The threat of a security breach is real and growing. Experts on a panel at the Mortgage Bankers Association Mortgage Servicing conference on Thursday outlined the threat trends facing the mortgage industry and what companies could do to make themselves safer from a cyber attack.
And perhaps most notable are the techniques hackers use to crack their targets. In short, cyberweakness isn't just due to lacking the correct security protocols. Hackers these days, in fact, dig deeper than that.
First on the list? Train everyone to not open fishy emails.
That sounds easy enough, but as the panelists pointed out, the newest threats aren’t the typical letter from a Nigerian prince offering untold wealth — the infamous 419 scam. Instead, they are probably coming from an email address of someone you know and trust — like your spouse, your company’s HR department or your biggest client.
“The level of sophistication is getting so great that really even the most savvy person when it comes to cyber security will struggle not to click on these links,” said Kevin Hayes, senior principal of Promontory Financial Group.
Hackers have identified and are exploiting the easiest point of entry into any company’s system — its employees.
“These attacks come across using people, because it’s easier to crack a human than crack a machine,” said Thomas Clerici, information security officer at Freedom Mortgage. “It’s the little things that get people in trouble.”
And as workplaces become increasingly interconnected, those “little things” start multiplying like gremlins. The Internet of Things makes our lives much easier, but also much more vulnerable.
“The interconnectedness is making that opportunity space for attacks bigger and bigger,” Hayes said. “Look at the increasing numbers of mobile apps, different web interfaces — there’s just a tremendous waterfront for organizations to cover.”
The antidote is widespread training that makes people pause before opening anything even remotely “off,” even if it is coming from a trusted source.
But this can’t be some haphazard effort delegated to an employee as an added responsibility. According to the experts, to have a real chance at defending against cyber threats, you have to recognize these things:
1. It’s a top-down commitment.
Your company’s leadership has to be committed because safety requires a sustained investment of time and resources. Is your leadership seemingly tone-deaf to the threat? One way to get their attention, Clerici suggested, is an internal hack. Demonstrating where your company has weak spots makes the threat real and tangible, especially if that weak spot is the boss’s email.
2. This is not an IT problem, it’s a business issue.
Expecting your IT department to “solve” this problem shows a fundamental misunderstanding of the nature of the threat. Joseph Dombroski, chief mortgage strategist at Fiserv, outlined how low-tech the problem areas can be.
“If you have call reps and they have pads of paper, and they are writing things down, where does that physical information go?” Dombroski asked. “All of that becomes part of the fabric of how you manage that information.”
This is not an IT problem because the threat doesn’t reside in your hardware or software; it resides in your employees’ behavior and your processes.
3. It’s not a matter of if, but when.
Threats are constant and evolving. Enormous resources are being spent by criminal networks, overseas enterprises and even nation states to breach your security and get to your clients. “No organization is 100% when it comes to cyber security — it doesn’t exist,” Hayes said. “Every organization is vulnerable, it’s just a question of how much damage the security breach causes.”
4. The only thing harder and more expensive than preparing for a threat now is waiting until after you’ve been hacked.
As Hayes put it, “The sheer effort and internal costs of actually addressing a serious breach shouldn’t be underestimated.” And that doesn’t even count the reputational risk, which could easily tank companies that get blackballed by clients or regulators.
Understanding the threat to your company’s cyber security is an important starting point, but for too many companies it’s also the ending point. Real action needs to be taken.
5. Any effort is better than no effort.
Sometimes the effort can overwhelm companies who don't know where to start, but the panel agreed that taking any action is better than taking no action, and that training employees on basic security measures can actually accomplish a good deal.
The MBA offers a number of resources on the topic, including a workshop and a webinar on the FFIEC cybersecurity assessment tool, as well as a free white paper on the basic components of an information security program. But there are also free resources the experts recommended, including information from the FDIC and the SANS Institute newsletter.