WFH cybersecurity trends: Q&A with Don Duclos, Girish Khilnani, and Justin Ryan

Don Duclos, Linedata CISO: Overall, work-from-home has increased the complexity of cybersecurity management for IT teams. For example, organizations still need to update their WFH employees’ security patches and malware signatures. But when people are working outside of the office, a different set of tools is required. So instead of relying on a traditional on-premises patching solution, it becomes necessary to use something like Microsoft Intune to patch remote resources. IT teams now have to master multiple toolsets.

Girish Khilnani, Co-Head, Linedata Technology Services: AI has had two clear negative impacts in this regard: Deep fakes and AI-generated phishing emails.

Deep fakes are readily available. For a minimal cost, bad actors can use AI voice cloning tools to sound exactly like the person they’re trying to impersonate—for example, the CEO of a company or a senior member of the finance department. This has the potential to make social engineering attacks more effective.

And with generative AI tools, one can easily produce convincing phishing emails. Back in the day, you’d get a phishing email, and it would be very easy to spot because it would be full of grammatical errors, spelling mistakes, or other tells that made it quite obvious that the email wasn’t sent by your boss or your colleague on the finance team! But with tools like ChatGPT, it’s possible to write very sophisticated phishing emails that will be good enough to fool many people.

Justin Ryan, Relationship Manager: Adding to Girish’s point, there are also practical considerations here. For example, deep fake threats aren’t specific to work-from-home employees per se. But they become much harder to spot if you’re not in the office. WFH employees are isolated. They don't have easy access to the people being impersonated by a deep fake like they would if they were in the same building—and they can’t easily ask a colleague for a second opinion if they’re unsure whether something is wrong.

Don Duclos: There’s also a potential internal risk from tools like Bard or ChatGPT: data leakage. I worry about employees entering confidential data into AI tools to get a better work product out. An employee might want to write an excellent letter to an investor—and use the investor’s personal information in their prompt to ChatGPT. Or an analyst might want to create a better report for their manager and start entering confidential deal data into their AI tool.

But the question is: What happens to that data? Once data goes into an AI tool, it’s there for public consumption, whether it was meant to be or not. But how will ChatGPT, or Bard, or whoever, use that data? Will it use your data to provide a response to someone else? We just don’t know.

Girish Khilnani: In many organizations, there’s a lack of understanding about how WFH impacts security. There is no clear grasp of the risks and liabilities involved. Many teams simply don’t comprehend what would happen if, for instance, a data breach resulted in a leak of confidential information. People are running legacy systems at home that are past end-of-life—and therefore won’t receive security patches—and they don’t even realize they’re vulnerable.

Perhaps because of this lack of understanding, there’s also a real lack of participation in the work of ensuring WFH security in many organizations. We’ve seen disconnects where a cybersecurity or IT team has an important security tool they want to implement, but other teams don’t really understand what they’re doing or why. And so, there’s no communication. There are no clear expectations around how to use the tool, or why it’s necessary for the organization.

You can also see this lack of participation in the realm of incident response planning. Sometimes organizations will have excellent documents and policies in place for disaster recovery (DR), or a really strong business continuity plan (BCP). But only a few people in the organization will know about these resources. Outside of a few people in IT or the finance team, employees and leaders don’t even know where to find the relevant documents. In other words, they don’t know how to participate. If there’s an incident, they don’t know what they’re supposed to do during a DR, or what their role in the BCP is.

Justin Ryan: In many organizations, there’s a problem with complacency. In today’s threat landscape, especially in our hybrid or WFH environments, it’s essential to be proactive. Sadly, many firms treat fundamentals such as cybersecurity training as nothing more than a box to check once a year. The attitude is, “OK, it’s done. That was the SEC requirement, now we don’t have to worry about it.” Whoever said that training once a year is enough to be successful at something? Businesses have to really work to create a comprehensive culture of cybersecurity, and a culture of compliance, where it’s all hands on deck and everyone, from the top down, is taking it seriously. In terms of cybersecurity training, this needs to be done quarterly at a minimum, where people are continuously reminded about why they need to be careful when reading emails, or how to properly handle data, or what links they should and shouldn’t be clicking.

Don Duclos: I would double down on what Justin mentioned earlier: the fact that training is critical. In a WFH environment, phishing simulations in particular are more important than ever before. They should be done more often. At Linedata we’re doing these trainings for our own employees on a monthly basis.

