3 Tips to Avoid a Data Breach
The security of personal information – or lack thereof – is a hot topic, with cyber attacks on Equifax (2017), Target (2013) and Yahoo (2014) fresh in our collective minds. Those may be the big ones we remember, but data breaches happen every minute of every day, as criminals are always trolling for data-rich environments to infiltrate.
In this context, it’s critical that we in the financial industry do everything we can to safeguard borrowers’ personal data. Doing so not only protects borrowers from identity theft, but it also protects us from headlines that could destroy our (corporate) reputation as well.
So, what can we do to protect ourselves? In the industry, we tend to focus on technology and systems, such as penetration testing, application security scans and following OWASP guidelines. Make no mistake, these are important areas on which to focus. However, humans are still at the heart of everything, so good old-fashioned common sense is just as critical. Even when the most sophisticated data-security measures are in place, all it takes is one person to copy borrower information into an Excel spreadsheet and save it (even temporarily) on their desktop to put everything at risk.
Here are some specific recommendations for those of us who stake our own professional reputations on the guaranteed protection of borrowers’ personal data.
#1 – Use layered security
In other words, don’t put all your eggs in one basket – even if that basket has the strongest possible perimeter security. Instead, segment your data into isolated environments and protect it end to end, with access to each environment’s distinct security keys restricted to those who need it. This way, if criminals gain access to one area, they don’t automatically have unfettered access to everything.
#2 – Reinforce good password hygiene
Educate and continually remind your team members to practice good password hygiene, with rule #1 being “change them often.” Unfortunately, we tend to use the same passwords everywhere, and we tend to base those passwords on personal information, such as birthdates. The best practice is to create passwords that are hard to guess, but easy to remember – which can be easier said than done. Even security experts are human beings, and our brains are only equipped to remember so much.
Using an encrypted password manager to securely store your passwords on your local device is one solution. Some even use random letter-number generators to create the passwords themselves. These solutions make it much easier to use different passwords for each system you manage, to make those passwords highly complex and to change them frequently.
Lenders should also be exploring solutions that shore up their consumer-facing portals to help borrowers stay one step ahead of hackers. For example, many networks are now using two-factor authentication, where a one-time code is sent to the user via text message and is required for login from a recognized device.
Alternative forms of authentication that do not rely on traditional memorized secrets, such as a username and password, are also on the horizon. These mechanisms fit especially well with short-lived processes, such as loan origination. Such a process uses several pieces of the customer’s own information, combined with a one-time two-factor code, to authenticate the consumer securely. This is in contrast to requiring a customer to make up yet another (potentially weak) password, behind which their entire file is stored. Besides augmenting data security, this practice also provides a more convenient customer experience.
#3 – Continuous monitoring
The same way that a police force wouldn’t make just one round of the city and call it safe for the night, any entity with sensitive data to protect – be it a company or an individual consumer – should conduct ongoing “patrols” for suspicious activity. This doesn’t necessarily mean lenders need to expand their payroll by adding an IT police force, however. This is one service that can be easily outsourced to vendors that monitor all inbound requests, track all IP addresses that “ping” the network and compare each one against a known database of fraud sources. If necessary, a questionable IP address can be denied access.
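As an added illustration of the IP-reputation check described above (example code, not part of the original article), the following Python triages constructed access-log lines against a constructed deny list of host and CIDR entries; the deny-list contents, the log format and the sample lines are assumptions made for this example.

```python
import ipaddress
import re

# Constructed deny list standing in for a vendor's "known database of fraud sources".
# Entries may be single hosts or CIDR ranges; these are documentation ranges, not real sources.
DENY_LIST = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",    # hypothetical fraud-source range (TEST-NET-3)
    "198.51.100.23/32",  # hypothetical single offending host
)]

# Minimal pattern for a common-log-format line: client IP first, then the request in quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)"')

def ip_is_denied(ip_str, deny_list=DENY_LIST):
    """Return True if the client address falls inside any denied network."""
    try:
        addr = ipaddress.ip_address(ip_str)
    except ValueError:
        # An unparseable client address is never treated as trusted; deny it so it surfaces in review.
        return True
    return any(addr in net for net in deny_list)

def triage_log(lines, deny_list=DENY_LIST):
    """Return (ip, request, decision) for every parseable log line, where decision is allow/deny."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ip, request = m.group("ip"), m.group("request")
        decision = "deny" if ip_is_denied(ip, deny_list) else "allow"
        results.append((ip, request, decision))
    return results

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /portal/login HTTP/1.1" 200 512',
    '203.0.113.77 - - [10/Oct/2023:13:55:37 +0000] "POST /portal/login HTTP/1.1" 401 128',
    '198.51.100.23 - - [10/Oct/2023:13:55:38 +0000] "GET /portal/statements HTTP/1.1" 302 0',
    'not-an-ip - - [10/Oct/2023:13:55:39 +0000] "GET / HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for ip, request, decision in triage_log(SAMPLE_LOG):
        print(f"{decision:5} {ip:15} {request}")
```

In a real deployment the deny list would be refreshed from the vendor's feed, and a "deny" decision would feed a firewall rule or WAF policy rather than a print statement.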
Be vigilant – but not alarmist
One final note: while identity crime is certainly a formidable threat, I believe it’s an exaggeration to say we are more vulnerable now than we were 20 years ago simply because of electronic data storage.
Yes, we are doing more and more business online, with digital self-service becoming the norm across all industries: financial, medical, retail, travel, and – don’t forget about the biggest platform for user-uploaded personal information – social media.
However, the risk of identity theft existed long before the Internet, when criminals used to pilfer credit card statements from curbside trash piles and scour the obituaries in the local paper for “available names” they could appropriate.
In the midst of our focus on the latest and greatest security challenges and technologies, we also need to empower ourselves through basic human diligence. For instance, I check my own credit card and bank transactions online four or five times a week – a habit instilled in me the hard way, having been the potential victim of identity theft not just once, but several times in recent years. Fraud is an easy problem to fix when it’s just one or two unauthorized transactions, as opposed to waiting for the news that someone has taken out a car loan in your name, sold the vehicle and left you with the bill. (If I’m going to be making payments on a BMW, I want it to be sitting in my driveway!)