
Tech Talk with Mortgage Brain’s Atkinson: Brokers should stop using email to share sensitive client information

Written By: Shekina Tuahene
Posted: April 23, 2025
Updated: April 23, 2025

As part of the monthly Tech Talk with Mortgage Brain, Mortgage Solutions speaks to Cloe Atkinson, chief operating officer (COO) at the company.

In this column, she advises brokers to replicate banks in their client communications and explains the ramifications of data breaches. 

 

The ‘ripple effect’ of data security errors 

Atkinson recently attended a women in data event where a speaker from the International Cooperative Alliance (ICA) spoke about the ripple effect of errors.

This could be a situation where a person has escaped an abusive partner, and a data leak allows their former partner to see their new address.

Where there are joint applicants for a mortgage, a client portal might allow people to see their own data, but Atkinson questioned whether people should be able to see their partner’s information.


“We might be comfortable with sharing joint applicants’ details, but if the relationship dissolves into a domestic abuse situation and the person moves and creates another application, their information could still be visible to their partner through the client portal. 

“Those ripple effects can have devastating impacts,” she added. 

Mortgage Brain follows strict protocols of security by design within all its processes. The firm tests how each process could result in a breach of security. 

The company has different permission role profiles within the CRM module, such as compliance and administration, meaning each department can only access certain information. 

Atkinson said: “We have a myriad of different roles with different security protocols and permissions to make sure any individual in their role can only see the information relevant to complete their role.” 

Mortgage Brain follows a similar practice for its back-end database, which is on Mongo, and very few people in the business can access it.

Atkinson said: “We don’t allow our developers to have access to live product data, even though they have access to the code.

“Even within a smaller company like ours, we have segregation of duties through the production pipeline, and we have a chain of command so no one or two individuals could work together to extract production data or maliciously make changes.” 

This sits alongside the normal checks any other company would do, such as having an external penetration test, or “break the system” exercise, abiding by code principles and having third parties check that it has not breached industry best practice.

 

Communicating through secure channels 

Discussing the potential for seemingly legitimate spyware emails to be sent out to a company’s database, Atkinson said the weakest link in any organisation was its individuals. 

She encouraged brokers to communicate with clients through secure portals. 

Atkinson added: “That is bank standard; you’ll never get an email from your bank telling you to click on a link or disclose something sensitive about your account, but you will get a call to action to log in to your client portal to see a message they’ve sent. 

“Those standards are ones we are trying to encourage brokers to adopt. We know a lot of businesses communicate via email because it’s convenient, but if we can encourage them to use secure portals, it’s much safer. Then we can put controls over those portals to protect a client’s sensitive information, whereas it is much more difficult with a third party’s email account.” 

People are becoming more aware of phishing emails, but these emails are very clever and often look legitimate or urgent, leading people to click on them quickly without thoroughly checking that they look normal, Atkinson said.

She said this was why it was important to have controls in place, such as multi-factor authentication. Even though some brokers felt negative about it or found it slowed them down, Atkinson said it ensured protection against a password or device being compromised.

 

Putting data security into practice 

Atkinson said it was possible for malicious individuals to gain access to email communications where important documents like bank statements, passport information and payslips were being shared, especially on a web-based browser. 

She added: “Actually, it’s not best practice, we shouldn’t be encouraging customers to share via email. They only need to mistype the email address to send personal information to the wrong person.

“Similarly, when sending secure information to a client, it’s not recommended over email. As a broker, you also don’t know whether that client’s email has been compromised, so you’re sharing information back [that] might not be seen directly by the customer.” 

She said brokers should move away from email communications in the same way banks have done. 

Where brokers might keep data on a device separate from a technology platform, Atkinson said the information should not be kept on a desktop, especially one without remote wipe functionality, which allows information to be wiped remotely if the device is stolen, preventing it getting into malicious hands. It should be in a secure portal.

When deciding on a system to use, security should be an important consideration, Atkinson said, adding that ISO 27001 and Cyber Essentials certification were a great indication of system standards. Atkinson described ISO 27001 as the “gold standard” and said everyone should be working towards this.

Mortgage Brain is currently working towards achieving this standard in the next 12 months.