April 26th, 2021
How to Keep Your Private Lending Business Data Secure
When it comes to data security, you are only as strong as your weakest link. Data security is a way of life, and it’s absolutely crucial to stay informed. A private lending business stores a great deal of sensitive information that must be kept safe in order to earn trust, be a reliable partner and, ultimately, protect investors and borrowers, so make sure that data is properly secured.
In the midst of a pandemic, we’ve been forced to change the way we operate our businesses. As web-based technology becomes more prominent in our work environment, there are more opportunities for breaches and compromises to take place. In a 2020 article, TechRepublic reported that the volume of publicly disclosed data breaches fell by 48% in 2020 compared with the previous year, to 3,932 in total. However, the number of records compromised in those breaches jumped by 141% to a whopping 37 billion, the largest number seen by RSB since 2005.
Not only is leaked and potentially compromised data a serious matter in itself, but governing bodies also impose more fines and penalties these days. Data Protection Act fines and settlement payouts can run to hundreds of millions of dollars. Handling someone’s private and confidential information is a huge responsibility, and it should not be taken lightly.
To know your business data is secure, you need to ensure that the software companies you use have proper security practices in place, and you need to know about third parties and their practices as well. If you use a vendor to perform a certain task, you should know how the data is stored and what practices are in place to keep it protected.
For example, at Mortgage Automator, all of the private borrower information we store is encrypted. There are many more external and internal practices that should be considered within your business, and we break them down for you below.
- Know where the data is being stored.
- Understand the data policies of your software service providers.
- Have a disaster recovery plan in place.
Location of Data
Data residency is important: you need to know where the data is being stored. For example, did you know that Dropbox stores all of its data in the US? Dropbox receives data requests from government agencies from time to time and complies with them, so if the US government ever needed access to your data, it could get it in full. It’s best to keep clients’ data where it originates. At Mortgage Automator, we have engineered our system so that Canadian clients’ data is held on Canadian servers and US clients’ data on US servers.
Data Policies of Your Software Service Providers
Are you well aware of the data policies of your software service providers? What happens when or if there’s an attack? At Mortgage Automator, we use a web infrastructure service called Cloudflare, which we rely on for protection from denial-of-service attacks. It hides our servers’ IP addresses, and since an attack on a server cannot be carried out without its IP address, no attack can be made against it.
Disaster Recovery Plan (DRP)
If something were to go wrong with clients’ data, do you have a plan in place? Who has access to which programs? What if there is a data loss or a failed backup? Think through all the scenarios and how you would approach them. The information and instructions in a DRP will help you make decisions and respond to both cyber and environment-related events involving your data.
- Have staff data policies in place.
- Use two-factor authentication.
- Prepare emergency plans.
- Perform annual check-ins.
- Use encryption when necessary.
- Back up your data regularly.
Staff Data Policies
Your staff should be well aware of your internal protection policies. Make the policies easy to follow so that staff retain the information and put it into practice. For example: train your staff to identify phishing emails. Also, make sure that all staff have continuous real-time background screenings. These checks should include both a financial and a criminal history report.
Use a strong password for every account and have a reputable password manager remember it for you. Your best option is to accept the automatically generated password that the manager suggests, or you can create your own. It should contain uppercase letters, lowercase letters, numbers, and symbols. For example: XkeDZaJ3%yIOd3. Contrary to popular belief, one unique password for each account is all you need, and you don’t need to change it every 3 months. Dave Hatter, a cybersecurity consultant at intrust IT, told Business Insider, “Unless you become aware of a password breach, there is no need to change your passwords regularly if each is a strong, unique password. This is even more true if you are using two-factor authentication.”
There is also a site you can use to check whether your email address has appeared in a data breach, and you can subscribe to notifications for this as well.
In addition to your username and password login, two-factor authentication is a must wherever it is available. It adds a second layer of security to your account. In most cases, it involves receiving a code by SMS on your mobile number. Even if your password were stolen, the account still can’t be logged into.
Have Emergency Plans in Place
Just as you would have a plan for external emergencies, you should also think through the scenarios of what could happen internally. What happens if one of your staff’s computers is stolen? How do you ensure terminated employees lose access to sensitive data? You should also consider getting data breach insurance for your business. If there is ever a leak, data breach insurance can cover things such as investigation costs, hardware and software damage costs, fines incurred by lost data, lost revenue, etc.
Make sure everyone is following the policies in place. Hold annual check-ins to go over these policies. This holds everyone accountable and reinforces the knowledge and importance of data security within your company. Everyone should know their role and play a part in making data security practices and protection a priority.
Encryption is a balancing act. If you tried to encrypt everything, it would be a hugely inefficient use of resources. Only private and confidential information needs encryption: encrypt anything sensitive, no matter where it is stored or how unlikely it is that someone would find it.
There are two reasons to do regular data backups: redundancy, and ensuring the accuracy of historical information. At Mortgage Automator, we back up our system on a rolling schedule: hourly backups are kept for four hours, four-hourly backups for one day, daily backups for a week and weekly backups for a month; after that we keep the monthly backup. We also use a separate service that backs up our data in real time, in case the main server ever goes down. This service switches our website to offline mode and saves the data in read-only mode.
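A tiered schedule like the one above is only useful if old backups are pruned consistently, so that the hourly copies age out while the daily, weekly and monthly ones survive. The following added example, which is not Mortgage Automator’s code, implements that retention rule: each tier groups snapshots by age into buckets of its own size and keeps the newest snapshot in every bucket, and a snapshot survives if any tier keeps it. The tier table mirrors the schedule in the post (with a month taken as 30 days and monthly copies kept indefinitely, both assumptions of this example); the function names and the hourly sample timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

# Retention tiers as (bucket size, how far back the tier reaches).
# Within each tier the newest snapshot of every bucket is kept.
# A horizon of None means the tier is kept indefinitely.
TIERS = [
    (timedelta(hours=1), timedelta(hours=4)),   # hourly, for four hours
    (timedelta(hours=4), timedelta(days=1)),    # every four hours, for a day
    (timedelta(days=1), timedelta(days=7)),     # daily, for a week
    (timedelta(days=7), timedelta(days=30)),    # weekly, for a month (assumed 30 days)
    (timedelta(days=30), None),                 # monthly, kept indefinitely (assumption)
]


def select_retained(snapshots, now, tiers=TIERS):
    """Return the set of snapshot timestamps to keep under the tiered policy.

    For each tier, snapshots no older than the tier's horizon are grouped
    into buckets of the tier's size by age; the newest snapshot in each
    bucket is retained. A snapshot survives if any tier retains it.
    """
    keep = set()
    newest_first = sorted(snapshots, reverse=True)
    for bucket, horizon in tiers:
        filled = set()
        for ts in newest_first:
            age = now - ts
            if age < timedelta(0):
                continue  # clock skew: ignore snapshots "from the future"
            if horizon is not None and age > horizon:
                break  # newest-first order: everything after this is older
            slot = age // bucket  # integer bucket index within this tier
            if slot not in filled:
                filled.add(slot)
                keep.add(ts)
    return keep


def retention_plan(snapshots, now, tiers=TIERS):
    """Split snapshots into (keep, prune), each sorted oldest-first."""
    keep = select_retained(snapshots, now, tiers)
    return sorted(keep), sorted(s for s in snapshots if s not in keep)


def hourly_snapshots(now, days):
    """Constructed sample input: one snapshot per hour for `days` days."""
    return [now - timedelta(hours=h) for h in range(days * 24 + 1)]


if __name__ == "__main__":
    now = datetime(2021, 4, 26, 12, 0)
    keep, prune = retention_plan(hourly_snapshots(now, 60), now)
    print(f"{len(keep)} kept, {len(prune)} pruned")
    for ts in keep:
        print(ts, "age", now - ts)
```

Run against sixty days of hourly snapshots, the plan keeps 21 copies: the last five hours, then every four hours back to a day, every day back to a week, every week back to a month, and the 30- and 60-day monthly copies. The pruning decision is made from the timestamps alone, so the same function can be run as a scheduled job against whatever naming or metadata the backup store exposes.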
It is good practice to keep backups of your data. We suggest using the cloud rather than a physical device. If you are an Apple user, iCloud is a great option: if your computer is stolen or damaged, you can get a new computer from Apple and restore all of your files onto it from iCloud. If you use an external hard drive, make sure that drive is encrypted.
Data security is a serious mindset that should be embedded in the culture of your business. Be sure to review your policies with your team regularly and have internal and external plans and practices in place that will allow you to have a solid and secure foundation for private and confidential data.