Covering Your Bases: Remote Work Security Concerns for Credit Unions


Since mid-March, with nearly every state issuing shelter-in-place or stay-at-home orders in response to Covid-19, credit unions all over the country have been working to set up employees for remote work, many of whom have never had the required technology. Taking on new methods and diving into something they’ve never attempted before, credit unions have had many questions about these remote work strategies.

Response to the pandemic

At this point, nearly every credit union is:

  • Operating with a closed lobby or open to appointment only.
  • Working on strategies for doing virtual appointments using Zoom or FaceTime to continue to serve members.
  • Getting really creative about the things they can do through a drive-through window.
  • Leveraging their electronic strategies like electronic signatures, online banking, and mobile banking to serve members who are stuck at home.
  • Working to set up portions of their staff to work from home on a full-time basis until the end of the pandemic, or to rotate staff between remote and in-office work.

Given that the key cybersecurity objective for credit unions is to safeguard member information and to be available for their members, how that strategy is carried out is important. The setup of these remote strategies can present new risks to cybersecurity programs at a credit union. Add to that an uptick in cybercrime (bad actors trying to profit from the pandemic by using malware, targeted phishing, and other social engineering tactics) and it’s clear data protection should be more of a concern now than ever.

Weak spots to watch out for

To lend some guidance, the NCUA published this article on security practices for remote work in April. Key takeaways from the letter are:

Cover the expectations of remote work with staff before they’re sent home. Make sure that remote workers are extra vigilant and ready to communicate with management and IT teams immediately if something does not look right (if you see something, say something). We recommend having a remote and mobile work policy as part of your information security program that covers these points, and also having a signed acknowledgement from each team member using the capabilities.

Physical security needs to be a big part of the consideration. When in office, the credit union controls the physical security of the workspace. With a remote workforce, institutions have less control over physical setups at team members’ homes. Is the PC or laptop in a secure place that will prevent theft or shoulder surfing? Do you want staff bringing printed information home or having the ability to print at their home office? If the user is connecting back to the CU from a personal computer, how are you vetting that machine and ensuring it’s not compromised by malware like a keylogger?

Technical controls are more important than ever when your team is working from two or three times more locations than they normally would. Does your remote access system employ a form of multifactor authentication? Are you logging and monitoring remote access sessions into the CU network? Are cloud-based services like Microsoft 365 locked down sufficiently and utilizing MFA and conditional access? What is your strategy to continue the patching and continual monitoring and maintenance of your remote PCs and laptops?

Finally, incident response is more critical than ever before. With your credit union’s IT department not right around the corner, remote staff members need to know the basics of responding to an incident. For example, if their PC gets an alert from their endpoint security software, they need to know they should disconnect the machine from the network immediately and contact IT. The CU should then follow its normal response protocols to assess, contain, and resolve.

Take notes for next time

Once we get through this period, we’ll be able to assess how we did with our cybersecurity program after a large shift from in-office to remote. Expect to hear about your strategy for the next time, as well as about updating and detailing a formal pandemic response policy.

