TheMReport — News and strategies for the evolving mortgage marketplace.
Issue link: http://digital.themreport.com/i/328038
16 | Th e M Rep o RT cover story matter of convenience, with one anonymous respondent remark- ing, "Oftentimes it was easier to have my clients send documents like W-2s through email because everyone has access to an email account. Most of us [lenders] didn't want to take the time to explain what a secure portal was and how to use it. Everyone understands what email is." However, that focus on ease of use can often come back to hurt companies when they have to ex- plain to the public how their cus- tomers' data was compromised, explains James Deitch, CEO and co-founder of Teraverde, a con- sulting firm for the banking and financial industries. "Customers are beginning to ask: 'Is my data secure, and do you have the capability to protect my data?'" Deitch said. "And that question has to be answered by the loan officer, and it has to be answered with real affirmation." And if a company does drop the ball on the security front? For an example, look at Target, which recently lost its CEO and took a hit to its fourth-quarter earn- ings as a result of a high-profile breach announced just weeks before Christmas last year. While the retailer's first-quarter report was unavailable as of press time, analysts have set their sights low as the fallout continues. "Reputationally, once you get a black eye, it's awfully difficult to recover," Deitch said. Know Thy Enemy S o how does a careful com- pany prepare its defenses against hackers? By putting hack- ers to work for them, of course. As part of its offerings, Tangible conducts penetration tests, moving on clients' systems the way a malicious attacker might move and reporting back with its findings—what those in the industry call an "adversarial approach." While Harper was initially surprised by the amount of data he could extract on a routine basis, he says it's actu- ally alarmingly common for the company to easily get anywhere a hacker would want to go. "We always get to the money. It's amazingly simple and easy. We're not shocked by it any- more, but the clients often are," he remarked. Making matters worse is the fact that many companies simply don't know how vulnerable they actually are. What happens all too often, Harper says, is that businesses will pay for the cheapest, least thorough penetration test available, resulting in little progress made on the tester's end and a false sense of security for the company. In fact, he says, a good way to tell the difference between a cheap penetration test and a thorough probe is the results you end up with. If your hired "attacker" turns up with too little, there's a chance you're not getting the kind of comprehensive analysis you really need. Inside Man O f course, not all breaches are solely the result of an outsider attack. Like in every heist movie, some of the biggest scores start with someone on the inside: a disgruntled former employee who still has access, an improperly screened loan officer with a criminal record, or an unaware worker who is granted too much access and doesn't know what to do with it. In fact, in a recent white paper released by Teraverde and Tangible, co-authors Deitch and Harper de- scribe more than a dozen different data breaches—many of which are the result of untrained employees and improper protocols. "The headline news is about hackers that brute-force their way into a high-profile target," Deitch said. "The reality is that most of the security breaches that we come across have been what I call either poor execution of a policy or deficient policy to begin with." In one of the more egregious scenarios described, "a bank employee with a laptop inserted an infected USB thumb-drive file, causing complete laptop com- promise, which a hacker used to obtain complete network compro- mise, including LOS application, customer data breach, and a gate- way into other bank systems in a federally insured bank." All of that from a device many people keep on their keychains. If a typical employee can cause that kind of chaos without intending to, imagine the damage that could be done by somebody leaving for another company. For that matter, consider the number of people filtering in and out of a typical workplace every day: the person who fixes the copier, the person who restocks the water cooler, the building custodians, and so on. "A lost of trust is given to vendors," Deitch said. "In some "Customers are beginning to ask: 'Is my data secure, and do you have the capability to protect my data?'" —James Deitch, Teraverde. How Do Regs Fit In? A s if normal security considerations weren't enough to deal with, finance businesses also need to be sure their efforts will hold up under regulatory scrutiny. Federal laws governing con- sumer privacy are nothing new, but with the recent series of high-profile incidents, agencies like the Office of the Comptroller of the Currency (OCC) and the Consumer Financial Protection Bureau (CFPB) are casting a focused eye on financial institutions and privacy practices, particu- larly when it comes to third- party vendor relationships. "[Lenders] have to think of it two ways," said Christopher Gulotta, CEO and founder of Real Estate Data Shield and the Gulotta Law Group. "They have to think, 'What do we need to do to show we're compliant,' but they also have to know their vendors are screened, monitored, [and] secure." Adding to the complexity is that regulators actually left a good deal of discretion to companies to monitor their own privacy efforts and decide if they think they've taken reasonable steps under the law. While that approach is flexible on the government's part, Gulotta says it's really just created a confusing environment: "I think the regulators were trying to be fair to corporate America and say, 'Hey, just do what's appropriate.' [But] this has created a lot of concern in the industry because small banks and big banks have to decide, 'If we suffer a breach, will they decide we didn't do enough?'" To simplify matters, he rec- ommends following an easy acronym in going down the checklist: RADDCO, or Risk Assessment, Due Diligence, Contracts, and Oversight. "Customers are beginning to ask: 'Is my data secure, and do you have the capability to protect my data?'"