During the pandemic the traditionally office-based finance sector has quickly adapted to remote working – and now many employees may not be returning to the office for some time, if at all.
Lloyds Banking Group told most of its UK employees not to return to the office until at least spring, while Deloitte announced that it would not renew property leases at four of its 50 offices, so 500 staff would have the opportunity to work remotely full-time. PricewaterhouseCoopers is reportedly preparing for '50 to 60 per cent' of its staff to work flexibly on a permanent basis, and many others in the sector are planning to adopt a hybrid working model.
Managing this and embedding remote working securely in the longer term requires a new approach to network access – one tailored to individual roles and responsibilities rather than department or level of seniority.
To support office based working, enterprise networks were usually designed from outside in, using a ‘castle and moat’ or a ‘hub and spoke’ approach to keep threats out. However, in a world of remote working, security has to be built into infrastructure and applications. This means restricting unrequired and unwanted movement of traffic both between systems and to and from users.
In effect users, rather than firewalls, become the security edge, and identity management replaces perimeter management, creating a ‘zero trust’ network.
A zero trust network is based on the principle that organisations need to know who is accessing what data, when, where and why, so they can wrap security around how their users actually work. For example, if someone is logging into the network at 10pm, is this normal behaviour for that individual? What applications and data are they accessing, and should this set alarm bells ringing?
What makes this ideal for the finance sector is that it can be wrapped around individual users. Some teams work across time zones, while others may need to work long hours to complete a deal within a deadline. Access rights and privileges can be tailored to specific roles, quickly tailored to new projects, and instantly rescinded if needed. But the basic position should be to implement least privilege and default deny policies for each user and system, with clear processes to approve and change them where needed.
Putting this into place does not require a huge investment in software. There are analysis tools available within many existing applications, including the Office 365 suite, and many are self-learning. However, organisations need the resources and expertise to map their environment and the behaviour of their users so they can fine tune these tools to create a picture of normal working.