Date: Aug 07, 2018 @ 08:00 AM

The free flow of sensitive information between businesses and their clients is essential. But when it comes to data security, not understanding the risks can result in costly and sometimes irreparable mistakes.

As evidenced by the September breach at credit-reporting agency Experian, which exposed the data of some 143 million Americans, the need for financial service providers to employ cutting-edge information security solutions is paramount. Even the largest and presumably most well-protected entities have found their client data for sale on the Dark Web, causing a backlash of bad press, potential litigation and burdensome cleanup costs.

In the course of conducting due diligence for a loan, lease or other business transaction, banks, independent finance companies, private equity firms, and other specialty lenders must handle a range of sensitive and potentially valuable information. Each day, millions of pages of documentation are sent through cyberspace in the form of e-documents, attached files and plain old email correspondence. Yet many if not most people are largely unaware of the many dangers lurking in cyberspace. New threats emerge daily, and nefarious actors are aggressively pursuing new avenues for unlocking data that doesn’t belong to them.

Unfortunately, essential paperwork often contains information that could cripple a client’s business or personal life if it falls into the wrong hands. When asked to identify high-risk data, most people are aware that information contained in medical records and bank statements, and unique identifiers such as credit card and social security numbers are in high demand by fraudsters. However, so-called “Personally Identifiable Information,” or PII, also covers a number of seemingly innocuous variables. Indeed, the federal government defines PII as any piece of information “that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.”

This covers identifiers such as name, address, social security number, telephone number, or email addresses, among others. While not every individual data point carries the same level of risk, when used in conjunction with more sensitive information even something as simple as a client’s date of birth can hold value for cybercriminals.

But the risks associated with lax data security go beyond any potential financial loss experienced by the information’s owner. That’s because mishandling client PII can have serious blowback even in cases where no actual fraud is committed or financial loss demonstrated. In most cases the mere acknowledgment of a breach carries fiduciary and possibly regulatory penalties for the responsible party. And that doesn’t even account for the damage a serious data breach can inflict on a business’s reputation and credibility in the market.

Even so, the vast majority of American businesses think too little about the cyber risk environment. According to one survey conducted in 2017, only 2 percent of small businesses view data security as their top priority, despite the fact that nearly half of all cyberattacks target the small business sector.

According to Hemu Nigam, founder of the internet security firm SSP Blue, “Most small-business owners take the attitude of ‘Why would anybody care about me? I’m just the little guy.’”

On the contrary, says Nigam, hackers love small businesses for that very reason, as smaller firms have fewer resources to protect against data theft. Although large breaches like Sony or Experian are more likely to capture headlines, most data exposures affect just thousands, or even hundreds, of records. One analysis of PII for sale on the Dark Web found that 90% of it came from breaches of 5,000 accounts or fewer. Accordingly, it is critical for lenders and businesses of all types and sizes to be aware of these risks and to take proactive steps to secure their client data when processing a credit application.

Some simple tactics for protecting data include automating networks to require regular password changes to limit the window of risk, and avoiding the use of public WiFi networks that are open to multiple unknown users and/or administrators. Many businesses are also employing two-factor authentication — which requires both a password and a randomly generated key code for network access. Housing documents securely on servers that are safely behind a firewall is also critical to protecting client documentation during the due diligence stage.

Still, even the strongest safe only protects what’s inside it, and small-scale data breaches often happen when information is in transit or housed improperly on employee or vendor devices. One way to keep sensitive documents out of the wrong hands is to use encrypted messaging and file sharing platforms in lieu of email. While email remains one of the most accessible avenues for cyber-intrusion, many lenders still routinely transmit documents that include personal financial information back and forth over this relatively unprotected channel. Thankfully there are dozens of “secure” enterprise collaboration tools on the market. However, not all employ the same level of protection. Businesses should be mindful about researching messaging and document sharing platforms carefully before adopting them for sensitive tasks, and consider both in-house and third-party options.

Most cyberattacks are successful because hackers first target employees with identity theft schemes to steal their access information. In the end, the most important tool in a lender’s information security arsenal is also the cheapest: education. Keeping employees up to speed on the risks associated with sending information over unprotected channels, and warning of the impending threats from phishing attacks, malware and ransomware can prevent breaches before they happen, saving both time and money. It’s important for all enterprises to have written policies in place that employ simple best practices.

Lenders and other business transaction professionals should embrace mandatory and frequent training to make sure all employees — from sales to underwriting staff — are aware of the current cyber risks. Policies should also include guidelines for proper handling of electronic correspondence; warnings against clicking unknown URLs or downloading attachments from unverifiable sources; and instructions for keeping devices used for work secure while away from the office.

The free flow of sensitive information between businesses and their clients is essential to many different industries, and the growth of technology has increased the speed and efficiency of the due diligence process. Companies that handle PII during a background check or due diligence process have an obligation to their clients to put the security of their personal data above the desire to quickly close a deal. When it comes to data security, not understanding the risks can result in costly and sometimes irreparable mistakes.



Sue Bury
President/Chief Executive Officer | 1STWEST Background Due Diligence LLC
Sue Bury oversees the strategic direction, operations, vendor management and marketing of Denver-based 1STWEST Background Due Diligence. As a big picture visionary and business strategist, Ms. Bury and her team have engineered the most comprehensive Risk Intelligence Platform, providing leadership in risk mitigation solutions by uniting cutting-edge technology and advanced data intelligence with hands-on expertise.

Ms. Bury has over 25 years of experience in the background screening industry. She is a strong advocate for brand and bottom line protection by mitigating risk through enhanced background due diligence and routinely conducts webinars, frequently speaks as an industry expert on panels, and authors blogs/articles with numerous industry associations and publications.

Professional work history includes a proven track record as a successful entrepreneur in numerous ventures and she has held senior executive marketing positions with public and mid-market companies garnering award-winning achievements for prominent global brands. Ms. Bury is experienced in leading comprehensive business development, organic growth expansion, operation efficiencies, establishing and sustaining superior brand positioning, concept to market product innovations, investor development & relations and marketing communications. Sue has been an effective company spokesperson and an on-air lifestyle host with numerous cable and digital brands in diverse industries.

Ms. Bury actively networks within the following organizations: Commercial Finance Association, Association for Corporate Growth, Turnaround Management Association, Small Business Alliance Association, International Factoring Association, Society for Human Resource Management and the Women Business Enterprise National Council. She holds a B.S. degree from the University of Iowa.