DSNews delivers stories, ideas, links, companies, people, events, and videos impacting the mortgage default servicing industry.
Issue link: http://digital.dsnews.com/i/205149
There is an old proverb that says a chain is only as strong as the weakest link. This is true in the mortgage servicing industry when managing data security.

software release security patches and updates to plug these holes. It is critical these systems are current, especially on mobile devices.

Encrypting Drives

Encryption is the process of encoding data in such a way that hackers cannot read it but authorized parties can. It is critical not only for the hard drives on computers, but also for easy-to-use external thumb drives. In the event of a loss, the encrypted data that resides on these drives would be useless to hackers who may look to improperly use the information contained within them.

Many different programs can be used to encrypt drives and systems. These include BitLocker (included with Windows OS) and TrueCrypt (which can be used to encrypt external and thumb drives), as well as whole drive encryption programs such as those made by Check Point and Sophos.

Shred, Shred, Shred

The importance of a good confetti-cut shredder to destroy confidential documents cannot be overstated. Strip-cut shredders are not effective because the remnants can be reconstituted too easily. Policies should be in place to shred all documents that contain confidential data of any type. Once a business identifies the types of data that are confidential, anything written down or printed out containing that sensitive information needs to be shredded rather than tossed in a trash bin.

Often forgotten are Post-it notes and other notepads. People use them for everything from taking down phone numbers and account numbers to remembering passwords. They attempt to hide them where they think no one else will find them, such as under their computer monitors or keyboards, and as a result, they often forget to shred them. Anything with confidential or classified information must be shredded to ensure full data security.
Physical Security

In addition to securing systems and devices, all businesses need to be aware of potential physical security concerns. All access to business systems and buildings should be protected. This must include access by every person who enters a facility, from the guy delivering water to the technicians who work on computer systems. Every person who enters a facility must be viewed as a potential data security risk and should be assessed and controlled accordingly.

At the same time, it's important to recognize the need for different levels of security control based on the potential risk that a vendor or service provider may pose. For example, a grass-cut vendor will require different levels of control than a technician who is repairing computers. The technician, who may have more access to data within a company's systems, presents a greater risk, and thus the company should apply tighter controls. Does the technician require a master password to access all data or just what he needs to fix? Does he work for a reputable vendor? These are the types of questions that should be addressed before systems vendors and technicians are called in to complete work.

Physical access to computer systems is another important consideration. Most people do not realize that passwords are not needed if someone has physical access to a system. There are alternate ways to remove or change passwords on everything from networking devices to operating systems if someone has physical access to those devices. This applies to backups of data and systems as well as to originals. All outside technicians or vendors need to be monitored while completing work. A trusted company employee should be at a system vendor's side throughout his or her entire visit.

Communication Is Sacred

Field service companies need to continually remind their inspector and contractor networks that electronically transmitted communications must be protected.
When communicating in person, it is easy to control the audience. This is not the case with electronic communication. Every day and in every business, people send emails, text messages, and voicemails to others and have no idea who else may have access to these messages. These forms of communication must be secured so that confidential data does not become compromised.

To ensure the security of all electronic communications, any websites being viewed on company computers need to use Secure Sockets Layer (SSL) when confidential data is being transferred, and any email provider must use Transport Layer Security (TLS). SSL and TLS provide communication security over the Internet and allow for data and message confidentiality. Any data transfers should proceed only if these protections are in place.

Being cautious when relaying confidential information applies to phone conversations as well. It is critical to validate who is on the other end of the phone line before discussing any sensitive data.

Use Common Sense

Every situation concerning confidential client and property information needs to be evaluated to strengthen every link in the information and data chain. The process requires common sense, vigilance, and ongoing training to ensure that all guidelines, regulations, and best practices established by mortgage companies, regulators, and field service companies are followed. Inspectors and contractors in the field need to be aware of potential security breaches and take the necessary precautions to keep all confidential data secure. It is everyone's job to make sure that each link of the chain is as strong as possible.

Alan Jaffa is the CEO and Darren Kruk is the information security officer of Safeguard Properties, the largest mortgage field service company in the United States.