Darren Kruk Reveals the New Technology Threat
The September edition of HW Focus features an article authored by Safeguard’s Darren Kruk, information security officer, titled “New Technology Threat.”
New technology threat
How vendors can help keep mortgage servicer information secure
Before the world of mobile phones, pagers, tablets and other “electronic leashes” that are part of daily life today, life was much simpler. People handed out their Social Security numbers with no concerns about thieves using that information to steal their money or identities.
Were there fewer criminals in the world then? Probably not. It’s just that advances in technology have given criminals new avenues to access and exploit electronic information for their own monetary gain.
Each year, technology races forward and brings new innovations and, with them, new exploitations. Protecting confidential information from exposure to new threats is like playing a game of Whack-a-Mole. Those trying to protect information have to stay one step ahead of the criminals who are trying to steal it.
Mortgage servicers and their field service partners are a part of that game. Just as technology is ever-changing, information security continuously must evolve to meet new threats and comply with changing regulatory requirements designed to protect the privacy and security of citizens.
As main vendors for the mortgage servicing industry, field service companies store a lot of confidential property data on behalf of their mortgage servicing clients. As such, they must adhere to the same information security guidelines to meet compliance requirements on behalf of their clients.
Also, field service companies must stay one step ahead of advances in mobile devices, cloud technology and social networking. The reason? Though they bring many benefits, they also present a number of threats.
Mobile devices have quickly brought the world closer together, allowing people to connect as never before. Our mobile devices are more than phones. They are our online banks, music repositories, contact lists, shopping assistants, and our source for airline tickets, maps, books, email and countless other activities.
In the field services industry, mobile devices also have become a valuable tool to help inspectors and contractors access and update work orders, meet timelines, instantly report property condition and damages, and protect properties from costly damage and code violations.
As the use of mobile devices in field servicing grows, so do the security risks. To protect the security of information transmitted through mobile devices, field service companies must educate and train their contractors using these devices on policies and procedures to keep information secure and minimize security threats.
Among the threats are exposure to cell provider networks that can be hacked, lack of firewalls, and malicious software in downloadable applications that can steal information. Because field service companies and their contractors of necessity must connect with the information systems of mortgage servicers, each can expose the other to potential security breaches.
Field service companies can assure that the information collected on their contractors’ mobile devices is secure by developing their own customized applications. For example, mobile applications should not be able to send or store any information on a customer’s loan or personal information, only the address of the properties the vendors are visiting. This is the easiest way to ensure information does not fall into the wrong hands.
However, even if contractors do not house sensitive information on their phones, field service companies must still ensure that any information collected is not easily accessible. This can be controlled in several ways. The first is to require a username and password that ties directly back to the field servicing company’s internal systems. A user should have to log in with their credentials before gaining access to information. After a set period of inactivity, the application should log the user out and require them to log back on.
Any data stored on the phone should be stored in what is referred to as a “sandbox”. Sandbox data cannot be accessed by an individual from their device outside of the application. Nor can they pull information from their devices if they connect to a personal computer.
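The two application controls described above (sending only property-address data to the device, and logging the user out after inactivity) can be sketched on the server side as follows. This is an added example, not code from the article or from Safeguard; the field names, the 15-minute timeout and the sample record are assumptions constructed for illustration.

```python
import time

# Assumption: the only work-order fields a contractor's device needs.
DEVICE_ALLOWED_FIELDS = {"work_order_id", "property_address", "due_date"}
IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value


def minimize_for_device(work_order: dict) -> dict:
    """Allowlist filter: drop every field not explicitly approved for the device."""
    return {k: v for k, v in work_order.items() if k in DEVICE_ALLOWED_FIELDS}


class DeviceSession:
    """Server-side session that expires after a period of inactivity."""

    def __init__(self, username, now=None, timeout=IDLE_TIMEOUT_SECONDS):
        self.username = username
        self.timeout = timeout
        self.last_activity = time.monotonic() if now is None else now
        self.active = True

    def touch(self, now=None) -> bool:
        """Call on each request. Returns False once the user must log in again."""
        now = time.monotonic() if now is None else now
        if not self.active or now - self.last_activity > self.timeout:
            self.active = False  # an expired session never revives
            return False
        self.last_activity = now
        return True


def fetch_work_order(session, work_order, now=None):
    """Serve a work order only to a live session, and only the minimized view."""
    if not session.touch(now):
        raise PermissionError("session expired; log in again")
    return minimize_for_device(work_order)


# Constructed sample record (not real data).
SAMPLE_ORDER = {
    "work_order_id": "WO-0001",
    "property_address": "123 Example St, Springfield",
    "due_date": "2024-01-31",
    "loan_number": "0000000000",
    "borrower_name": "Jane Sample",
    "borrower_ssn": "000-00-0000",
}
```

Using an allowlist rather than a blocklist means a field added to the back-end record later stays off the device until someone approves it.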
While cloud technology is the latest buzz for technologists, companies should tread carefully and understand not only the benefits, but also the risks. Any new technology is an attacker’s dream, as companies often shift to it before they fully understand all of the vulnerabilities. Cloud services are especially vulnerable because they are quickly becoming repositories for large quantities of information, much of it confidential.
Many security experts fear that the next big hack will be to a single cloud service provider because of the ability to compromise multiple companies through a single source. For example, if a hacker has the option to hack 10 companies independently or attack the cloud provider that 10 different companies use as their application service provider, the hacker’s effort will have more impact by attacking the cloud provider.
Until better certifying authority and standards are developed, such as those from the International Organization for Standardization, field service companies and their servicing clients should use cloud services and other new technologies for noncritical, nonconfidential data only.
Social networks such as Facebook and Twitter, which connect users through an expansive cloud-sourcing community web, have advanced beyond helping people find old friends and maintain contact with family and friends across the globe. Businesses now rely on them to supplement their marketing and customer outreach efforts.
At the same time, many businesses have had to implement policies on social network usage during work hours because of productivity issues, reputational risks and, most importantly, security threats when employees access these services through company systems.
Hackers are creating new, complex computer viruses that can morph and be delivered to company systems through social networking sites. Work computers and company systems are vulnerable to these viruses when employees download the latest game or viral video. It is important for servicers and field service companies to create policies about social networking that block employee access to prevent potential attacks.
Times have changed when it comes to technology and the way field service companies obtain and relay information to their contractors and their mortgage servicing clients. To take advantage of the efficiencies these technologies bring, and also guard against the potential threats to security, it is imperative that field service companies implement, monitor, evaluate and update their policies and procedures to keep confidential information safe, assuring that their mortgage servicing clients maintain compliance.
Darren Kruk is the information security officer for Safeguard Properties, the largest field services provider in the U.S. He joined Safeguard in 2006 and is responsible for all policies and procedures to protect the security of sensitive client and corporate information.
Safeguard Properties is the largest mortgage field services company in the U.S. Founded in 1990 by Robert Klein and based in Valley View, Ohio, the company inspects and maintains defaulted and foreclosed properties for mortgage servicers, lenders, and other financial institutions. Safeguard employs approximately 1,700 people, in addition to a network of thousands of contractors nationally. Website: www.safeguardproperties.com.