With organizations adopting digital and remote working, triggered by the Pandemic, Cybersecurity has become one of the existential threats of our time. Remote working has enabled extensive use of new types of connected devices and compute platforms, from Cloud to IoT, which have exploded the cyber-attack surface. And more tools collecting more data doesn’t equate to actionable insight for the Technology Leaders, CIOs, CISOs, and the Leadership. The old way of simply scanning on-premises IT devices for vulnerabilities is no longer enough. It’s time for a new approach.
INFOCOM, India’s top business, technology and leadership conference from the house of ABP Media Group, joined hands with Tenable, one of the innovative leaders in Cyber Risk solutions with a specialty in Risk-based Vulnerability Management, and CyberArk, a leader in Identity Security and Access Management solutions, to host a special CIO CONNECT interactive discussion on the Next Frontiers of Cyber Risk. Technology Leaders from Bangladesh comprising CIOs and CISOs came together for a Virtual Roundtable Discussion on the Theme: “Cyber Risk - Lessons Learnt from Remote Working”. The objective of the interactive session was to delve deeper into Cyber Risk enhanced by remote working and to give us visibility and insight on the way forward.
The Question
The Pandemic triggered digital and remote working making Cyber Security one of the top priorities for organizations. In this context, tell us briefly how your organization managed the transition to remote working during the pandemic? How did you manage employees logging into the corporate network or accessing critical resources and remain protected from cyber-attacks?
Tell us about some of the unique security best practices that you have implemented to protect your organization against cyber-attacks.
Perspectives from CIOs/CISOs/Technology Leaders from Bangladesh:
Md. Nazmul Haque Talukder, Senior Vice President and Head - IT, IFIC Bank Ltd
One of the most significant consequences of COVID-19 could be remote work. Pre-pandemic, roughly five percent of full-time employees with office jobs worked primarily from home. That figure is likely to settle at 20-30 percent in the new normal, with variation across occupations and industries. Many business houses in Bangladesh have converted to a remote or hybrid system, and this hybrid system is still in use today. In the banking industry, it is not possible to shift all employees to remote work, and it is also not possible to cease or pause our services for any reason. As a result, in order to provide suitable services to our clients, our bank implemented a hybrid system at the time of crisis.
- To provide 24-hour banking assistance via digital banking and ATMs, our bank implemented remote work for selected workers on certain days, as well as 24-hour physical support in our Head Office for urgent support cases.
- For remote work, we gave our critical workers office laptops with endpoint security licenses so that they could work from home. After providing adequate explanation for their usage and receiving approval from higher management, some users were given VPN connections. The VPN users' traffic was also monitored by the Security Solutions.
- When logging in to the PC or connecting to the VPN, users were required to follow the password policy and be cautious before clicking on any link or opening any email. To make employees aware about these things, frequent cyber awareness training is conducted in our office on a regular basis.
We believe that awareness among employees about cyber security is very important to protect our environment from any sort of hazard. Aside from that, we need to be more vigilant about new releases and their fixes, security and other device patch updates, secure data communication policy updates, and access policy, as well as their real-time implications on various systems.
As organizations prepare for what life looks like in a post-pandemic world, one of the many issues they will have to address is the cyber security risks of remote working. Here are some aspects related to remote work through which an organization’s remote workers may be endangering the company:
- Accessing Sensitive Data Through Unsafe Wi-Fi Networks
- Using Personal Devices for Work
- Ignoring Basic Physical Security Practices in Public Places
- Using Weak Passwords
- Email Scams
- Security Controls are weaker
- Cyberattacks on Remote-working Infrastructure etc.
The essential security clauses that should be included in remote work policy are as follows:
- VPN
- Firewall
- Strong EDR
- Implement SIEM in environment
- Clearly define which positions are eligible for remote work
- List the tools and platforms they should be using
- Provide employees with steps to follow at the first signs of accounts being compromised
- Multi-factor authentication
- Cybersecurity awareness guidance or training
In our bank, we rigorously adhere to the above rules when it comes to remote work. All remote workers should be connected through VPN only. For remote work, only office-provided laptops are utilized, which are already protected by an endpoint security solution. In our bank, cybersecurity awareness training is a continuous activity, and every employee is aware of the issues. Furthermore, we have met ISO regulations and are planning to adopt new systems that will better protect our entire environment than ever before.
Shyamol B Das, Deputy Managing Director & CIO, Meghna Bank Ltd.
As we have all seen in the pandemic, there has been an increase of over 600 per cent in phishing attacks on organisations. Phishing and BYOD are two key elements that are directly related to active directory penetration. During the pandemic, you will find that most of the attacks have been devised through email carrying the subject line ‘COVID-19’ that immediately draws our attention. Of course, there were other areas as well, like brand impersonation and email compromise. We have allowed employees to use their own device and to access through Teams, but we forgot at that time that employees might also access Teams from their mobile phones. That is a very vulnerable area.
However, as I said, the hybrid mode is here to stay, but starting anything new means increasing risks for the organisation. In our organisation, we have beefed up security measures and increased monitoring and set up a SOC (Security Operations Centre) for constant surveillance.
Noor Mohammad Shafi Kamal, Head of Digital Banking and Innovation Department, Mercantile Bank Ltd.
