Darren Kruk Discusses the Necessity of Cyber-Security

The April issue of DS News featured an article by Safeguard Properties Information Security Officer Darren Kruk titled A Measure of Security.

A MEASURE OF SECURITY
With cyber-attacks looming as a real and ever-present threat, the mortgage services industry must instill security measures at every level of its everyday business.

One of the fastest-growing and fastest-changing professions is that of the security professional. In today’s world, a security professional manages more than a business’s physical and employee security. These professionals must be versed in information risk management, governance, compliance, IT processes, and increasingly possess depth of knowledge regarding cyber-security. The repercussions of cyber-attacks and the global nature of these threats have the potential to impact all industries, including the mortgage services industry. And cyber-attacks are unfortunately becoming the new business norm as such advances in technology, as mobile, cloud services, IP enabled workplaces, and social networking are adding to the layers of systems that need vigilant monitoring.

Although the core function of information security applies to all businesses, each industry has its own unique requirements and guidelines, in addition to the requirements and guidelines specific to the regulatory entities that oversee it. Mortgage companies and their field services partners fall under the information security regulatory requirements and guidelines of the Consumer Financial Protection Bureau (CFPB) and the Gramm-Leach-Bliley Act.

Almost every day there is a new report of a company that has fallen victim to a malicious cyber-attack, and these attacks are becoming increasingly more sophisticated. Recently, a large health care provider discovered it was the victim of a sophisticated hack, which affected not only its employees, but also more than 80 million accounts that were liberated from the company’s databases. This breach, unlike the numerous others this past year, obtained personal identity data instead of payment card data seen in many of the recent retailer attacks.

How do businesses protect themselves from today’s ever-changing environment, and more importantly, how does an information security professional know whether the proper controls have been implemented and if the controls in place are sufficient?

KNOWING YOUR ASSETS
There are standard formulas that must be followed that apply the basic security management protocols, such as access control lists, secure firewalls, Intrusion Prevention Systems, segmentation, logging, and monitoring. But these are the mechanics of prevention. To fully understand the depth of a highly dynamic and complex information system, the information security team needs to first understand why they would be a target of a cyber-attack in the first place; what do they have that would attract a hacker? To understand this, the information security team needs to think like a hacker and take a hacker-centric approach to security. What are the points of interest? For most hackers their interest lies in a company’s data and/or systems.

To understand what might be of value, a complete asset inventory is necessary. An asset, for example, can include such devices as computers, tablets, and smartphones. An asset can also include data and a company’s physical operating system. Why would a hacker be interested in a system? Hackers are always looking to launch a hack from a better platform. A company may have minimal data, but their platform may entice a hacker.

Mobile technology is one of the biggest competitive advantages for many customer-facing businesses. Whether your customers are consumers or other businesses, being able to harness the power of mobile technology has become a game changer. For several years mortgage field services companies have been investing millions of dollars annually in mobile technology and applications to better meet growing client needs, as well as the needs of their inspectors and vendors.

Although field services companies cannot dictate which devices inspectors and vendors use to complete their assigned work in the field, they can require the use of only pre-approved, closed community applications that have been properly vetted and inventoried. Why is this important? We live in an interconnected world where business and personal time often overlap. One minute a tablet or smartphone could be used for work purposes, the next minute to send a personal email or access an external webpage. Without the proper controls in place, these devices can become a goldmine of information to exploit.

Millions of points of data are generated each and every day, but not all data is created equally. To fully track this data, it is vitally important to clearly define the classification, or rank, of each data element and create a matrix that qualifies where each data element resides. This is important because the level of protection provided is controlled by the predetermined ranking of the data element, as well as the level of risk the information poses if exposed. It is equally important to classify and track all data that is shared externally. For example, confidential information, such as loan numbers, are ranked the highest and require SSL encryption to the end point.

INTEGRATING INFORMATION SECURITY WITH BUSINESS
Information security should be a welcome partner with the business functions of any organization. As such, it should be baked into business decisions from the onset. Do not think of it as just another cost of doing business, but rather a business initiative that provides service improvement and savings. For example, by keeping anti-virus software up-to-date, new vulnerabilities will be addressed through routine security patches that “plug the holes.” For mobile devices, this is especially true as new software versions and applications are continually introduced.

