By John Paasonen, CEO of Maxwell & Ken Kantzer, Co-Founder of PKC Security
Mention data security to a mortgage executive and it’s enough to make them squirm. You can’t open a newspaper without reading about a security breach, even from some of the world’s most avant-garde technology companies.
Data is the heartbeat of the mortgage industry. Protecting it should be the priority for all organizations, no matter their size. And it’s time to face up to the reality that the conventional methods of security are no longer sufficient.
Ken Kantzer knows a bit about data security. He is the co-founder of PKC Security, a cybersecurity consulting firm. He has undertaken cybersecurity consulting and code audit efforts across multiple sectors: high-tech startups, financial services, oil & gas, industrial infrastructure, and high-security government systems.
Reduce Fractured Business Architecture
The way most mortgage companies work is fractured and insecure. Data resides on systems from the loan officer’s messaging app on their smartphone through to the LOS and everywhere in between. Data sits in Word documents. It lives in Outlook. And it’s transferred to third parties as part of the process every day.
Despite marketing promises to the contrary, there is no single all-in-one platform today. Indeed that may be an unrealistic utopia. What is realistic is a set of best-of-breed, modern systems that work together seamlessly.
“The best way to get hacked is to have systems on your hands that no one at your company understands,” says Ken. “Given the choice, opt for platforms that employ the most modern security measures, and simple interfaces between your systems.”
Protect Data Dynamically
The conventional castle-and-moat approach to data security is outdated. The financial services industry, particularly the mortgage vertical, must move beyond just firewalls, antivirus, content filtering, and threat detection. “The old idea of putting up a wall and standing watch just doesn’t hold true anymore,” says Ken. “The new approach to data protection focuses on resiliency — systems must ensure that even in worst-case scenarios where there is a data breach, the data can be rendered useless.”
Encryption is one such example of this approach. Mortgage companies can maintain control of their data, even when it is deployed in the cloud or in their data center. By moving security controls as close as possible to the data, a mortgage company can ensure that even after the perimeter is breached, the information remains secure. “At PKC, we always look at how cloud services use encryption, and how the encryption keys used by the service are protected. When encryption is properly implemented, it can be a huge help in strengthening the security of a service, but when it’s improperly implemented, it can actually hurt, by lulling users into a false sense of security.”
If you haven’t been breached yet, you’re either lucky or you don’t even know it happened. Only mortgage companies that adopt a combination of password managers, encryption-at-rest (using tools like BitLocker or FileVault), and two-factor authentication can be confident that data is useless should it fall into unauthorized hands.
Make Sales & I.T. Collaborate
Hopefully you do the basics: security awareness training, security policies that are enforced across the organization, and a consistent process of monitoring and reviews. Although these are necessary, they often feel like shackles for the sales team.
As many CIOs realize, employees are often the weakest link. “The key to security is not a sexy new kind of technology, it’s not machine or deep learning,” says Ken. “Of all the awesome technology to deploy to catch bad things before they happen, it’s your frontline employees that will have the highest rates of detection.”
When the IT and sales teams collaborate, it is an opportunity to instill in both the feeling that owning security is their responsibility. The key to security is getting every person to care about it, to set a shared value that we must “protect our house” both at home and in the office.
Rather than IT attempting to shackle sales, have them arm the sales team with market-leading mobile communication and collaboration tools that solve their problems, make them more productive and are, by their very nature, secure.
Finally, use the best technology has to offer to reduce the non-selling administrative or customer service aspects of a loan officer’s role. Too often, those activities take up more time than selling loans, and sadly they are often created by poorly designed technology tools themselves. Ken agrees: “A mortgage company that understands how to minimize the amount of time a loan officer and her team spend doing administrative tasks, such as data entry and chasing borrowers for documents, will win by helping them be more productive.”
It sounds counterintuitive if not downright scary: invite hackers to analyze your systems, looking for security holes, and pay out a “bounty” when they find them. But PayPal, Western Union, Square, Simple and other financial services companies that have created or worked with so-called bug bounty programs say they’re an effective supplement for the work done by sometimes-strapped internal security folks.
Outside the industry, it’s become a common-enough practice that even the U.S. government launched a “Hack the Pentagon” program. Hackers have already found 100 vulnerabilities in Department of Defense systems and the program has paid out $15,000 to 1,400 participants.
Pay hackers to take your side and work with you, and avoid the legal, privacy, intellectual property and cyberfraud issues that result when they go it alone.
Companies that have been using bug bounty programs for years see only benefit to them. Along with the many other types of security defenses mortgage companies need, offering a bug bounty, or undergoing a quarterly penetration test, is likely to become a best practice in the industry.
Empower Your Customers
Two in three customers said they’d cease doing business with a company that experienced a breach where financial information was stolen. Half of the respondents to the global survey by Gemalto said they’d stop doing business with a company where personal information was stolen. A quarter of people said they’d consider legal action against the breached company.
In fact, a mortgage company can even increase customer trust by telling borrowers about the security measures that it has put in place to protect their data. By being open about the efforts it is making with regard to data protection, like encrypting data in transit and at rest, it can be perceived as a trusted innovator.
Mortgage companies can take this a step further and, as well as informing customers about what they are doing to protect them, can also tell them what to do in order to protect themselves and become safer users of their services — for example, instructing them not to send sensitive documents by email.
Security must be at the forefront of all decisions made by mortgage professionals. Rather than letting this slow you down or cripple your organization, use security as your asset to grow your business. Have your teams empower each other rather than limit the capabilities of each group. Challenge yourselves regularly.
Technology and proper processes unlock efficiencies and can improve not only the security of your clients’ information, but your bottom line as well.
Maxwell is a lightweight digital mortgage platform, helping lending teams become more efficient and provide the digital experience borrowers expect. Maxwell was created on the principle that mortgage companies will win by betting on the augmentation of human ability, not by replacing it with faceless technology. At Maxwell, the power of the human relationship is core to how we build software.
Founded in 2015, Maxwell is a member of the Mortgage Bankers Association and the Colorado Mortgage Lenders Association. In 2017, we were named one of the most innovative companies in real estate by HousingWire Magazine. Every day, our software is used by originators across the U.S. to serve thousands of homebuyers.