When most consumers think of assets, they often think of personal property, real estate they own and cash. The most valuable asset they possess is their personal financial information, for if that is taken everything else can be taken as well. A big part of what we do in the financial services industry must therefore be about protecting the personal financial information of the consumers we serve.
Accomplishing this goal in a fully connected world, where a few taps on the keyboard can give a hacker half a world away access, is not easy. Many of the partners we work with don’t have the resources to provide a robust defense against the many risks they face. They count on our support. This is the way we view information security.
A Critical Mandate
The title company plays a pivotal role in the real estate transaction. We insure the transaction, of course, but we also often handle the closing, hold funds in escrow for both parties and handle the recording of the final documents. As more of this process is completed in a fully electronic manner, our role as data guardians becomes more prominent.
While some might tell you that they can keep you safe from all threats, they are overpromising, leading you into a false sense of security and lying to you. The truth, while difficult to hear, is that in spite of our very best efforts, the chances of keeping a committed attacker out of a network are extremely small.
Similar to our physical homes, if someone is fully committed to getting in, he/she will find a way to do so. No amount of locks or alarms or alarm signs will prevent it. But we can be ready when it occurs if we know what to watch for.
Knowing Where You Are at Risk
Our industry faces both generic risks, stemming from cyber-attacks that can be used against any industry, and industry-specific risks. There is a range of “phishing” attacks that are very common. Generally coming to the company or the consumer through e-mail — though increasingly through social media — these schemes attempt to get an unsuspecting person to give the hacker access to their computers. Once access is gained, malware can be downloaded to the system.
Many businesses are run on e-mail. Americans working in all industries use it all day long. But e-mail was never meant to be a secure method of communication. It’s easily spoofed. You don’t have to have very much technical knowledge to be able to spoof an e-mail and make it look like it came from someone else.
Once a hacker gets access to a computer they can download ransomware, which will take control of the user’s data until a fee is paid to the hackers to get the information back and regain control of the computer.
One attack that is very specific to our industry involves escrow accounts. Hackers have long tried to trick industry workers into sending escrow funds to the wrong place. E-mail is again the favorite tool for the criminal here.
Our Approach to Information Security
Some have proposed that hackers enjoy cyber-crime because they don’t want to work hard enough to keep a real job. That may or may not be true, but it is definitely true that given the choice between an easy target and a secure one, the criminal will go for the easy mark every time.
Defending yourself often comes down to that old saying: “You don’t have to be faster than the bear; you just have to be faster than the other person fleeing the bear.” To protect ourselves, our partners and our customers, we have to be stronger than other targets with similar information assets. Our goal at WFG is to be extremely strong when it comes to information security and to do what we can to help every one of our partners be just as strong.
The first step down that path is the development of a solid strategy for information security. This begins with a strong framework, which generally takes the form of an Information Security Management System or ISMS. The ISMS puts the company’s policies and procedures into a framework that includes all legal, physical and technical controls involved in the company’s information risk management processes.
Several frameworks exist, and we studied them all before adopting the one we feel does the best job of protecting our assets. Much has been written on the benefits of one framework over another and there is plenty you can read on the issue, but it’s far better to choose one than to be unprotected while you try to make a decision. We are happy to share with our partners why we made the decision we did.
A good ISMS framework is important because it gives the Information Security department metrics to measure against. Without a framework, it is very difficult to know how well the company is protecting itself from outside threats. A framework gives the IS manager a set of management-approved steps to take in the event of an intrusion.
As for preventing intrusions, we never count on e-mail, and we urge our business partners to always let transaction participants know in advance that they will never send them wiring instructions via unencrypted e-mail. This is the path of least resistance for the criminal, who simply sends an e-mail to the buyer with his bank account information and asks them to send over the escrow money.
We also take great pains to protect our e-mail server. We see thousands of e-mail attacks hit our servers every single day. Upwards of 87% of all the e-mail messages we receive are malicious! We use sophisticated blocking technologies to protect our people and customers from these attacks.
We take employee training seriously and make sure that our people are up to date on the latest intrusion techniques and let them know how to foil them. We stay in close communication with our partners, sending them valuable security information. Soon, we’ll offer even more services to help them keep their data — and the information their customers trust them with — safe.
No one can guard against every single security threat, which is why a good ISMS framework details the steps the company will take if an intrusion occurs. But when it comes to being stronger than the next company out there, WFG takes its responsibility as Information Security Guardian very seriously. It helps us sleep better at night, and our partners and customers, too.
About the author:
Bruce Phillips is Senior Vice-President and Chief Information Security Officer for Williston Financial Group. He can be reached at Bruce.Phillips@willistonfinancial.com.