BrokerEngine

1300 998 791Request a DemoFree Demo

Top 7 Data Security Best Practices For Mortgage Brokers

by

Technology and “the cloud” have delivered amazing efficiencies to mortgage broking firms. Yet a world where sensitive client data is connected to the web also poses threats for brokers and your clients alike. 

According to the Office for the Australian Information Commissioner (OAIC), there were 57 notifiable data breaches reported by financial services firms during the latest reporting period (Jan – June 2021). 

The good news is that most of the data risks are known and simple enough to protect against. In this article we’ll unpack the top 7 ways data breaches occur and how to protect you and your clients against them. 

How Data Breaches Occur: Truth vs Reality

When many people think of “cyber-crime”, they think of malicious actors trying to “hack into“ computer systems. The reality is very different:

  • most data breaches occur as the result of human error, rather than technical hackers breaking through firewalls or servers.
  • Cyber-crime tools are now widely and cheaply available online, meaning that it’s easier than ever for criminals to attack your firm.
  • Breaches instigated by employees, contractors or outgoing partners also need to be considered. 

Therefore, the focus needs to be on plugging the security holes that are most likely to occur so you can keep your firm safe. Here are the top 7 such holes, and how to patch them…

1. Team Members “Daisy-Chaining” Passwords

“Daisy chaining” passwords means using the same password for multiple online accounts.

When individuals bring their personal passwords over to the business setting, they often re-use the same passwords.

However, when cyber-criminals get their hands on one of the passwords, they can easily detect other accounts where the same password is in use.

This is how criminals can breach sensitive services such as business email accounts, where a lot of damage can be done in a short time. 

FIX: Use a password management tool such as 1Password, Lastpass or Practice Protect to easily create strong, unique and virtually unhackable passwords for every service you use.

2. Weak Passwords Being Cracked By Brute Force Methods

Many people use passwords that are far too obvious, short and simple. Short passwords can be hacked by brute force in seconds. Passwords of even 8 or 9 characters present no problem to hackers, as this table (courtesy of Practice Protect) reveals:

FIX: We recommend that all cloud apps are secured with strong, unique passwords with a minimum length of 16 characters. Password management apps can be configured with a “minimum password strength” to ensure this rule is followed. 

3. Team Members Sharing Passwords

Some firms are in the habit of sharing logins between team members. The problem comes when team members leave. You have to cycle passwords to maintain security, and it’s easy to forget who has access to which passwords.

Before long, there are multiple people who have access to a patchwork of passwords and apps they’re not supposed to. 

Shared passwords also present a problem around controlling and auditing access. If a data breach or other irregularity occurs, it’s difficult or impossible to track the breach point. 

FIX: Wherever possible, supply unique usernames and passwords to each individual team member. Use a password management app to share passwords on a “need-to-know” basis. 

4. Insufficient Employee Oversight (Especially Remote/Offshore)

When employees are onsite in an office environment, it’s easier to spot when something seems amiss. But when employees are offsite, remote or offshore, you have less visibility. 

In 99% of cases, there’s no problem. But if a team member or other person with access to passwords starts stealing or improperly accessing data, it’s almost impossible to detect until the damage is done. 

Another issue is that firms often have no control over external devices and how secure they are. For example, a team member’s teenage son may have downloaded infected software on the weekend, leading to the device becoming infected with keylogging software. Now when their company email password is typed in, it’s captured, leading to a breach.

FIX 1: Use password management software to put a “Geo-Fence” around data access, so that only team members in approved locations or facilities can access your cloud apps. 

FIX 2: Switch on Two-Factor Authentication (2FA) for sensitive apps. This makes it MUCH, MUCH harder for cyber criminals to breach your systems. (This is why BrokerEngine features mandatory 2FA for both users and mortgage borrowers who are submitting documents and fact find info online.)

FIX 3: Where possible, control access permissions to ensure the right level of access for each user, but no more.

5. Ex-Partners, Managers or Employees Stealing Client Data

The vast majority of team members are honest and would never do anything to compromise the good name or reputation of your firm. 

But occasionally, employees can become disgruntled and decide that your firm data is really their data to do what they like with.

It’s also not unknown for a partnership to dissolve and for the outgoing partner to take the client list and other valuable data with them. 

All these things happen far more often than you might think. 

FIX: Password management apps offer the ability to “switch off” access to apps with one click. For added security, we recommend cycling old passwords, especially for sensitive apps such as email or client management tools. 

6. Storing Passwords In Browsers

Browsers such as Chrome, Firefox and Internet Explorer offer the ability to save passwords directly.

It may be convenient, but it’s also extremely insecure. Raw passwords can be exposed in plain text with a few clicks. 

Where browsers are used across multiple devices, a stolen iPhone or an unsupervised desktop can quickly result in a leak. 

All team members should be reminded never to save passwords in browsers and to delete and cycle any that are already stored.

FIX: Password management apps offer a much more secure way to store passwords, and they are not expensive.

7. Leaving End Points (Devices) Open To Breach

A further risk is the actual devices and connections that team members are using. If a criminal gains access to any of your devices by stealing a cellphone or getting into your network, there’s plenty of damage they can do, even if they never get into any of your cloud accounts. 

One common risk is Public WiFi. If your staff occasionally log on at coffee shops or hotels, then any of the following could occur:

  • Criminals could see everything the logged in user is doing
  • They could install malware, trojans or other nasty software

Again, it only takes one staff member to access a non-secure network once for there to be a problem. 

FIX: Make staff aware of the risks of public WIFI, and if required, supply staff with VPN software such as NordVPN to provide a secure, encrypted connection. 

In Conclusion

Cyber-security risks may sound scary, but almost all the risks can be mitigated by:

  1. Adopting a Password Management app, firm-wide
  2. Ensuring your Password Management app is configured with appropriate policies (e.g. minimum password length).
  3. Providing periodic training to all staff members on cyber security risks and how to avoid them (even 10 minutes per month serves as a useful reminder to staff). 
  4. Mandating 2-Factor Authentication for sensitive apps. Yes, it’s a bit annoying, but it does offer greatly enhanced protection. 

Thank you to Practice Protect for their input into this article.