NAFCU Journal March April 2021

26 THE NAFCU JOURNAL March–April 2021 For most credit unions, the challenge to move employees out of the branches quickly resulted in a hodge-podge of personal and corporate machines, a scramble to find virtual private network licenses and ongoing updates to security requirements. “Unfortunately, many credit unions were not set up on a VPN and did not have security protocols that were developed for remote work,” says Ben Kirkland, director of cybersecurity operations for DefenseStorm. An added challenge was the lack of machines that could be taken home by employees. “One client went to a local electronics retailer and pur- chased several laptops and other clients purchased commercial laptops, but there were shortages of machines.” Even when laptops were available, con- nectivity testing, purchase of VPNs or firewalls with a VPN appliance, addition of antivirus and security software and development of security protocols had to occur quickly. “Credit union employ- ees were used to just sitting down and turning on their computer, but laptops also require sign-in verification and full- disk encryption,” says Kirkland. “Although it was chaotic at first, I was amazed at how quickly everyone was able to get employees working remotely.” Ensuring the security of member and credit union data in a remote workforce included a combination of changes to technology and process or policy. Vpns, Encryption, and Added Security Features “We had about 200 people who had not worked remotely that had to begin using remote desktop protocol or VPN from their homes to access their office desktops,” says Dale Fiedler, assistant vice president and information security officer for Grow Financial. “We ran out of VPN licenses early on and over three weeks had to purchase 300 more to cover all of our remote workers.” Since then, Fiedler has changed vendors to one that offers unlimited licenses, which better supports scaling a remote workforce up and down. Purchase of multiple laptops or even sending existing devices to an employee’s home requires additional security, includ- ing encryption, says Fiedler. “We did not allow a device to leave the office before it was secured.” Another critical component of a remote workforce is a good patch management system to fix security vulnerabilities on a regular schedule. “We had some employ- ees who worked a few days a week from home before the pandemic, but they were able to bring their laptops to the IT staff for updates,” says Fiedler. “During the pandemic, we had to patch remotely and had to create a schedule to make sure the updates occurred on a regular basis.” Other security features for Connex included shortened timeouts for inac- tive sessions, lengthened passwords, improved vulnerability scanning tools and an anti-virus program that checked for malicious behavior remotely, says Klemenz. An add-in to Outlook that generated messages alerting employees that the message was going outside the organization and asking if they were sure they wanted to send or if they wanted to encrypt the message provided some extra assurance that sensitive informa- tion would not accidently be disclosed. “We also dedicated one staff specialist to monitor inbound and outbound email traffic for spoofing or phishing activity,” says Klemenz. “We saw a significant increase in attempts to access our system but proactive attempts to block them along with two-factor authentica- tion and the use of a VPN to access our network prevented problems.” Credit union employees were used to just sitting down and turning on their computer, but laptops also require sign-in verification and full-disk encryption. Although it was chaotic at first, I was amazed at how quickly everyone was able to get employees working remotely. BEN KIRKLAND, DIRECTOR OF CYBERSECURITY OPERATIONS FOR DEFENSESTORM We told employees how to evaluate where they set up their home workspace. With children and spouses at home, we told people to make sure the space was secure. DENNIS KLEMENZ, CHIEF INFORMATION OFFICER AND VICE PRESIDENT AT THE CONNECTICUT CREDIT UNION