To be successful, information security should be an integral part of any organization’s business culture. This integration starts at the top with executive ownership and support. Executive buy-in will help ensure the success of such internal undertakings as security and compliance advisory boards.

These boards can provide continuity of knowledge, leadership, executive oversight, and guidance for security and compliance policies and activities, and ensure ethical behavior within the organization.

RISK-BASED MODELING
Taking a risk-based, or threat-modeling, approach to information security is important to effectively assess risk exposure and to determine how to best balance risk with action. Once the types of systems and data that exist have been classified, they can be rated according to their acceptable risk and threat levels. Risk-based modeling identifies the data and quantifies the risk of exposure, and the potential risk to stakeholders should it be exposed.

Risks to your applications and systems need to be included in the risk-based modeling exercise as well. This includes email, file transfer systems, and storage systems that are susceptible to data loss. Email is such a universally used tool in daily business and personal interactions that it has gotten to the point where it has become innocuous. Not many think to take into consideration the risks associated with something as simple as sending an email with a file attached to a non-company system. However, one must consider how that data is transferred or stored on the other side. It might not be a risk worth taking.

CREATING A SECURITY-CENTRIC CULTURE
Building a holistic security culture is probably the hardest thing to do in a nonsecurity based company. Our world has been forever changed by social media and its integration into daily life. The challenge is a common one in today’s world—how do we change behavior to maintain privacy and to protect what is important in this oversharing, ever-communicating cyber world? Next generation employees grew up with a cell phone in their hands, constantly tied to social media and their network of friends. They believe in sharing with one another everything from “selfies,” to pictures of food, music, and even personal passwords to feel connected to the world. It has become a challenge for businesses to instill the exact opposite mentality—that nothing should be shared unless absolutely necessary.

Education and continuous information security awareness programs are key. Field services companies must not only educate their employees on physical and data security best practices, but they also must monitor and track this education to ensure global compliance and understanding. To ensure compliance in the field, inspector and vendor networks must be educated on these same industry best practices.

Ongoing information security education for everyone who has access to sensitive information is critical to ensure daily compliance with all information security protocols and applicable industry guidelines and requirements.

Routine monitoring and auditing of vendor networks can help identify gaps that need to be addressed and certify that anyone who has access to confidential information knows and practices the appropriate steps to protect it.

TESTING AND AUDITING
Testing and auditing can be the most important part of measuring your data security controls. And, with the renewed focus and investment on vendor oversight within the financial services industry; internal, external and, vendor network testing and auditing have become commonplace.

Regularly scheduled internal audits not only gauge the effectiveness of a data security strategy but can also point out areas of improvement and should be looked upon favorably. Field services companies typically receive and utilize confidential consumer data, and it is imperative that the security controls safeguarding this data are robust and comprehensive.

External audits should be viewed similarly. As regulations within the financial services industry continue to expand, ongoing thirdparty vendor audits have become routine. Part of this audit consists of an information security assessment in which a review of such protocols as physical security, application permission and authority levels, data integrity and protection (encryption), and network vulnerability are tested.

Much like the financial services industry, some field services companies have taken the audit process to the next level by implementing routine, on-site vendor audits as part of the overall audit protocol. A portion of this audit focuses on a vendor’s data security compliance and frameworks. Routine monitoring and auditing of vendor networks can help identify security gaps so that anyone who has access to confidential information knows and practices the appropriate steps to protect it.

GAUGING SECURITY SUCCESS
Is there a measuring stick with which to gauge data security success? Some claim the ultimate measuring stick is not having been a victim of a cyber-attack. Unfortunately, that is a naive view of the information security world. A company cannot and should not claim success merely because it has not been the victim of a cyber-attack. The overall measure of a company’s security framework is an amalgam of many different control principles. The field services industry has embraced and invested in the people and technology to meet the information security requirements head-on. It is one more way to strengthen the industry and provide clients with the security needed in this interconnected electronic business environment.

