Mention data security to a mortgage executive and it’s enough to make them squirm. You can’t read the news without seeing a piece about a new security breach, even from some of the world’s most cutting-edge technology companies.
Data is the heartbeat of the mortgage industry. Protecting it should be the priority for all organizations, no matter their size. And it’s time to own up to the reality that the conventional methods of security are no longer sufficient.
Ken Kantzer knows a bit about data security. He’s the co-founder of PKC Security, a cybersecurity consulting firm. He has undertaken cybersecurity consulting and code audit efforts across multiple sectors: high-tech startups, financial services, oil & gas, industrial infrastructure, and high-security government systems. We sat down with him to identify 5 security best practices for mortgage lenders that will help them protect their business and their bottom line.
1.) Reduce fractured business architecture
Many mortgage companies work in a way that is fundamentally fractured and insecure. Data resides on systems from the loan officer’s messaging app on their smartphone to their LOS and everywhere in between. Data sits in Word documents, lives in Outlook, and is transferred to third parties as part of the process every day.
Despite marketing promises to the contrary, there’s no single all-in-one platform. The idea of having one password to rule them all is more a fever dream than an actual possibility. But that’s not to say you can’t have a set of best-of-breed, modern systems that work together seamlessly.
“The best way to get hacked is to have systems on your hands that no one at your company understands. Given the choice, opt for platforms that employ the most modern security measures, and simple interfaces between your systems.” – Ken Kantzer, PKC Security
TO DO: Use an encrypted password manager
Switch to an encrypted password manager so you can maintain password integrity across all your accounts and devices without having to remember dozens of passwords. Just choose one of these top password managers to get started (I prefer LastPass myself).
2.) Protect your data
The conventional castle-and-moat approach to data security is outdated. The financial services industry — particularly the mortgage vertical — must take a more comprehensive approach than just using firewalls, antivirus, content filtering, and threat detection.
“The old idea of putting up a wall and standing watch just doesn’t hold true anymore,” says Ken. “The new approach to data protection focuses on resiliency — systems must ensure that even in worst-case scenarios where there is a data breach, the data can be rendered useless.”
Encryption is one such approach. Mortgage companies can maintain control of their data, even when it is deployed in the cloud or in their data center. By moving security controls as close as possible to the data, a mortgage company can ensure that even after the perimeter is breached, the information remains secure.
“At PKC, we always look at how cloud services use encryption, and how the encryption keys used by the service are protected. When encryption is properly implemented, it can be a huge help in strengthening the security of a service, but when it’s improperly implemented, it can actually hurt by lulling users into a false sense of security.”
If you haven’t been breached yet, you’re either lucky or you just don’t even know it happened.
TO DO: Shore up your data defenses
Only mortgage companies that adopt a combination of password managers, encryption-at-rest tools like BitLocker and FileVault, and two-factor authentication can be confident that their data is useless should it fall into unauthorized hands. At Maxwell, we use JumpCloud to manage all of the above.
3.) Facilitate better collaboration between sales and IT
Hopefully you’ve already got security basics in place, like security awareness training, security policies that are enforced across the organization, and a consistent process of monitoring and reviews. Though they might feel like shackles for the sales team, these are necessary precautions to take.
As many CIOs know, employees are generally your weakest link:
“The key to security is not a sexy new kind of technology. It’s not machine or deep learning,” says Ken. “Of all the awesome technology to deploy to catch bad things before they happen, it’s your frontline employees that will have the highest rates of detection.”
When IT and sales collaborate, it is an opportunity to confer the feeling that owning security is everyone’s responsibility. The key to security is getting every person to care about it and to set a shared value that we must ‘protect our house’ both at home and in the office.
TO DO: Implement a VPN for remote work
Connecting to public WiFi networks can be incredibly risky, but sometimes circumstances necessitate that you have to connect to a public network when you’re working on the go. A VPN (or Virtual Private Network) allows users to securely access a private network and share data remotely through public networks. Much like a firewall protects your data on your computer, VPNs protect it when you’re online. This list of top VPN providers will help you get started.
4.) Work with Sales, Not Against Them
Rather than IT attempting to shackle sales, arm the sales team with market-leading mobile communication and collaboration tools that solve their problems and make them more productive while maintaining high-level security.
Use the best technology on the market to reduce non-selling administrative or customer service aspects of a loan officer’s role. Too often, those activities take up more time than selling loans, and the time-wasting is often exacerbated by poorly designed tools that add to the problem rather than alleviate it.
As Ken notes, “A mortgage company that understands how to minimize the amount of time a loan officer and her team spends doing administrative tasks, such as data entry and chasing borrowers for documents, will win by helping them be more productive.”
TO DO: Deploy an enterprise-grade communication app
Instantaneous communication coupled with data security and privacy lead to better sales and customer experience, fewer errors, and employees that work as one cohesive force.
5.) Hack yourself
It sounds counterintuitive (if not downright scary), but the quickest way to identify vulnerabilities in your security infrastructure is to hire someone to find them. The biggest financial services companies swear by this tactic; companies like PayPal, Western Union, Square, and Simple have utilized these ‘bug bounty’ programs as an effective complement to their (often strapped) internal security teams.
And it’s not just financial companies — the U.S. government famously launched a “Hack the Pentagon” program. Through this program, more than 1,400 participants found hundreds of vulnerabilities in the Department of Defense’s systems and paid out the hackers who helped identify these problem areas.
Mortgage companies can only benefit from these bug bounty programs. Offering a bug bounty or undergoing a quarterly penetration test is quickly becoming a best practice for top-tier mortgage companies who understand the high stakes surround security issues.
TO DO: Hire a Hacker
Hire a hacker to analyze your systems and look for security holes and then pay them a bounty when they find them.
Hackers are going to hack. Wouldn’t you rather pay them to be on your side and work for you, rather than dealing with the legal, privacy, intellectual property, and cyberfraud issues that arise when less valiant hackers use your weaknesses against you?
Security must be at the forefront of all decisions made by mortgage professionals. Rather than letting security concerns slow down or cripple your organization, use security as an asset to grow your business. Empower your teams rather than limiting their capabilities, and challenge yourself to regularly audit your security infrastructure and make changes as needed.
Technology and proper processes unlock efficiencies and can improve not just the security of your clients’ information, but the stability of your bottom line as well.