Darren Kruk Takes Steps to Ensure Confidential Information is Secure

The June issue of Servicing Management featured an article authored by Safeguard’s Information Security Officer, Darren Kruk, titled No Laughing Matter.

No Laughing Matter
Field services companies take steps to ensure confidential information is secure.

The fictional story of Sandy Patterson in the popular 2013 comedy “Identity Thief” poked fun at the trials and tribulations of identity theft – making audiences chuckle and raking in more than $173 million worldwide. The film is about a woman named Diana (played by Melissa McCarthy) who lives in Florida and steals the identity of Sandy (played by Jason Bateman) from Denver.

Diana racks up large credit card bills, gets arrested for an assault in Sandy’s name (causing him to be questioned by police) and comes close to destroying Sandy’s life. After not getting the results he seeks from law enforcement, Sandy decides to take matters into his own hands and tracks down Diana to turn her into the police. They end up having a hilarious adventure, and everyone lives happily ever after, but in the real world, identity theft and information security breaches are no laughing matter.

According to the U.S. Office of Justice Programs, about 7% of people age 16 or older were victims of identity theft in 2012. Direct and indirect losses from identity theft totaled $24.7 billion that year. Approximately 36% of the victims reported moderate or severe emotional distress as a result. Now imagine the magnitude of a massive security breach at a company and the responsibilities it bears in keeping secure the data entrusted to it by millions of people and consumers.

Everyone can recall the recent data breach Target experienced around the holidays last year. That breach affected the credit card and personal information of 110 million Target shoppers. Since that time, it also has spawned dozens of legal actions and the resignations of Target’s top executives, including its chief information officer and CEO.

According to a Feb. 12 post on Krebs-OnSecurity, a blog written by Brian Krebs, a former Washington Post reporter who first alerted the public to the initial Target data breach, the breach “began with a malwarelaced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer.”

It was a malicious email at a vendor’s business that caused one of the largest data security breaches in the country’s history. It potentially could have been avoided if Target had ensured that information security was a priority, not only internally, but for its vendors as well.

In the mortgage servicing industry, it falls onto field services companies to ensure the security of millions of points of sensitive property data by promoting secure behavior internally and through their vendor networks.

Promoting secure behavior

Promoting the secure behavior of employees and vendors, rather than relying on awareness alone, is the most important aspect of information security for any business. In the past, businesses have spent millions of dollars on security awareness. But for those programs to be effective, they need to address the behaviors of their biggest asset – their employees and vendors.

While security experts do not like to admit it, they know that a company’s biggest asset can also be its weakest point. The old standards are standards only because they are so successful. Why would cybercriminals traverse a maze of elaborate systems and firewalls when all they need to do is send a targeted phishing email to employees or vendors that would trick them into launching a backdoor exploit? Nothing could be easier, and that is why this is still the most prevalent means of attack.

The Information Security Forum released a report in May called “From Promoting Awareness to Embedding Behaviors.” The report states that instead of just making people aware of their information security responsibilities and how they need to respond, businesses need to embed positive information security behaviors that become habits and part of the corporate culture.

Field services companies can embrace the message in this report by offering ongoing information security training in topics including fraud prevention, secure coding for developers, phishing and social engineering.

While the security department professionals take advanced training annually and concentrate on security daily, most employees have other daily duties, and without frequent reinforcement, they are prone to being exploited.

This is why it is necessary to focus on this group and move beyond annual training. Suggestions include monthly newsletters, bulletins, security games and positive reinforcement for following security rules.

There needs to be a belief that information security is a necessity and not just an add-on. It needs to be baked into an organization and its system, not be just a module that is added on afterwards.

Often, security department professionals hear, “What regulations are requiring us to do this?” or “Which client is asking this of us?” The answer is that it doesn’t matter. Field services companies must implement security controls because it is the right thing to do, not because a client or regulation is demanding it of them.

Communication is key

In the information security world, communication trumps all. Hackers communicate and help each other develop better and more efficient techniques of cracking into business systems. That same degree of communication at all levels of the mortgage servicing industry will help to minimize information security risks and prevent data breaches.

In any company, there should be clear and frequent communication not only between departments, but also with employees, clients and vendors. This can take the form of business-tobusiness calls to discuss operational issues and service-level agreements but also should include communications regarding security issues.

Security departments tend to be secretive, not wanting to divulge issues that exist, but that is exactly what hackers count on. Security departments within field services organizations need to balance the need to protect weaknesses with the benefits of communication. By sharing experiences with employees, clients and vendors, all can benefit and collaborate on building security protocols.

Field services companies need to create and maintain a common forum for their security officers to have these discussions on a frequent basis, without judgment. Only then would those officers be able to share new techniques, trends in the industry, and new threats to assess and adapt to them faster and more efficiently.