Please click here to view A Measure of Security [pdf].

About Safeguard 
Safeguard Properties is the mortgage field services industry leader, preserving vacant and foreclosed properties across the U.S., Puerto Rico, Virgin Islands and Guam. Founded in 1990 by Robert Klein and headquartered in Cleveland, Ohio, Safeguard provides the highest quality service to our clients by leveraging innovative technologies and proactively developing industry best practices and quality control procedures. Consistent with Safeguard’s values and mission, we are an active supporter of hundreds of charitable efforts across the country. Annually, Safeguard gives back to communities in partnership with our employees, vendors and clients. We also are dedicated to working with community leaders and officials to eliminate blight and stabilize neighborhoods. Safeguard is dedicated to preserving today and protecting tomorrow.  Website: www.safeguardproperties.com.

x

CHIEF EXECUTIVE OFFICER

Alan Jaffa

Alan Jaffa is the chief executive officer for Safeguard, steering the company as the mortgage field services industry leader. He also serves on the board of advisors for SCG Partners, a middle-market private equity fund focused on diversifying and expanding Safeguard Properties’ business model into complimentary markets.

Alan joined Safeguard in 1995, learning the business from the ground up. He was promoted to chief operating officer in 2002, and was named CEO in May 2010. His hands-on experience has given him unique insights as a leader to innovate, improve and strengthen Safeguard’s processes to assure that the company adheres to the highest standards of quality and customer service.

Under Alan’s leadership, Safeguard has grown significantly with strategies that have included new and expanded services, technology investments that deliver higher quality and greater efficiency to clients, and strategic acquisitions. He takes a team approach to process improvement, involving staff at all levels of the organization to address issues, brainstorm solutions, and identify new and better ways to serve clients.

In 2008, Alan was recognized by Crain’s Cleveland Business in its annual “40-Under-40” profile of young leaders. He also was named a NEO Ernst & Young Entrepreneur of the Year® finalist in 2013.

x

Chief Operating Officer

Michael Greenbaum

Michael Greenbaum is the chief operating officer for Safeguard. Mike has been instrumental in aligning operations to become more efficient, effective, and compliant with our ever-changing industry requirements. Mike has a proven track record of excellence, partnership and collaboration at Safeguard. Under Mike’s leadership, all operational departments of Safeguard have reviewed, updated and enhanced their business processes to maximize efficiency and improve quality control.

Mike joined Safeguard in July 2010 as vice president of REO and has continued to take on additional duties and responsibilities within the organization, including the role of vice president of operations in 2013 and then COO in 2015.

Mike built his business career in supply-chain management, operations, finance and marketing. He has held senior management and executive positions with Erico, a manufacturing company in Solon, Ohio; Accel, Inc., a packaging company in Lewis Center, Ohio; and McMaster-Carr, an industrial supply company in Aurora, Ohio.

Before entering the business world, Mike served in the U.S. Army, Ordinance Branch, and specialized in supply chain management. He is a distinguished graduate of West Point (U.S. Military Academy), where he majored in quantitative economics.

x

CHEIF INFORMATION OFFICER

George Mehok

George Mehok is the chief information officer for Safeguard. He is responsible for all strategic technology decisions, new systems deployments and data center operations supporting a national network of more than 10,000 mobile workers.

George has more than 20 years of leadership experience dedicated to high-growth companies in the mobile telecommunications and financial services industries, spanning startups to global industry leaders.

George played a senior role in the formation of Verizon Wireless, leading the IT product development and strategic planning team. He led the integration planning for the Verizon merger including: GTE, Vodafone-AirTouch, Bell Atlantic Mobile and PrimeCo.

As chief information officer at Revol Wireless, a VC-backed CDMA wireless communications network operator, George’s team implemented an integrated technology infrastructure and award-winning business intelligence platform.

George holds a bachelor’s degree in political science and economics from Eastern Michigan University and an M.B.A. from The Ohio State University. He is a board member of Akron University’s School of Business Center for Information Technology, in addition to an advisory board member for OHTec.

