramble to procure them, or ask employees to use their own if they had them.

Atlantic Union was fortunate from two perspectives. First, it had already completed a transition throughout the company from desktop computers to laptops, so most of its employees already had them when the pandemic struck. And the bank considers the laptop to be a “higher risk perimeter device,” according to Ron Buchanan, the bank’s chief information security officer. “What that means is you’re putting it in a high-risk environment, and you just expect that it’s going to be on a compromised network [and] it’s going to be attacked.”

The bank has a VPN that only company-issued laptops can access, and this gives it the same level of control and visibility regardless of where an employee was working.

Other security measures include full disk encryption, multi-factor authentication and administrator-level access, which prevents employees from installing unauthorized software and also makes it more difficult for hackers to break into a laptop.

Although cyber risk can never be completely eliminated, it is possible to create a secure environment as banks like Atlantic Union did. But they have to make the investment in upgrading their technology and cybersecurity skill sets. “The tools are there, and the abilities are there,” says Buchanan.

A Former Astronaut Offers Work-From-Home Advice to Bankers

Michael Massimino is uniquely qualified to offer tips and encouragement to people working remotely because of the coronavirus pandemic.

He was an astronaut.

He’s been to space twice and holds a team record for the number of hours spacewalking in a single space shuttle mission. He was also the first person to tweet from space.

Massimino sees many parallels between the challenges he faced as an astronaut and the situation confronting office workers today.

Now a mechanical engineering professor at Columbia University, he has written books and articles and given talks about the qualities that underpinned his work: building trust, perseverance and working with teammates and customers.

The following interview has been edited for length, clarity and flow.

Isolation and Working from Home
My space flights were not long — two weeks at a time — but I was trained to go to space for longer periods of time. One thing we were concerned with was using free time well: There was a lot of photography, communicating with family and friends, and outreach about what it is that you’re doing in space.

It’s important to do your best to embrace the situation, even if it’s tough to accept. Try to make yourself understand, “This is the way it is. No matter how much I complain about it, it ain’t going away.” We have to learn how to embrace situations and see what opportunities are there for us.

Having a regular schedule helps. Getting exercise is really important. When we were training, we would exercise every day that our schedule allowed it and got outside to enjoy the beauty of the planet. In space, we could look out the window or during our space walks and enjoy the beauty that surrounds you. You can do that here on Earth too; don’t forget, we live on a beautiful planet. And it seems to be better to go outside than to stay in, as the virus goes.

The last thing about isolation is: Eventually we’re going to break out of this, so you want to try to make the most of it. We are away from the hustle and bustle of our daily lives right now; that’s the way it is in space as well. You can do some really thoughtful quiet thinking about what life is about while you’re in those situations.

Effective Team Communication
I speak to a lot of bankers. They’re used to collaborating and dealing with clients, and they approach that relationship in a way that they can’t do anymore.

When you train for spaceflight, you work with your instructors, flight controllers and flight director. You also work with your fellow crewmates, but they’re generally with you — unless you’re outside and they’re inside the spaceship.

We practiced communicating and working with people at a distance. The crew would be in a simulator, the instructors would be in one spot and the flight control team would be in the Mission Control center. We would practice communicating and relying on each other and hearing each other’s voices.

I did the “Capcom” communication job a lot as an astronaut. I always made sure that the crew in space knew that I was there for them, that I would keep them informed and let them know that we didn’t forget about them.

If I had trouble during my spacewalks, I felt really alone. “I can’t get to the hardware store to fix this. Who’s going to help me?” I had one particular problem on my last spacewalk that was a real issue — I stripped a screw or bolt trying to repair the telescope — and the crew came up with a solution.

Today, we can still do Zoom calls and even see each other. There’s a level of comfort and normalcy to the whole thing, and teams are still in place. All of the support team is still there, your clients are still there — and you’re supporting them. You can support someone else on your team but also reach out for support when needed.

Coming Back from Tragedy
I was on the flight right before the Columbia accident. We landed successfully; they took the ship the next time and didn’t come back.

That was pretty devastating. It was similar to the situation we have now: Life changes in an instant. We lost our friends and we had to console their families and deal with the loss of people. But it was also like: “What the heck has happened to the space program?” We had no intention of stopping the space shuttle program, but it was grounded to a halt, even though we had a lot of important work still to do.

We used the idea that we weren’t going to let our friends’ deaths happen in vain. We were going to continue the program and figure out ways to move forward with the space shuttle program. We didn’t fly all that much the first couple of years, when we were dealing with how to recover from everything, but we started flying again and were able to finish the space station build up and also service the space telescope once more. We continued the program until 2011.

But we had do everything with a different set of rules. The accident taught us a lot of things that we needed to change: We needed to inspect the vehicle, we need to be able to repair it if it had damage, we needed to have a rescue capability — all these things had to be developed over a period of years before we were ready to continue that program.

Accepting, Adjusting to Change
When something changes that drastic overnight, you react as quickly as you can, but you might not be able to get back into the flow of things. It was a different world that we lived with, and we did that for a finite time. That was one solution to the question of, “How do we get back to finishing what we started?”

The other thing was, what do we do beyond that? The longer-term issue was that we could not fly the shuttles forever. We were going to do it in a different process, in a different phase of the program, but we knew that it would end after a few more flights. We got another 20 flights or so, maybe a little less, and that was it.

The bigger solution was to come up with a new way to get to space. That was pretty drastic as well, dealing with that change. We didn’t want to be dependent on the Russian Soyuz forever, and a whole new idea developed: doing it commercial through private companies. Everyone was like, “You’ve got to be kidding me. NASA needs to do this. Only governments can do this. This will never work.”

A lot of people resisted the thought that we’d go back to space with private companies. But you had to get on board because change was coming. You might not like it, but you need to accept it. People were [upset] and many stepped aside because they weren’t onboard. But some remained to work on it and now look where we are: A much better situation than where we were. But that takes time.

There’s a lot of analogies here that applies to what we’re dealing with, particularly in the financial markets. The Paycheck Protection Program was really important, and banks played a huge role in helping their customers apply for that. But now banks are going through a lot of restructuring and a lot of uncertainty. It’s volatile — things go up and down — but you’ve got to persevere.

Even if you don’t love it, you need to accept it. Maybe after a while, you’ll think, “This was a good idea.” But it’s not easy. People don’t like change, especially when you we’re doing something you really liked and were successful at, and now you’re not doing that anymore. We were all forced into this pandemic. There’s certainly some bad — but most of the bad comes early. Most of the good comes later.