You've put basic safeguards in place. Now what?
This is the third article in a series on what originators need to know about cyber attacks and ways that they can protect their business. If you’ve already taken some steps to protect your business against cyber attacks, you may be wondering whether or not you need to do any more. How do you know if what you’ve done is enough?
The short answer is, you can always do more. Modernizing your business comes with inherent security risks, and mitigating those risks isn’t always straightforward. Moving your infrastructure to the cloud, for example, makes your organization more secure than if you were hosting your own email platform, but if you don’t take additional steps to secure it, then you’re still vulnerable.
Even things like implementing multi-factor authentication—a must-do—aren’t a slam dunk, says JT Gaietto, executive director of cybersecurity services for Richey May & Co. He mentioned the “data security incident” involving Adidas earlier this summer. Although “only” usernames and encrypted passwords were claimed to be compromised, and not credit card information, that shouldn’t make anyone feel better about the potential breach.
“Many users, regardless if they’re in the mortgage industry or not, statistically use the same password on their LinkedIn, their Facebook, and at work, it’s just a rule of averages,” Gaietto said. So while you might not think it’s a big deal if anyone sees your athletic wear preferences, if you take into account that people reuse their passwords, the “bad guys” can then look at your password 1234, see that you work at Mortgage Company X, and try that login. The odds, unfortunately, are in their favor.
So how much do you really need to know to be effective? Staying on top of your clients and your industry is hard enough; do you really need to be an expert in network security as well?
Take heart; it’s 2018, and you can always hire someone to evaluate the security risks for your business and provide a fresh perspective on your overall security picture. This may be especially beneficial if you don’t have a dedicated IT department, but even if you do, it’s a chance for someone outside of your company to provide an objective overview.
“[If] I see that there’s a crack in the sidewalk, I pass the crack in the sidewalk every day, I don’t think that it’s such a big deal. But over time, that crack’s going to get bigger, or I don’t realize the crack was caused by the fact that there’s nothing underneath the foundation anymore, but I’m blind to the risk. When you have a third party come in and look, they say, ‘Whoa, you’ve got a crack in your sidewalk, but on top of that you’ve got a four-foot sinkhole underneath this; you should think about how you’re going to fix that.’ That’s the difference to having a third party come in . . . they’re more sensitive to what’s going on in the environment,” Gaietto said.
A third-party expert also has the benefit of experience with other organizations of various sizes, some of which share security similarities with your business. They can make suggestions based on the challenges they’ve already seen and the issues that other companies have faced, eliminating all of the trial and error that your company might face otherwise.
Once you start outsourcing your security measures, however, the costs are going to escalate. The pinch may be even harder to bear in the current environment, where business for most originators isn’t as strong as it may have been 12-18 months ago.
“When we walk into an organization, many of them have the best intentions to protect their customers and protect their environment, but the costs can be staggering,” Gaietto said. That being said, originators are engaged and willing to improve security protocol a bit at a time. “I don’t have anybody coming back saying we’re not going to do anything. In that instance a lot of people are saying, what can we do to have a different risk curve?”
If volumes are lower or comp is a bit tighter in your market and you don’t have the capital to make a huge investment right now, don’t just shrug your shoulders and walk away. Have both short-term goals and a long-term plan. Cyber attacks aren’t going to lessen in the years to come. They’re only going to increase and evolve in their tactics and damage wrought. Create a plan, with or without a third-party evaluation, for your business to be as strong as possible.