In 2013, George won the Crain’s Cleveland Business CIO of the Year award for his team’s work in completing a major acquisition and technology transformation at Safeguard. In 2015, George’s team was recognized by InformationWeek’s annual Elite 100 ranking of the most innovative U.S.-based users of business technology. The mobile inspection technology developed at Safeguard was selected as InformationWeek’s “One of the top 20 ideas to steal in 2015”.

x

General Counsel and Executive Vice President

Linda Erkkila, Esq.

Linda Erkkila is the general counsel and executive vice president for Safeguard, with oversight responsibilities for the legal, human resources, training, compliance and audit departments. Linda’s broad scope of oversight covers regulatory issues that impact Safeguard’s operations, pro-active risk mitigation, enterprise strategic planning, human capital and training initiatives, compliance and audit services, litigation and claims management, and counsel related to mergers, acquisition and joint ventures.

Linda’s oversight of the legal department along with multiple compliance and human capital focused departments assures that Safeguard’s strategic initiatives align with its resources, leverage opportunities across the company, and contemplate compliance mandates. Her practice spans almost 20 years, and Linda’s experience, both as outside and in-house counsel, covers a wide range of corporate matters, including regulatory disclosure, corporate governance compliance, risk assessment, executive compensation, litigation management, and merger and acquisition activity. Her experience at a former Fortune 500 financial institution during the subprime crisis helped develop Linda’s pro-active approach to change management during periods of heightened regulatory scrutiny.

Linda previously served as vice president and attorney for National City Corporation, as securities and corporate governance counsel for Agilysys Inc., and as an associate at Thompson Hine LLP. She earned her JD at Cleveland-Marshall College of Law. Linda holds a degree in economics from Miami University and an MBA. In 2017, Linda was named as both a “Woman of Influence” by HousingWire and as a “Leading Lady” by MReport.

x

Chief Financial Officer

Joe Iafigliola

Joe Iafigliola is the Chief Financial Officer for Safeguard. Joe is responsible for the Control, Quality Assurance, Business Development, Accounting & Information Security departments, and is a Managing Director of SCG Partners, a middle-market private equity fund focused on diversifying and expanding Safeguard Properties’ business model into complimentary markets.

Joe has been in a wide variety of roles in finance, supply chain management, information systems development, and sales and marketing. His career includes senior positions with McMaster-Carr Supply Company, Newell/Rubbermaid, and Procter and Gamble.

Joe has an MBA from The Weatherhead School of Management at Case Western Reserve University, is a Certified Management Accountant (CMA), and holds a bachelor’s degree from The Ohio State University’s Honors Accounting program.

x

AVP, High Risk and Investor Compliance

Steve Meyer

Steve Meyer is the assistant vice president of high risk and investor compliance for Safeguard. In this role, Steve is responsible for managing our clients’ conveyance processes, Safeguard’s investor compliance team and developing our working relationships with cities and municipalities around the country. He also works directly with our clients in our many outreach efforts and he represents Safeguard at a number of industry conferences each year.

Steve joined Safeguard in 1998 as manager over the hazard claims team. He was instrumental in the development and creation of policies, procedures and operating protocol. Under Steve’s leadership, the department became one of the largest within Safeguard. In 2002, he assumed responsibility for the newly-formed high risk department, once again building its success. Steve was promoted to director over these two areas in 2007, and he was promoted to assistant vice president in 2012.

Prior to joining Safeguard, Steve spent 10 years within the insurance industry, holding a number of positions including multi-line property adjuster, branch claims supervisor, and multi-line and subrogation/litigation supervisor. Steve is a graduate of Grove City College.

x

AVP, Operations

Jennifer Jozity

Jennifer Jozity is the assistant vice president of operations, overseeing inspections, REO and property preservation for Safeguard. Jen ensures quality work is performed in the field and internally, to meet and exceed our clients’ expectations. Jen has demonstrated the ability to deliver consistent results in order audit and order management.  She will build upon these strengths in order to deliver this level of excellence in both REO and property preservation operations.

Jen joined Safeguard in 1997 and was promoted to director of inspections operations in 2009 and assistant vice president of inspections operations in 2012.

