EAST BRUNSWICK, NJ - Prior to the existence of the Internet, criminals had to break and enter, intercept mail or dig through garbage to steal personally identifiable information. Only 25 years ago, illegally accessing a person’s bank account would have required forgery and a visit to the bank. This could take hours and would place the perpetrator under the scrutiny of bank tellers, other customers and security cameras. It also would leave clear evidence of a crime.
Now that most of society’s information is available and exchanged online with the ease of a click, criminals can use the Internet to steal account credentials, money, identities, sensitive intellectual property and private data. The Internet gives them anonymity, global reach and an almost unlimited list of targets, and it lets a single click of a mouse do damage that once required physical presence at the scene.
All things considered, the Internet has become the ultimate attack platform for criminals, and an ever-larger share of crime is now committed online. Combating it requires certain technologies, but it requires proper training just as much.
A real, virtual threat
Mortgage-banking transactions require the transmission, collection and storage of banking statements, tax returns and W-2 forms, driver’s licenses, pay stubs and more sensitive information. Because of this, the nature of typical mortgage transactions and the way they are carried out make the entire home-lending sector a compelling target for cybercriminals.
Most mortgage lenders understand the threat and have already invested heavily in the latest security technologies to secure their computing networks. Many have developed and implemented policies and procedures that help them operate efficiently and meet legal and regulatory requirements. Even so, these same organizations’ losses to security breaches continue to grow each year. The reason is that the problem lies less with the security technologies deployed to protect their networks, or with the processes they have in place, than with the lack of security savvy among their internal users.
All too often, security breaches are caused by users doing something they shouldn’t, like clicking a malicious link in an e-mail, opening a tainted e-mail attachment, using weak passwords, losing portable devices with confidential data or being tricked into giving up their passwords through social-engineering attacks. In fact, several industry-data estimates indicate that more than 80 percent of successful data thefts began with users doing something that they shouldn’t have. But there is no simple answer to this problem, and potential solutions raise difficult questions:
- Is it the responsibility of employers to regulate how their employees configure their home computing networks?
- Should employers tell their employees what they can post to their personal social media sites?
- Should employers dictate what type of mobile devices their employees use in their personal lives and how they can and cannot use them?
A 2015 study by CompTIA, an IT industry trade association, surveyed hundreds of end users and documented the most significant sources of human error. Forty-two percent of respondents said there was a failure to follow general policies and procedures, with the same number citing general carelessness. Thirty-one percent blamed a failure to keep up with the latest security threats.
Attackers’ motives vary: financial gain, theft of intellectual property or other sensitive data, retribution or revenge, competitive advantage, or a desire to challenge authority.
Online security breaches come in many varieties, from website defacements and identity theft to sophisticated thefts of large amounts of data or sums of money, and everything in between. Although each attack may be unique, many share one commonality: a human mistake as the root cause of the compromise. Because of this, getting end users to properly identify and respond to security threats is one of the most significant challenges facing organizations today.
Training to protect
Implementing an information-security-awareness training program for employees can help mortgage-banking companies reduce this threat. The curriculum should be specific to the company’s own security policies and procedures, including its social media, acceptable-use, data-retention and bring-your-own-device policies, where applicable.
Training programs should also educate users on the potential threat of malicious insiders and include “If you see something, say something” messaging. During the training program, each employee should also be asked to read and accept company policy, which puts them on notice that they must be vigilant about security in the workplace. This sends a clear message to employees that security is everyone’s responsibility.
Training should be reinforced with creative tests or studies that measure personnel awareness, such as e-mail phishing studies. Repeated, frequent testing matures end users from a security standpoint and lets the company gauge improvement in internal-security awareness over time. Measuring how many users report a simulated phishing message, not only how many click it, gives a fuller picture of that improvement, and users who click in test after test are the ones to single out for additional training.
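As an added example, not code from the article or from T&M Protection Resources, the following Python script scores repeated phishing simulations the way the paragraph above describes. It assumes the simulation platform exports one row per targeted user per campaign with three flags (clicked the link, submitted credentials on the landing page, reported the message); the campaign names, user names and results below are constructed for illustration. It computes per-campaign click, credential-submission and report rates, the change in click rate from the first campaign to the last, and the users who clicked in more than one campaign.

```python
"""Score repeated phishing simulations to track awareness over time.

Added example with constructed data; a real program would load the
rows exported by its phishing-simulation platform instead.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str    # campaign label, e.g. "2016-Q1"
    user: str        # targeted user (hypothetical names below)
    clicked: bool    # followed the simulated malicious link
    submitted: bool  # entered credentials on the landing page
    reported: bool   # forwarded the message to security


# Constructed sample: four users across three quarterly campaigns.
RESULTS = [
    Result("2016-Q1", "alice", True,  True,  False),
    Result("2016-Q1", "bob",   True,  False, False),
    Result("2016-Q1", "carol", False, False, True),
    Result("2016-Q1", "dave",  True,  True,  False),
    Result("2016-Q2", "alice", True,  False, False),
    Result("2016-Q2", "bob",   False, False, True),
    Result("2016-Q2", "carol", False, False, True),
    Result("2016-Q2", "dave",  True,  True,  False),
    Result("2016-Q3", "alice", False, False, True),
    Result("2016-Q3", "bob",   False, False, True),
    Result("2016-Q3", "carol", False, False, True),
    Result("2016-Q3", "dave",  True,  False, False),
]


def campaign_metrics(results):
    """Per-campaign click, credential-submission and report rates (0..1)."""
    by_campaign = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)
    metrics = {}
    for name in sorted(by_campaign):
        rows = by_campaign[name]
        n = len(rows)
        metrics[name] = {
            "targeted": n,
            "click_rate": sum(r.clicked for r in rows) / n,
            "submit_rate": sum(r.submitted for r in rows) / n,
            "report_rate": sum(r.reported for r in rows) / n,
        }
    return metrics


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns."""
    clicked_in = defaultdict(set)
    for r in results:
        if r.clicked:
            clicked_in[r.user].add(r.campaign)
    return sorted(u for u, c in clicked_in.items() if len(c) >= min_campaigns)


def trend(metrics, key="click_rate"):
    """Change in a rate from the first campaign to the last (negative click-rate change = improvement)."""
    names = sorted(metrics)
    return metrics[names[-1]][key] - metrics[names[0]][key]


if __name__ == "__main__":
    m = campaign_metrics(RESULTS)
    for name, v in m.items():
        print(f"{name}: targeted={v['targeted']} click={v['click_rate']:.0%} "
              f"submit={v['submit_rate']:.0%} report={v['report_rate']:.0%}")
    print(f"click-rate change, first to last campaign: {trend(m):+.0%}")
    print("repeat clickers for targeted retraining:", repeat_clickers(RESULTS))
```

On the constructed data the click rate falls from 75 percent to 25 percent while the report rate rises from 25 percent to 75 percent, and "alice" and "dave" are flagged as repeat clickers. Tracking the report rate alongside the click rate matters because a user who reports a message they also clicked still did the right thing after the fact.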
• • •
Modern mortgage-banking businesses are now online, Internet-driven and collecting more personal consumer data from their customers than most other commercial industries. Because of this, the entire sector is quickly becoming a desirable target for cyberattackers. One of the most effective and cost-efficient countermeasures is to train staff to avoid, recognize and respond to cyber threats. It is critical that mortgage companies educate staff and raise awareness about this serious growing threat before costly and irreparable information security compromises can occur.
*By Paul Lewis, vice president of technology risk, T&M Protection Resources; and Jeff Bernstein, managing director, T&M Protection Resources