Amid the COVID-19 pandemic and stay-at-home orders, many businesses have moved almost entirely to a work-from-home structure. With most mortgage professionals working with a lot of sensitive information on behalf of clients and the company, there is an increased risk of compromised networks and data.
A joint advisory from U.S. and U.K. cybersecurity officials warns that cyber criminals are targeting individuals and organizations while employees are relying on less-than-secure home networks to do their work.
“Cyber criminals are using the pandemic for commercial gain, deploying a variety of ransomware and other malware,” the advisory stated.
While everyone transitions away from an office environment, the normal methods of doing business are changing, making it easier for an attacker to appear legitimate. Malicious hackers are using social engineering methods to persuade users to carry out a specific action, whether that’s clicking on a link that leads to a phishing website or opening a file that contains malware. Overcommunicating to employees and clients is the number one thing companies need to be doing to help lower risk.
“Working from home is a totally different experience. If companies aren’t checking in and communicating with employees, understanding new challenges and working through those, it will result in a challenge for the business,” said Bruce Phillips, senior vice president and chief information security officer for WEST, a Williston Financial Group (WFG) company.
Video conferencing technologies can also increase risk, as companies try to replicate face-to-face interactions through programs like Zoom. Phillips warns the easier a program is to use, the less secure it likely is, so it’s important to find a balance.
For example, a new phenomenon called “zoom bombing” happens when hackers access and disrupt a live meeting. An example of this occurred during a virtual University of Texas meeting that was being hosted by a group that aims to support African American male students. Unknown users joined the meeting and began shouting racist slurs to disrupt it. Zoom has since apologized publicly for the lax measures and changed its default settings to help improve security.
“When using a new technology, you need to have a full understanding or have someone help you configure it correctly, so you don’t put your business or clients at risk,” said Phillips.
Numerous companies were forced to transition away from their traditional office structure at such a rapid pace that any business without a tested pandemic response plan was left scrambling. Another problem, according to Phillips, is that not every company had enough equipment for employees to take home with them.
“Now we are relying on personal devices on a personal home network that is not configured to be secure, being used to access sensitive company information,” he added. “There are things people don’t think about, like printing closing packages. That’s client information sitting in someone’s house.”
Lessons to learn from
The key to making it through this with as little damage as possible is educating employees and implementing whatever security measures possible. Phillips says a lot of work has to go into policies and procedures for working from home, so employees are clear on what they need to do to protect company and client information. The first place to start is understanding specific company risk and addressing that.
“One of the best ways is having a technical control in place, but at minimum, you need to remind your employees on administrative controls on how they need to protect that information,” he said.
West Protect is a new, affordable cybersecurity help desk for real estate agents, mortgage companies and title agents, where users can forward any suspicious content to be checked by security professionals.
No one could have predicted the magnitude of the COVID-19 pandemic and how it would affect our workplace, but Phillips says it’s a good opportunity to plan for the future: “Companies who had not thought this through are learning some hard lessons right now. The best thing to do now is learn from it.”
Once the dust settles, Phillips recommends company leaders take a couple of things into consideration.
- If employees took corporate assets like laptops or mobile devices from the company network into their homes, those devices need to be treated as hostile. They need to be properly cleaned and inspected by an IT professional or cybersecurity company before they go back on the corporate network.
- After some time getting back into the groove of things, turn around and start looking at lessons learned from this experience. Evaluate what worked, what challenges arose and begin preparing for the next event.
Choosing a cybersecurity company can be overwhelming, and while protecting against cyber risk is important, Phillips says to make sure to avoid panic buying.
“None of these are easy to implement and it’s another change on top of all these other changes. Pay attention to your own risk profile, understand exactly what you need, and if you decide to make that change, think about the execution.”