Member Article

1.

If a firm allows staff to remotely access the firm’s internal network and system through a Virtual Private Network (VPN):

• Only use a robust VPN. Make sure that the VPN provides strong encryption and multiple layers of protection as well as use multiple VPN servers, to help protect sensitive data during transmission.

• Use of strong passwords and two-factor authentication. Using a combination of two (or more) authentication factors (i.e. what a user knows, what a client has, and who a client is) is known to be one of the most effective controls. Criminals might manage to steal one type of proof of identity but it is difficult for them to steal the correct combination where more than one is required.

• Limit access by external parties. Firms should avoid granting standing or permanent access to external parties and only allow system vendors to access specific systems during pre-determined timeframes.

• Update VPN software regularly. Security patches and hotfixes are often added by the VPN developer to address vulnerabilities in their system so it is important to update the VPN software regularly.

• Implement network segmentation. Network segmentation helps limit access to the network by outside security threats. If an attacker successfully breaches a network that is segmented, it will take them more time to break out of that portion of the network to get the information they really want (e.g. client personal data).

2.

Where firms allow staff to use videoconferencing platforms:

• Do not share meeting links on social media. Invite participants via legitimate channels such as office emails and do not share links to videoconferences via social media posts, as this makes it easier for unauthorised persons to gain access to the videoconference meeting.

• Control access to videoconferences. Restrict access to videoconferences by checking the email address of each attendee and authenticate their identity, making use of “waiting room” features, etc.

• Lock the conference meeting. Once all attendees have joined a meeting, lock the meeting to prevent others from entering the virtual meeting room.

• Choose platform carefully and keep software up to date. Firms should assess the security features of a videoconferencing platform before using it and should make sure staff are always using the latest version of the software (with security patches).

• Do not use personal meeting IDs. Use random meeting IDs instead.

3.

In addition:

• Provide cybersecurity training regularly. Provide cybersecurity training to users to ensure that they are kept abreast of emerging cybersecurity threats and trends (e.g. phishing and ransomware) and to educate them on precautionary security measures (e.g. use of secure Wi-Fi networks ).

• Detect unauthorised access. Implement monitoring and surveillance mechanisms to detect unauthorised access to internal networks and systems.

• Incident management and reporting mechanism. Develop and maintain an effective incident management and reporting mechanism.