She graduated from Cleveland State University with a degree in business.

x

AVP, Finance

Jennifer Anspach

Jennifer Anspach is the assistant vice president of finance for Safeguard. She is responsible for the company’s national workforce of approximately 1,000 employees. She manages recruitment strategies, employee relations, training, personnel policies, retention, payroll and benefits programs. Additionally, Jennifer has oversight of the accounts receivable and loss functions formerly within the accounting department.

Jennifer joined the company in April 2009 as a manager of accounting and finance and a year later was promoted to director. She was named AVP of human capital in 2014. Prior to joining Safeguard, she held several management positions at OfficeMax and InkStop in both operations and finance.

Jennifer is a graduate of Youngstown State University. She was named a Crain’s Cleveland Business Archer Award finalist for HR Executive of the Year in 2017.

x

AVP, Application Architecture

Rick Moran

Rick Moran is the assistant vice president of application architecture for Safeguard. Rick is responsible for evolving the Safeguard IT systems. He leads the design of Safeguard’s enterprise application architecture. This includes Safeguard’s real-time integration with other systems, vendors and clients; the future upgrade roadmap for systems; and standards designed to meet availability, security, performance and goals.

Rick has been with Safeguard since 2011. During that time, he has led the system upgrades necessary to support Safeguard’s growth. In addition, Rick’s team has designed and implemented several innovative systems.

Prior to joining Safeguard, Rick was director of enterprise architecture at Revol Wireless, a privately held CDMA Wireless provider in Ohio and Indiana, and operated his own consulting firm providing services to the manufacturing, telecommunications, and energy sectors.

x

AVP, Technology Infrastructure and Cloud Services

Steve Machovina

Steve Machovina is the assistant vice president of technology infrastructure and cloud services for Safeguard. He is responsible for the overall management and design of Safeguard’s hybrid cloud infrastructure. He manages all technology engineering staff who support data centers, telecommunications, network, servers, storage, service monitoring, and disaster recovery.

Steve joined Safeguard in November 2013 as director of information technology operations.

Prior to joining Safeguard, Steve was vice president of information technology at Revol Wireless, a privately held wireless provider in Ohio and Indiana. He also held management positions with Northcoast PCS and Corecomm Communications, and spent nine years as a Coast Guard officer and pilot.

Steve holds a BBA in management information systems from Kent State University in Ohio and an MBA from Wayne State University in Michigan.

x

AVP, Mobile and Analytics

Jason Heckman

Jason Heckman is the assistant vice president of mobile and analytics for Safeguard. He is responsible for both Safeguard’s mobile development and strategy as well as the company’s data warehousing and business intelligence. Jason oversees the design, development and release of all Safeguard’s internally developed mobile applications. He also oversees the development and delivery of operational and analytical data technologies throughout the organization.

Jason joined Safeguard as manager of mobile in 2012. During that time he led the development and integration of Safeguard’s mobile applications across the company’s vendor network to provide real-time data from the field. In 2014, he was promoted to director of mobile applications and named assistant vice president in 2017.

Prior to joining Safeguard, Jason was the director of application development and business intelligence for Revol Wireless, a privately held wireless provider in Ohio and Indiana.

Jason holds a bachelor’s degree in business management from Case Western Reserve University in Ohio.

x

AVP, Business Development

Tim Rath

Tim Rath is the AVP of business development for Safeguard. He is responsible for developing innovative growth strategies for Safeguard and developing and overseeing potential partnerships, mergers and acquisitions.

Tim joined Safeguard in 2011 as project director and has filled numerous roles within Vendor Management, most recently serving as director of vendor management, a role he assumed in 2011.

Prior to Safeguard, Tim worked as director of supply chain at PartsSource Inc. in Aurora, Ohio, a provider of medical replacement parts, procurement solutions and healthcare supply chain management technology services. He also has held sales positions with Rexel, ComDoc, and Pier Associates, all based in Ohio.

Tim holds a degree in marketing and sales from The University of Akron in Akron, Ohio. He also earned his FAA Certified Commercial UAS (Drone) Pilot license in 2017.