Security of data in the mortgage industry is more than having an IT guy configure the router between your office and the Internet. In this article, we will review some basic suggestions on ways to protect your office and data from eavesdropping.
Start with Fundamentals
If you have an office of more than one individual, you have a built-in potential for a security breach. Similar to the way that a secret cannot be kept if one person tells anyone else, security becomes compromised when multiple individuals have access to information we don’t want shared indiscriminately with others.
Securing data in our office has to be done for a number of reasons, some not so obvious. The most important reason for security is to protect the privacy of our clients, and to ensure that they do not find their identities and financial information compromised by a third party. Not only is it a business and ethical requirement to protect this data, there is another reason overlooked by many loan officers: it is required by law. In particular, we are required to protect the integrity of data transmitted electronically, be it by e-mail, the Internet, or within an office network.
But security is not just a matter of configuring and securing data on our computers and network. It starts with some common sense rules in the way we run our businesses.
One of my favorite issues is the way many individuals operate in a cubicle environment and leave their passwords written on a sticky note for others to see when they walk by. This is particularly amusing with a receptionist or other individual within easy access of a visiting delivery person or interviewee. We simply have to enforce an atmosphere in the office where we require people to take seriously the policies that are in place to secure information.
There should be an adequate and readily available paper shredder for any loan officer or processor with regular access to client documentation, so unwanted copies and notes may be effectively destroyed. Some offices are very loose on this topic, maybe providing only a single large shredder for use by key processing personnel. The bottom line is that if such equipment is not readily available, the office will soon get lazy about disposing of confidential documentation.
Finally, paper loan files should not be left out at night for prying eyes to see, and should preferably not be left open, but put away in file cabinets when the office is closed. It would not be too much of a stretch to suggest they be locked up after hours when regular mortgage personnel are not there.
Internal Computer Network Security
It is very much a universal truth at this point that a mortgage company will have a local area network to communicate between workstations and the central data repository—the server. It is relatively easy to secure this basic network from outsiders. The network is based on a wired connection between the workstations and the server, and unless this wire is intercepted physically by a third party, it is impossible to read the data circulating on this network. There are, however, some not-so-obvious ways for data to “leak” from this network without the network administrator or office manager being aware.
While it is now becoming uncommon to see a floppy disk drive on the typical office machine, it is very common to see a CD writer or USB ports. The USB ports allow devices such as the mouse or keyboard to connect to the computer. Unfortunately, the advent of the USB memory key also allows a person to copy massive amounts of data from the machine or network in only a few minutes, without the knowledge of anyone else in the office. I would strongly recommend that any large retail operation tightly restrict access to the network via these security holes. Machines may be ordered without CD writers, and USB ports can be disabled, allowing a mouse and keyboard only with the more traditional PS2-style connector on the back of the computer. USB ports should be enabled only for personnel who really have a need for such capability.
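One way to apply the USB restriction described above on a Windows workstation, as an added example that is not part of the original article: rather than disabling the ports outright, it audits and optionally disables only the Windows USB mass-storage driver (the `USBSTOR` service), so a USB mouse and keyboard keep working. The function names and the exemption list are hypothetical.

```powershell
# Added example: audit, and optionally disable, USB mass storage on a Windows PC.
# USBSTOR is the Windows USB mass-storage driver service:
#   Start = 3 -> loads on demand (memory keys work), Start = 4 -> disabled.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Hypothetical list of machines whose users genuinely need USB storage.
$ExemptComputers = @('PROCESSING-01', 'IT-ADMIN-01')

function Get-UsbStorageState {
    if (-not (Test-Path $UsbStorKey)) { return 'DriverNotInstalled' }
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
    switch ($start) {
        3       { 'Enabled' }
        4       { 'Disabled' }
        default { "Other($start)" }
    }
}

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Disable-UsbStorage {
    # Machines on the exemption list keep their current setting.
    if ($ExemptComputers -contains $env:COMPUTERNAME) {
        return "Skipped: $env:COMPUTERNAME is on the exemption list"
    }
    if (-not (Test-IsAdministrator)) {
        throw 'Run from an elevated (administrator) prompt to change this setting.'
    }
    if (-not (Test-Path $UsbStorKey)) {
        throw 'USBSTOR key not found; the driver has not been installed on this machine yet.'
    }
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4
    "USB storage is now: $(Get-UsbStorageState)"
}

# Audit only by default; call Disable-UsbStorage explicitly to enforce.
"{0}: USB storage {1}" -f $env:COMPUTERNAME, (Get-UsbStorageState)
```

This covers USB memory keys only; CD writers are a separate channel and still need to be handled at purchase time or by other means.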
Wireless Internet Hubs
Many offices provide wireless internet access within their meeting rooms, or even in their main work areas. Traditional forms of security involve 128-bit encryption, private keywords and station IDs that are not broadcast but must be known before a laptop can connect. I can only very minimally recommend any type of wireless capability in most mortgage enterprises, because traditional forms of encryption are simply too easy for a motivated hacker to attack. Additional forms of protection such as so-called MAC address filtering, where a machine’s hardware address must specifically be on the list of machines permitted to enter the network, will help some.
But for the most part, limit this technology to the meeting room, and preferably only for Internet access. If you must provide access to the file server, limit the coverage of the hub and take all precautions. Consult an IT professional for more recent WPA technology that provides higher degrees of security when used with very long passphrases. And if you are a bank or credit union, forget about any of this. You simply cannot take the chance and will be in violation of various federal security statutes if you run a wireless network in your office.
Accessing the Internet
This area of securing your data has already received a great deal of attention in the press, but a quick overview should provide some assistance in securing your office. First, it is a really good idea that your main file server not be the same machine you use for accessing data from outside the office over the Internet. Any machine with direct access from the Internet needs to be separate from the other file servers in your office. Secondly, it is a given that you are using a hardware firewall/router to separate your office from the Internet. The router is primarily there to provide individual client connectivity through a single Internet share point. A side benefit of this hardware configuration is the ability to partially isolate these machines from unwanted ingress directly from the Internet.
If you are running a large office and protecting sensitive data, consider a dedicated firewall appliance in addition to the regular router. While it is beyond the scope of this article to get too detailed, this appliance can do such things as sample incoming data for certain characteristics of a hacker attack. In addition, it may allow data into the network only from specific other locations, further limiting the potential for hacking. This is one area where you simply have to acquire a very competent IT professional who is really on top of the latest in firewall technology, and you need to be aware that this is also one area of networking where there is plenty of marketing fluff and hyperbole, reminiscent of consumer audio and video marketing. The bottom line is that computer security technology is still in its infancy.
Leaving the Office
Several years ago, I would have listed a litany of suggestions about protecting data on your laptop or on your home PC if you were accessing your network from home. In the last year, technology advances have made it possible to truly keep your data secure while accessing it from outside of the office. It is still as important as ever to show some real care in the use of a laptop, considering the high rate at which they are stolen. A good, long password will keep users out of your machine if it is lost or stolen. Keeping very critical data both password protected and encrypted is easily accomplished with Windows XP Professional. Above all, loan information may be accessed live via the Internet with modern Loan Origination Systems, and the file does not ever need to be saved to the laptop or home office computer. There is nothing more disconcerting than losing a laptop loaded with several hundred files of personal financial account data, and wondering where it will end up.
Data security is as much a matter of common sense as it is of using sophisticated technology. The keys to data security lie in a careful application of this advanced technology coupled with some practical common sense on a daily basis. Hopefully, this article has made you aware of a few things you can do to better safeguard your office data.
By Stephen Breden