The COVID-19 pandemic has necessitated a paradigm shift in both our personal and professional lives. People as well as organizations have adapted to this rapid shift by moving their work to the virtual space. Even banks and financial institutions have significantly expanded the use of virtual tools to meet their tasks and deliver their services to the customers. While these technologies have made our lives considerably simpler, they are accompanied by multifarious cybersecurity threats and issues that could hamper the safety of the person or organizations using them. Prior to the COVID-19 pandemic, allowing employees to work from home or from remote places in Banks was limited to only a few officials, and with limited resources they were able to gain access. The COVID-19 scenario pushed Banks towards the increased access of resources for the official work remotely. Banks in Bangladesh have started thinking to explore these areas with gradual increase of access by the resources from any place as well as providing more and more services through digital means.
Md. Anisur Rahman, Senior Executive Vice President & CIO, NCC Bank Ltd.
Cyber Security is always a top priority for the bank. During the pandemic, we were required to open our corporate network to provide uninterrupted customer support by enabling remote working. The Bank has ensured NAC with user authentication, a separate firewall for VPN with MFA, endpoint security and need-to-know-basis access to the systems with proper monitoring to ensure the security of remote working. Employee access to critical systems is role based and is controlled and monitored by a dedicated information security team. The Bank also has separate security solutions for the endpoints and servers. Moreover, the Bank only allows specific services from the server, network devices and firewall to safeguard the services with different OEM solutions to reduce the attack surface.
NCC Bank has increased the cyber security posture to prevent the cyber-attacks during the pandemic. In the process, the Bank has implemented an extra security layer for ADC systems by segregation and segmentation in the network and access level with dedicated security solutions to minimize the attack surface area. The Bank has also implemented security solutions to manage and monitor the privileged access with MFA and UEBA, and unusual activity monitoring in the system and network level. The Bank has a dedicated cyber security team to perform security assessment of the systems and applications to identify the security gaps and mitigate the gaps. Moreover, the Bank is in the process of implementing zero trust security by implementing never trust, always verify; least privilege and default deny; full visibility and inspection; and centralized security management to fight against the cyber-attacks.
Md. Mahbubul Alam (Rafel), Head of Information Security, Prime Bank Ltd.
As the pandemic swept in, we made a quick transition to a remote workforce and gave intense focus on serving customers digitally. PBL Infosec teams, for their part, were largely successful in taking on a dual approach of supporting business continuity and protecting the enterprise and its customers.
We have adopted dual cybersecurity mind-set during the crisis period. At first, we had identified the attack surface like an attacker does and followed MITRE framework to understand various phases of attack tactics, techniques, lifecycle, and the platforms they are known to target. Then we have designed to employ the concept of least privilege as part of layered defense strategy. We have enabled zero trust (ZT) philosophy for identity & device with strong authentication and have managed the privileged access with fine-grained access control and defined who can access certain data.
Along with the ZT approach, we have worked on our threat detection, protection & response capability, and improved SOC operation maturity. Kudos to my team for working really hard to ensure deep visibility across the network and eliminating the blind spots. Through our cognitive SOC we have minimized the mean time for threat detection & the response window and are continuously working to progress, as the cyber security job is continuous in nature.
GM Faruk Ahmed, Senior Principal Officer, Cyber Security Cell, Rupali Bank Ltd.
Most of the employees telecommuting during the COVID-19 outbreak were using their personal devices more frequently to access corporate network. Unified endpoint management and enterprise mobility management tools have been key for the IT teams to extend corporate productivity tools to mobile devices. If the pandemic continues long term, organizations that don't currently have extensive device programs might be interested in purchasing bulk mobile devices or laptops to enable remote employees. However, companies like Apple have warned that they would limit purchasing amounts of some products because of disruptions in the supply chain.
Meanwhile, a lot of corporate managers are uncomfortable with telecommuting during the COVID-19 pandemic because of data security concerns. Systems within the four walls of a business protect endpoints with security software they trust to make sure that the devices users rely on are secure.
Financial organizations’ IT teams supporting remote workers would be wise to require that employees only access business-critical data using a VPN and require mobile security practices such as multifactor authentication to access corporate data. It's also a good time for IT to remind users of their own role in company security. End-user gaps in security awareness are one of the business's biggest risk factors, so IT teams should roll out internal phishing tests and additional password change reminders.
Khandaker Khaled Hassan, Executive Vice President & Head - IT, Southeast Bank Ltd.
During the pandemic, we had to allow only Head Office staff to work remotely. We were working on a roster basis, and 50% of staff was present at the office and 50% were in the remote office. So it was not required to give all the staff access to the corporate network at a time. All the Branch staff performed their duties physically to provide customer service. We allowed staff to access the office network through VPN, and for those who were working from home we allowed the two-factor authentication (Domain login ID and Software Token). The general users were able to access office applications from their home PCs/Laptops after fully complying with the requirements of the security procedures and device profiling in the system. The priority users had their office-provided devices and they were permitted to log on to the mission-critical systems through PAM.
Some of the unique security best practices that we implemented to counter cyber-attacks during the pandemic are as follows:
- We ensured that anti-malware solutions are installed, and OS security patches and signature databases are regularly updated on all the endpoint devices.
- Security monitoring through SIEM was strengthened and 24/7 performance was ensured.
- Updates of different operating systems of the servers were performed on an as-and-when-required basis.
- Internal VA scans were performed periodically on different systems using the Vulnerability Assessment (VA) tool, and identified security holes/gaps were mitigated immediately.
- We conducted several IT and cyber security awareness sessions virtually for different levels of officials of the bank.