Monitoring, logging, alerting

Knowing what to monitor and log when it comes to information security can often be tricky. The best practice for field services companies in keeping private client and consumer information secure is to identify the confidential information and continually monitor and log it. And, just as importantly, these companies must remember to set up alerts that warn of deviations to the norm.

Many security professionals conduct tests to determine the effectiveness of their company’s security programs. They look for ways a hacker can gain entrance into the company’s environment and realize that they can never have too much information on where weaknesses have been identified. Companies often remember to secure the servers, network gear and desktop systems but also need to remember to include the printers, faxes, phones, remote access and the industrial control systems (ICSs).

The ICSs tend to be the most forgotten. After all, it is easy to forget that your computer room air conditioner units and uninterruptible power supply systems are attached to the same network, usually via simple network management protocols (SNMP), and are often left with their default passwords and settings. Anything that contains embedded operating systems today can be used as an entry point into your environment.

It is important to recognize and track the shape of the company’s data traffic because a change from the norm can indicate a problem. Employees embedded and engrained in information security also need to respond to alerts once theyare received.

Effective ways to monitor and log confidential information include the following:

  • Asset management: The pillar to protecting sensitive information is having a clear understanding of the company’s and clients’ assets, their classification, and where and how they are stored. Without understanding what needs to be secured and where it is located, it would be very difficult to protect it. There should be clear definitions of the data types that exist within the company and a matrix identifying the location of them. This is important when dealing with change control approvals. Anyone who has spent hours reviewing changes for approval can attest that knowing what data may be affected by the change can be the difference between an approval and a denial- and the difference between secure data and leaving the company or client open to a potential breach. A variety of changes have been known to be denied simply because the authors of a proposal did not do their due diligence and did not understand that they were manipulating confidential data incorrectly.
  • Network intrusion and prevention: Limited access and prevention will keep hackers or unauthorized persons from accessing your environment. A layered approach to information security is the most effective and includes systems such as firewalls, network monitors, anti-denial of service and antidistributed denial of service, access-lists, virtual local area networks, integrated file integrity monitoring, and host-based intrusion detection systems. Each layer makes it more difficult for an attacker to enter and gives a chance for security professionals to stop and prevent unauthorized access.
  • Password protection: Everyone knows the reason for passwords and that they need to be complex and changed frequently. But there is one aspect of passwords that tends to be overlooked, and that is changing the default user accounts and passwords from the defaults. This includes the default iLO passwords, the SNMP strings and remote access modems. Security professionals also need to Google the backdoor passwords and accounts that are created by manufacturers to be able to get into their company’s systems to repair possible issues.

In “Identity Thief,” Diana made a simple phone call and was able to obtain enough information to steal Sandy’s identity and ruin his financial life. More than 110 million people were left vulnerable to cybercriminals in the 2013 Target security breach. Although one is a fictional movie, the message about the importance of protecting sensitive data remains the same in people’s personal lives and in all industries.

Field services companies’ security professionals need to keep an open mind and never stop exploring new ways to protect their companies’ systems. From creating positive security habits in their employees and vendors, to constant communication and monitoring data transfers, information security programs should never remain stagnant. It is important to keep learning and improving.

Field services companies and their vendor networks are tasked with assuming their clients’ posture with respect to data and protecting it as if the fate of the company depends on it. Often, it does.

Darren Kruk is the information security officer for property preservation and field services firm Safeguard Properties. He can be reached at darren.kruk@safeguardproperties.com.

Please click here for the article in PDF.


About Safeguard 
Safeguard Properties is the largest mortgage field services company in the U.S. Founded in 1990 by Robert Klein and based in Valley View, Ohio, the company inspects and maintains defaulted and foreclosed properties for mortgage servicers, lenders, and other financial institutions. Safeguard employs approximately 1,700 people, in addition to a network of thousands of contractors nationally. Website: www.safeguardproperties.com.



Alan Jaffa

Alan Jaffa is the chief executive officer for Safeguard, steering the company as the mortgage field services industry leader. He also serves on the board of advisors for SCG Partners, a middle-market private equity fund focused on diversifying and expanding Safeguard Properties’ business model into complimentary markets.

Alan joined Safeguard in 1995, learning the business from the ground up. He was promoted to chief operating officer in 2002, and was named CEO in May 2010. His hands-on experience has given him unique insights as a leader to innovate, improve and strengthen Safeguard’s processes to assure that the company adheres to the highest standards of quality and customer service.

Under Alan’s leadership, Safeguard has grown significantly with strategies that have included new and expanded services, technology investments that deliver higher quality and greater efficiency to clients, and strategic acquisitions. He takes a team approach to process improvement, involving staff at all levels of the organization to address issues, brainstorm solutions, and identify new and better ways to serve clients.