Justin Ryan: Firms need to acknowledge that work-from-home and work-from-anywhere bring unique security challenges. For example, you simply don’t have the same network safeguards that you have back at the office. You obviously aren’t going to have enterprise-grade firewalls at everyone's home office—and definitely not at the local Starbucks or the airport hotel. So, this is where technical safeguards like EDRR (Endpoint Detection, Response, and Remediation) or MDRR (Managed Detection, Response, and Remediation) become extremely important. Every WFH employee should have access to strong endpoint protection. Everyone should have a basic Virtual Private Network (VPN) to mask their IP address when travelling.

Girish Khilnani: Good endpoint security is critical, agreed. In addition, all WFH employees should have Multi-Factor Authentication (MFA) set up for any external access they have via the Internet. IT departments need some kind of device management solution—either a Mobile Device Manager (MDM) or an endpoint device manager—to ensure that all relevant data protection policies and security measures are in place on employees’ devices.

From the standpoint of process and governance, of course it’s important to make sure you have the right policies and procedures in place. But it’s equally important to test and validate these policies and procedures. So, for example, if your employees received their quarterly security training, that’s great. But did you really review that after the fact? Were there any issues with employees who were not able to complete the questions? Did they fail? Did we redo the training? Or for instance, when talking about incident response plans: How frequently do we review and test our DR or BCP procedures? These are the sorts of audit controls that organizations need to put in place to really know how their teams are performing, and how their procedures are working.

Don Duclos: A big piece of the puzzle is to correctly leverage cloud-related services more to ensure that your data is being held on those services and not, for example, on an employee’s laptop. In a sense, it’s just a matter of firms utilizing the technology that’s already available to them: reputable cloud services like Office 365 or cloud backup solutions like AFI.

Girish Khilnani: I’d come back to testing and validation. You can have the best of the best tools in your environment. But if you aren’t testing them regularly, it’s very, very difficult to ensure good security.

Organizations need to conduct vulnerability assessments and penetration tests to make sure their environments are not penetrable and that they’ve taken all available measures to protect their assets. And that means asking a lot of hard questions. Are there enough tools in the environment to accomplish the level of endpoint monitoring your team is looking for? Are your logs being monitored? Are your Office 365 users who are traveling most of the time being managed correctly? Are mobile devices managed appropriately such that your data is secure if a device is lost or stolen? Do you have a strong system of data backups—and are you regularly testing the restore from those backups?

And perhaps most importantly of all: Do you have the right partner in terms of your vendor or MSP? Someone who can help you manage all of this complexity, and make sure that everything is covered as a part of their service offering? Because your CTO or a small IT group probably won’t be able to do it alone.

Justin Ryan: To me, it comes back to the idea of a culture of compliance where every team member—whether they’re the CEO or a rank-and-file employee, in the office or working at home—is involved in improving organizational security. The cyber threat landscape today is, frankly, worrying. But the best way to defend against risks and unknowns is for everyone to up their game in terms of understanding the infrastructure they’re using and the best practices for cybersecurity. The threats have changed and will continue to change in ways that, realistically, no one can fully imagine. But the one thing we can do, the best thing we can do, is to plan for the now and equip our employees with more training and more knowledge. That is a true culture of compliance. You'll be better prepared for the future if you do that right now, as opposed to trying to solve for a black swan event that no one can predict.

About the authors

Don Duclos is Linedata’s Chief Information Security Officer. He has 20 years of Information Security experience at leading financial institutions and technology services providers. Prior to joining Linedata, he led teams in all three lines of defense (within the business line, Information Security, and Internal Audit) at regulated firms, where he frequently engaged with regulators and examiners from the SEC, Office of the Comptroller of the Currency (OCC), FDIC, and Federal Reserve Board (FRB).

Girish Khilnani co-heads Linedata’s Technology Services business, which includes Public and Private Cloud, Cybersecurity, and Managed Services. He’s spent nearly two decades managing IT infrastructure, cloud, and global service delivery teams to provide leading-edge solutions for financial institutions. Girish is passionate about enabling operational excellence that supports the specific requirements of hedge funds, private equity, and asset managers. 

Justin Ryan is a Relationship Manager at Linedata with over 17 years of in-the-trenches experience in buy-side finance including leadership, analytical, and implementation roles. He is passionate about Linedata’s mission of helping clients meet their challenges with innovative and effective technological and outsourcing solutions.