2
0
Last year Gartner reported that spending on information security (infosec) and risk management worldwide had increased more than 6% in 2020 and was on track to double that in 2021.* Given the amount of personally identifiable data our industry touches it is a key target for cyber criminals. The mortgage industry was also cautioned in a recent article that a purchase market creates more vulnerability at a time when attacks are already on rise. The topic is so important, the Mortgage Bankers Association even has an entire track dedicated to it at the upcoming MBA Tech Conference in Las Vegas next week.
In light of these statistics and for those not attending the show, I thought it a good time remind us all of some best practices to help prevent and protect us from an attack.
Internal Controls
I can’t stress the importance of internal controls. One of the best lines of defense against a cyber-attack is to add additional review and approval layers to help catch something that might seem like “normal business” but is instead a bad actor posing online as someone you know.
Protecting against wire fraud is a great example where internal controls can help. It’s not uncommon for vendors to communicate via email. When requests to change bank routing information come through, red flags should always go up because this type of attack could damage the financial position of the company should it succeed. Rather than acting immediately on the change request, internal controls like the ones below should be followed:
- Have the vendor fill out and sign a formal form for the request
- Physically speak to the vendor requesting the change
- Compare all original data and signatures to the new information and question any discrepancies
- Assign a supervisor to review the details of the change request
Physical Controls
Many companies are welcoming back employees to their offices as pandemic conditions improve, which makes physical controls a renewed focus. While at work or traveling for work, all members of the company should be reminded to:
- Always lock your computer when stepping away from your desk
- Properly dispose of printed materials containing confidential and personally identifiable information in designated, secure shredding stations.
- Not have passwords on display or easily accessible and never share passwords, under any circumstances, with colleagues.
- Avoid working in public spaces (coffee shops, public transit, ride shares) where what is on your screen may be viewed.
Online controls
These days nearly every aspect of our lives is online and often intertwined. As such, it’s important to know how to protect yourself and the company you work for (and its assets) from cybercriminals or are constantly finding new ways to catch you off guard. When it comes to online controls, the following five are a great start at saying protected:
- Avoid the use of public wi-fi. Should this be unavoidable, be sure to leverage your company’s virtual private network (VPN) for added security.
- When sending confidential information both internally and externally outside your company leverage your company’s “send secure” method to protect against penetration.
- Report suspicious emails: The number one rule is if you have even a slight suspicion, the best course of action is not to click on or open anything and forward the email to your IT team for their review and investigation.
- Sniff out phishing emails by looking closely at the ‘From’ and ‘Reply’ email addresses for matching/correct domains. Ones that do not match are warning signs this is from a bad actor. Phishing emails will also attempt to trick you by:
- Using something that closely resembles your company’s domain
- Masking the actual sending address with your company’s own domain
- Phishing emails often use the names of company employees in the email in order to make it look valid
I hope of these 3 control controls to protect against cyber and other attacks were helpful, as you and your teams work both remotely and back in physical offices this year. For more helpful tips surrounding cybersecurity, you can also read my last post here.
