With high-profile data breaches in the news, we touch base with Chuck Bloodgood, CIO at FirstClose, to learn how mortgage professionals can protect their customers’ data. In his role, Bloodgood oversees the people, processes, and technology within FirstClose’s IT department to ensure they deliver outcomes that support the goals and objectives of the company. He plays a key leadership role in the strategic, technical and management initiatives that mitigate threats and drive business growth.
What are the most common ways a company’s data is breached?
In the IT industry, in fact all industries, we are attacked all the time. I look at my list of people who are accessing my network on a weekly basis and I see IPs coming in from China, Russia, and many other places. Every week, I have people coming in trying to attack our systems. This is the normal environment. It's not new. Hacks have been going on forever. It's just that now with the Internet, the accessibility and the value has changed. Before you could probably get just a few items that you could steal, but now with cyber hacking, you can get an immense amount of value from it.
Because there is so much to be gained from entry into different networks, we're seeing hacking on an industrial, professional scale, sponsored by countries. The innovativeness of the professional hacker is much higher than what I've seen in the past.
Some of the attacks we’ve heard about are called a zero-day defect, which is something that no one knows about that's been in the program or the system where it's published. As the systems are getting better, the people who are trying to get in are looking for the weak spot.
If the systems are getting pretty well hardened, they're going to look to people. The way big data is being compromised now is they're shifting towards the social engineering side. That means phishing, Trojan horses, etc. Essentially, how can hackers convince a person to expose their network or password?
Can you tell us more about what people should look out for in phishing scams?
The phishing environment is extraordinary. For example, they can copy a Facebook friend notice where you get a friend request from someone and the minute you click on that button they take you to a page that has been completely replicated to look exactly like what you would expect. As soon as you enter any data, they can follow every single click you make and steal it. You have to look at the URL to which you are being directed to be safe.
It's also very easy for a hacker to send a consumer a notice from their bank saying, "Please check your account. We think that there's a security violation." Of course, that scares everyone so they click on it. They enter their banking information and all of a sudden, they're completely exposed because they went to a page that looked exactly like a legitimate one.
How can companies protect against one of their employees clicking on a bad link?
There are companies out there where you can pull a list of all your employees and every month they get a phishing test. I would much rather have my teams learn phishing by clicking on something where they get zapped rather than get taken. We monitor that. We track every employee, every month and monitor their performance. If someone consistently clicks on links that they shouldn't, we give them additional training.
That brings up the whole training aspect. We have to train our employees. IT may be a foreign topic to a lot of people, but it's the tool of our trade. Everyone has to have some degree of knowledge that these kinds of things exist and how to protect themselves.
Do you feel consumers will start to be less willing to provide their data during the mortgage process?
That's a good question. I just went through a home mortgage, and they said they were going to have someone call to verify my information. And indeed, I did get a call a day or so later, but I had not been given the name of the person that they would call, or the firm. The person called, and I told them very pleasantly, "I'm sorry, I'm not going to give away that information until I verify it." The interesting response was they accepted it completely. I think consumers have to refuse to give out information. I think bankers have to accept that and make sure that they have this in mind when they discuss details with their customers.
In what other ways are you protecting FirstClose against breaches?
We have the standard number of firewalls, both internal and external. We protect the office from the data center. We protect office and data center from outside. All our servers as well as all our employee computers have antivirus. That's unusual for a server to have it, but we figure if one gets loose in our server environment, we don't want it to have free rein. We have multiple layers of protection on everything. Having said that, that just stops the simple attacks.
If we look at, for example, the recent Equifax issue, it was caused by a system called Apache Struts. Apache Struts is a Java MVC framework used during programming. So here's a situation where code was hacked, and it was given to programmers. Now, giving it to the programmers didn't cause any problems. It still provided the tools that the programmer needed in order to make the applications that they're doing. However, when that was published, it then contained the breach.
How would a programmer have known that? They wouldn't. They don't go through the vast amount of compiled code that they get from tools. We all use multiple tools. The only way that could have been caught is by monitoring your network and looking for what are called data leaks.
In the case of something being on your network that shouldn’t be there, how is that addressed?
I spoke to my network guys about this a few weeks ago, and they said that they maintain the address of everything that's on the network. When things change, they notice it. So that's one thing: be aware of what's on your network. Second is you need to monitor the traffic. Who are the top 10 data consumers on your network? What are the top 10 addresses that data is being sent to? Just keep an eye on what's going in, what's going out, what's being put on the network.
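The inventory and top-10 checks described in the answer above, as an added example that is not part of the interview or FirstClose's tooling. It assumes flow records exported as `src dst bytes` lines, a 10.0.0.0/8 internal range and a host inventory, all constructed here, and it treats "data consumers" as the hosts sending the most bytes.

```python
import ipaddress
from collections import Counter

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")       # assumed internal range
KNOWN_HOSTS = {"10.0.1.10", "10.0.1.11", "10.0.2.20"}   # constructed inventory

# Constructed flow records, one "src dst bytes" per line (not a real export format).
SAMPLE_FLOWS = """\
10.0.1.10 203.0.113.5 1200
10.0.1.11 198.51.100.7 48000000
10.0.2.20 203.0.113.5 3400
10.0.9.99 198.51.100.7 950000
10.0.1.11 198.51.100.7 52000000
bad line
10.0.1.10 10.0.2.20 800
"""

def parse_flows(text):
    """Yield (src, dst, bytes) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        yield src, dst, int(parts[2])

def summarize(text, known_hosts, top_n=10):
    """Return (top senders, top destinations, internal hosts not in inventory)."""
    sent, received, unknown = Counter(), Counter(), set()
    for src, dst, nbytes in parse_flows(text):
        sent[str(src)] += nbytes
        received[str(dst)] += nbytes
        for addr in (src, dst):
            # An internal address missing from the inventory is a change to notice.
            if addr in INTERNAL_NET and str(addr) not in known_hosts:
                unknown.add(str(addr))
    return sent.most_common(top_n), received.most_common(top_n), sorted(unknown)

if __name__ == "__main__":
    senders, destinations, unknown = summarize(SAMPLE_FLOWS, KNOWN_HOSTS)
    print("Top senders:", senders)
    print("Top destinations:", destinations)
    print("Not in inventory:", unknown)
```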
What should companies do as next steps if they find themselves in a position where they have had their data compromised in some way?
They have to have a security plan, first of all. The security plan needs to identify the immediate steps for that particular company. For example, in our company we have the security team—CEO, CIO, and COO. Those three people get together and organize the different directions for a response.
You have to manage the external communications. People have to be notified—the customer, vendor involved, and any related firms, as well as law enforcement. There are many external communications that may be required. Internal operations may be affected. Are we going to shut something down to stop the breach immediately or is the breach already over?
Then of course there's the IT. Immediately, IT has to get a handle on the scope, the effects, who's involved. There's a need for information very quickly about the breach. What process is in place that you can activate instantly to get that? Do you have the right tools? Are the right computers in the right place to go out to the network and look at your log files and find out what happened?
All of these things have to come together and you have to have your plan set up so that you do things in a managed, controlled, and proper way.