In 2008, Alan was recognized by Crain’s Cleveland Business in its annual “40-Under-40” profile of young leaders. He also was named a NEO Ernst & Young Entrepreneur of the Year® finalist in 2013.


Chief Operating Officer

Michael Greenbaum

Michael Greenbaum is the chief operating officer for Safeguard. Mike has been instrumental in aligning operations to become more efficient, effective, and compliant with our ever-changing industry requirements. Mike has a proven track record of excellence, partnership and collaboration at Safeguard. Under Mike’s leadership, all operational departments of Safeguard have reviewed, updated and enhanced their business processes to maximize efficiency and improve quality control.

Mike joined Safeguard in July 2010 as vice president of REO and has continued to take on additional duties and responsibilities within the organization, including the role of vice president of operations in 2013 and then COO in 2015.

Mike built his business career in supply-chain management, operations, finance and marketing. He has held senior management and executive positions with Erico, a manufacturing company in Solon, Ohio; Accel, Inc., a packaging company in Lewis Center, Ohio; and McMaster-Carr, an industrial supply company in Aurora, Ohio.

Before entering the business world, Mike served in the U.S. Army, Ordinance Branch, and specialized in supply chain management. He is a distinguished graduate of West Point (U.S. Military Academy), where he majored in quantitative economics.



Sean Reddington

Sean Reddington is the new Chief Information Officer for Safeguard Properties LLC. Sean has over 15+ years of experience in Information Services Management with a strong focus on Product and Application Management. Sean is responsible for Safeguard’s technological direction, including planning, implementation and maintaining all operational systems

Sean has a proven record of accomplishment for increasing operational efficiencies, improving customer service levels, and implementing and maintaining IT initiatives to support successful business processes.  He has provided the vision and dedicated leadership for key technologies for Fortune 100 companies, and nationally recognized consulting firms including enterprise system architecture, security, desktop and database management systems. Sean possesses strong functional and system knowledge of information security, systems and software, contracts management, budgeting, human resources and legal and related regulatory compliance.

Sean joined Safeguard Properties LLC from RenPSG Inc. which is a nationally leading Philintropic Software Platform in the Fintech space. He oversaw the organization’s technological direction including planning, implementing and maintaining the best practices that align with all corporate functions. He also provided day-to-day technology operations, enterprise security, information risk and vulnerability management, audit and compliance, security awareness and training.

Prior to RenPSG, Sean worked for DMI Consulting as a Client Success Director where he guided the delivery in a multibillion-dollar Fortune 500 enterprise client account. He was responsible for all project deliveries in terms of quality, budget and timeliness and led the team to coordinate development and definition of project scope and limitations. Sean also worked for KPMG Consulting in their Microsoft Practice and Technicolor’s Ebusiness Division where he had responsibility for application development, maintenance, and support.

Sean is a graduate of Rutgers University with a Bachelor of Arts and received his Masters in International Business from Central Michigan University. He was also a commissioned officer in the United States Air Force prior to his career in the business world.


General Counsel and Executive Vice President

Linda Erkkila, Esq.

Linda Erkkila is the general counsel and executive vice president for Safeguard and oversees the legal, human resources, training, and compliance departments. Linda’s responsibilities cover regulatory issues that impact Safeguard’s operations, risk mitigation, enterprise strategic planning, human resources and training initiatives, compliance, litigation and claims management, and mergers, acquisition and joint ventures.

Linda assures that Safeguard’s strategic initiatives align with its resources, leverage opportunities across the company, and contemplate compliance mandates. Her practice spans over 20 years, and Linda’s experience covers regulatory disclosure, corporate governance compliance, risk assessment, executive compensation, litigation management, and merger and acquisition activity. Her experience at a former Fortune 500 financial institution during the subprime crisis helped develop Linda’s pro-active approach to change management during periods of heightened regulatory scrutiny.

Linda previously served as vice president and attorney for National City Corporation, as securities and corporate governance counsel for Agilysys Inc., and as an associate at Thompson Hine LLP. She earned her JD at Cleveland-Marshall College of Law. Linda holds a degree in economics from Miami University and an MBA. In 2017, Linda was named as both a “Woman of Influence” by HousingWire and as a “Leading Lady” by MReport.


Chief Financial Officer

Joe Iafigliola

Joe Iafigliola is the Chief Financial Officer for Safeguard. Joe is responsible for the Control, Quality Assurance, Business Development, Accounting & Information Security departments, and is a Managing Director of SCG Partners, a middle-market private equity fund focused on diversifying and expanding Safeguard Properties’ business model into complimentary markets.

Joe has been in a wide variety of roles in finance, supply chain management, information systems development, and sales and marketing. His career includes senior positions with McMaster-Carr Supply Company, Newell/Rubbermaid, and Procter and Gamble.

