They didn’t know it was impossible, so they did it
Any would-be cyber-attacker who thinks that Covid-19 has created some kind of open season on high-end users of high-end technology systems really ought to think again, and go and lie down in a dark room until the urge to engage maliciously subsides. Protecting our clients is very much at the top of our list of priorities and we work endlessly to ensure their security.
No one could possibly have forecast what the entire world has come to experience in the past few months. But the banking sector has been at the forefront in struggling to come to terms with the pandemic, quickly acknowledging the new and multi-faceted challenges facing it and reacting accordingly, adapting as required.
In the words of the Mississippi author Mark Twain, they didn’t know it was impossible, so they did it. Or, in the rather more prosaic words deployed within Societe Generale: clients can rest assured that we had control, we have control now and we will continue to have control.
The major challenges of the crisis
We were faced with two main issues when it became clear that the global governmental response to Covid-19 would require many of our colleagues in cash management and international payments to work from home. Some managers were very wary of people working without the customary supervision.
The first was a purely operational challenge: how do we enable people in such a sensitive area of work to do that? The second was an awareness of the possibility of increased levels of cyber-attacks. While we were certain that we were not at excessive risk thanks to existing technology and processes, we needed to ensure that all risk was further mitigated.
We weren’t starting from a zero base, as we were already geared up to enable a large number of staff to work from home one or two days a week. But we had to establish access to the full scope of everyday working functions so that they could carry on working and meeting client needs as if they were in their normal professional office environment. This obviously includes authorising very large payments, both to clients and by clients.
On the first point, we had already strengthened security measures surrounding the technology needed to connect to the bank’s internal systems, concealing logs, for instance, and not allowing everyone to open certain applications. The advent and rapid spread of Covid-19 forced us to take a new look at the existing processes.
This required us to open a new channel of communication with the financial industry’s regulatory authorities to discuss questions of compliance and operational risk. The regulators quickly agreed that the question of operational risk was one for us to address and resolve ourselves.
We quickly reached the conclusion that with appropriate controls and checks in place, there is no more risk arising when our colleagues work from home than arises when they are working in the office.
It was then up to the IT professionals
It was then up to the IT professionals to explain this to the banking business professionals, and for them to decide whether they could feel comfortable with the change. There soon followed the decision to authorise only senior staff with demonstrable in-depth knowledge to access the bank’s systems from home.
On the second point, cyber-attacks are nothing new. In their simplest form, the submission of fake invoices, they are a relic from the days before IT. We were already accustomed to carrying out large-scale internal exercises to cope with, for example, phishing (a well-known scam that uses fake e-mails to lure people to websites that closely resemble a well-known company’s site).
These exercises – which took the form of fake attacks and drills – were designed to raise staff awareness of the look and feel of cyber-attacks and to train them in how to respond most appropriately.
These drills and exercises have now stopped and all our staff know that any attacks they might encounter are real, and must be treated as such. At the risk of holding ourselves hostages to fortune, and of throwing down a gauntlet to would-be malefactors, our checks and controls have clearly reduced the chances of identity theft and the illicit acquisition of passwords, inter alia.
We have embedded the practice of automatically interrogating any single proposed payment action, to establish above all whether the action fits within established user patterns. But there is no room for complacency. Cyber-attackers have a tendency to become ever more clever and we will never lose sight of their continuing threat.
In this pressured environment, greater emphasis than ever is placed on artificial intelligence and its key role in our industry. Whatever IT systems are in place, however, people and their informed judgment provide the best form of defence.
In conclusion
In the wake of Covid-19, we have introduced a number of other specific defensive procedures to ensure that it is safe for the bank’s cash management and payments staff to work from home.
Things have changed because of Covid-19. We have adapted and improved and will continue to adapt and improve. Preparedness, training and vigilance remain essential watchwords in delivering the full range of client services.
It is no exaggeration to declare that Covid-19 has accelerated a long-established trend in the change of attitudes to traditional working practices. It has taken us to the threshold of a new normal, in which staff can work from home, 100%, permanently, and securely, should the need arise. Clients will almost certainly not notice any difference to their everyday interactions with the bank.