Articles & E-Books


Internal audits focusing on remote access at financial institutions

Jan 03, 2022

by David Rich and Nolan Anderson

Multi-factor authentication continues to grow and remote work is here to stay, and both will be at the forefront of cybersecurity assessments for financial institutions in 2022.

More than half of employees in the U.S. and U.K. were using multi-factor authentication by 2019, and that number jumped to 79 percent in 2021, Duo Labs reported.

That number will only continue to increase — even for financial institutions — as more companies allow flexible work situations for employees.

While multi-factor authentication and remote work are now part of the mainstream, there are still nuances financial institutions will want to keep in mind on both fronts.

Multi-factor authentication for financial institutions

Multi-factor authentication provides an additional layer of controls, ensuring users who sign in to a network are who they claim to be. That extra layer of security can prevent an institution from falling victim to an attack.

To maintain that security. multi-factor authentication must include two of three categories: something you know, such as a password; something you are, such as a fingerprint or facial recognition scan; and something you have, such as a hardware token or access card.

Some financial institutions have relied on one-time PINs sent via SMS, but the National Institute of Standards and Technology recently recommended avoiding them due to the threat of SIM card attacks. Services found in Gmail, iMessenger and elsewhere that auto-forward texts to a computer also increase risk.

In August, the Federal Financial Institutions Examination Council issued guidance on authentication and access to financial institution services and systems. It recommended identifying high-risk users, those with remote access or senior management with access to critical data, for example, who may warrant enhanced authentication controls.

The popularity of MFA is showing up in the insurance industry as well. Insurance agencies are often requiring that financial institutions use MFA in order to receive cybersecurity coverage.

Beyond MFA for remote access

The increase in remote work means people are accesses internal networks in ways beyond a virtual private network. Many financial institution employees can now log into to their accounts through Office 365.

Multifactor authentication is critical for protection but not the only measure to take. You also need to ensure the device that is being used remotely is secure. This means having an antivirus solution, up-to-date patches and hard drive encryption.

In addition, it is essential to log and track all remote sessions — plus review those logs for any red flags.

Also consider a security information and event management software solution or more affordably, a syslog server where all your logs can go and be easily accessed in one place.

Finally, don’t give every employee remote access. To protect you client’s sensitive information and you’re your own, remote access should be controlled through a formal approval process. And you should disable remote access when it is not being used or there is no business need for it.

How Wipfli can help

Wipfli’s internal audit services team can help identify the areas of highest risk within your financial institutions and build a risk-based internal audit plan that ensure internal audit time and dollars are spent in the areas with the most impact — including cybersecurity. For more information, see our internal audit services page.