Joe has an MBA from The Weatherhead School of Management at Case Western Reserve University, is a Certified Management Accountant (CMA), and holds a bachelor’s degree from The Ohio State University’s Honors Accounting program.


AVP, High Risk and Investor Compliance

Steve Meyer

Steve Meyer is the assistant vice president of high risk and investor compliance for Safeguard. In this role, Steve is responsible for managing our clients’ conveyance processes, Safeguard’s investor compliance team and developing our working relationships with cities and municipalities around the country. He also works directly with our clients in our many outreach efforts and he represents Safeguard at a number of industry conferences each year.

Steve joined Safeguard in 1998 as manager over the hazard claims team. He was instrumental in the development and creation of policies, procedures and operating protocol. Under Steve’s leadership, the department became one of the largest within Safeguard. In 2002, he assumed responsibility for the newly-formed high risk department, once again building its success. Steve was promoted to director over these two areas in 2007, and he was promoted to assistant vice president in 2012.

Prior to joining Safeguard, Steve spent 10 years within the insurance industry, holding a number of positions including multi-line property adjuster, branch claims supervisor, and multi-line and subrogation/litigation supervisor. Steve is a graduate of Grove City College.


AVP, Operations

Jennifer Jozity

Jennifer Jozity is the assistant vice president of operations, overseeing inspections, REO and property preservation for Safeguard. Jen ensures quality work is performed in the field and internally, to meet and exceed our clients’ expectations. Jen has demonstrated the ability to deliver consistent results in order audit and order management.  She will build upon these strengths in order to deliver this level of excellence in both REO and property preservation operations.

Jen joined Safeguard in 1997 and was promoted to director of inspections operations in 2009 and assistant vice president of inspections operations in 2012.

She graduated from Cleveland State University with a degree in business.


AVP, Finance

Jennifer Anspach

Jennifer Anspach is the assistant vice president of finance for Safeguard. She is responsible for the company’s national workforce of approximately 1,000 employees. She manages recruitment strategies, employee relations, training, personnel policies, retention, payroll and benefits programs. Additionally, Jennifer has oversight of the accounts receivable and loss functions formerly within the accounting department.

Jennifer joined the company in April 2009 as a manager of accounting and finance and a year later was promoted to director. She was named AVP of human capital in 2014. Prior to joining Safeguard, she held several management positions at OfficeMax and InkStop in both operations and finance.

Jennifer is a graduate of Youngstown State University. She was named a Crain’s Cleveland Business Archer Award finalist for HR Executive of the Year in 2017.


AVP, Application Architecture

Rick Moran

Rick Moran is the assistant vice president of application architecture for Safeguard. Rick is responsible for evolving the Safeguard IT systems. He leads the design of Safeguard’s enterprise application architecture. This includes Safeguard’s real-time integration with other systems, vendors and clients; the future upgrade roadmap for systems; and standards designed to meet availability, security, performance and goals.

Rick has been with Safeguard since 2011. During that time, he has led the system upgrades necessary to support Safeguard’s growth. In addition, Rick’s team has designed and implemented several innovative systems.

Prior to joining Safeguard, Rick was director of enterprise architecture at Revol Wireless, a privately held CDMA Wireless provider in Ohio and Indiana, and operated his own consulting firm providing services to the manufacturing, telecommunications, and energy sectors.


AVP, Technology Infrastructure and Cloud Services

Steve Machovina

Steve Machovina is the assistant vice president of technology infrastructure and cloud services for Safeguard. He is responsible for the overall management and design of Safeguard’s hybrid cloud infrastructure. He manages all technology engineering staff who support data centers, telecommunications, network, servers, storage, service monitoring, and disaster recovery.

Steve joined Safeguard in November 2013 as director of information technology operations.

Prior to joining Safeguard, Steve was vice president of information technology at Revol Wireless, a privately held wireless provider in Ohio and Indiana. He also held management positions with Northcoast PCS and Corecomm Communications, and spent nine years as a Coast Guard officer and pilot.

Steve holds a BBA in management information systems from Kent State University in Ohio and an MBA from Wayne State University in Michigan.


Assistant Vice president of Application Development

Steve Goberish

Steve Goberish, is the assistant vice president of application development for Safeguard. He is responsible for the maintenance and evolution of Safeguard’s vendor systems ensuring high-availability, security and scalability while advancing the vendor products’ capabilities and enhancing the vendor experience.

Prior to joining Safeguard, Steve was a senior technical architect and development manager at First American Title Insurance, a publicly held title insurance provider based in southern California, in addition to managing and developing applications in multiple sectors from insurance to VOIP.

Steve has a bachelor’s degree from Kent State University in Ohio.