Tag Archives: cyber security

Being cyber secure

The threat of online security risks including cyberattacks, malware, and phishing scams will always exist. Cybercriminals are constantly evolving to become more complex and convincing, meaning your business must stay vigilant and take steps to protect itself, its employees, and its customers.

Startling statistics reveal that in the UK, a small business is hacked successfully every 19 seconds. Across both small and medium-sized businesses 65,000 cyberattacks are executed every day, with 4,500 of those being successful[1].

Worryingly, attacks are increasing in frequency with 46% of businesses reporting a cyber security breach or attack in the last 12 months with many experiencing issues at least once a week. Of those, 19% experienced financial or data loss while 39% suffered loss through business disruption or having to implement new measures to stop a recurrence[2].

Pandemic predators

The COVID-19 pandemic has brought a surge in online activity creating more opportunities for cybercriminals to steal data, and employees working from home also provide new targets[3]:

  • Coronavirus blamed for 238% rise in attacks on banks
  • 80% of firms have seen an increase in cyberattacks
  • Cloud-based attacks rose 630% between January and April 2020
  • Phishing attempts have risen 600% since the end of February.

Types of threats and staying safe

The term ‘hacker’ covers professional criminals and disgruntled employees alike but regardless of name, they are developing new methods of attack all the time. Throughout the cyber security industry, the eight main threats to be aware of are deemed to be as follows, together with some actions to try and stay safe, as recommended by the National Cyber Security Centre (NCSC), the government, and major security companies:

Malware – makes your computer/network malfunction or grants the attacker access and control with varieties such as worms, viruses or trojans.

Phishing – malicious emails designed to fool people into disclosing details or taking action that is damaging for the business.

Ransomware – denies a user access to their own system by locking it behind a paywall, rendering it unusable until a ransom is paid.

To minimise the likelihood of becoming a victim of malware, phishing, and ransomware, or similar threats, industry experts recommend taking the following precautions:

  • only use current and updated web browsers and operating systems;
  • scan new disks and files with anti-virus software;
  • avoid giving out personal data to unsolicited calls, emails or texts;
  • don’t click links in emails you were not expecting;
  • only download from trusted websites and sources;
  • do not click unverified links;
  • avoid use of public wi-fi networks;
  • use a virtual private network (VPN) where possible.

Other types of threat

Distributed Denial of Service (DDoS) – designed to overwhelm either your database or website by bombarding them with more requests than they can handle, causing them to become unresponsive.

To avoid becoming a victim of a distributed denial of service attack, industry experts suggest that you:

  • ensure your business/website has enough bandwidth to handle spikes in traffic;
  • spread your servers across multiple data centres and distribute traffic between them;
  • protect servers with network firewalls, web application firewalls, and load balancers.

Man in the Middle – pretending to be a reputable business using a fake website or intercepting a connection with the intent of harvesting data from users. These attacks often occur through unsecured public Wi-Fi networks.

There are several steps that experts say will counter these attacks, for instance:

  • educate employees not to use public networks;
  • use virtual private network (VPN) for secure connections;
  • monitor networks and devices for unusual activity;
  • use up to date and secure browsers;
  • implement two-factor authentication.

Structured Query Language (SQL) Injection – hackers insert malicious code into an SQL server to make it release information.

Cyber security professionals suggest preventing SQL Injection attacks by:

  • using a web application firewall;
  • creating multiple database user accounts so that only specific, trusted individuals can access the database.
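The two preventions above sit in front of and around the database; the defect they guard against lives in application code that builds queries from user input. The example below is an added illustration, not code from this post or from Mortgage Brain: it uses Python's standard sqlite3 module with a constructed three-row client table (the table, the usernames and the crafted input are all made up here) to show the same lookup written the vulnerable way and the parameterised way, and compares how many rows each returns for an ordinary username and for input that closes the quote and appends a condition.

```python
import sqlite3

# Constructed sample data for the demonstration; not real client records.
CLIENTS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE client (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO client VALUES (?, ?, ?)", CLIENTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The defect: user input is pasted straight into the SQL text, so whatever
    the caller types becomes part of the query grammar, not just a value."""
    sql = f"SELECT id, username, email FROM client WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """The fix: the driver sends the value separately from the SQL text, so it
    can only ever be compared as a string and is never parsed as SQL."""
    sql = "SELECT id, username, email FROM client WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo() -> dict:
    """Row counts returned by each variant for a normal and a crafted input."""
    conn = make_db()
    # Constructed input that closes the quoted literal and adds an always-true test.
    crafted = "x' OR '1'='1"
    return {
        "vuln_normal": len(lookup_vulnerable(conn, "alice")),
        "vuln_crafted": len(lookup_vulnerable(conn, crafted)),
        "safe_normal": len(lookup_parameterised(conn, "alice")),
        "safe_crafted": len(lookup_parameterised(conn, crafted)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The vulnerable variant returns every row for the crafted input while the parameterised one returns none, which is the whole point of binding values rather than concatenating them. Parameterisation is the control that removes the defect; the account separation the post recommends limits what a query can reach if a defect is missed, so the account the web application connects with should hold only the privileges its queries need.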

Password attacks – whether guessing a user’s password or using software to do so, once obtained the cyber attacker has complete access to the system and all its information.

To combat password attacks, experts suggest implementing a password policy that promotes strong passwords. A strong password includes:

  • at least 12 characters;
  • no personal information;
  • a combination of numbers, symbols, capital letters and lower-case letters.

Zero-day exploits – exploiting software’s vulnerabilities, especially as it ages. That is why it is always important to keep software updated and apply any security patches that are issued.

Cyber security professionals suggest your business can reduce the risk of zero-day exploit attacks by:

  • using solutions that can scan for vulnerabilities;
  • installing software patches as soon as they become available;
  • utilising data validation to test any input supplied by an application or user.

With heightened motivation and opportunity for cyber criminals, cyber security specialists say it’s important to review your cyber security regime and address any vulnerabilities that may leave your business at risk. Kaspersky estimated in 2019 that 41% of consumers left themselves open to security risk by using unsupported or near end-of-life operating systems like Windows XP or Windows 7[4].

The NCSC suggests a cyber security checklist for SMEs:

  • Knowledge is power

Establish a channel of communication to enable the exchange of information including policies and training to maintain awareness of cyber risks to your business.

  • Secure your network

Monitor and test your network, and secure its perimeter to stop unauthorised access or malicious content from entering.

  • Stop malware

Use up to date web browsers, ensure anti-virus software is used to scan disks and files; don’t give out personal data, and don’t click links in unsolicited emails.

  • Don’t go public

Public Wi-Fi is more vulnerable to being intercepted so reduce and avoid use where possible.

  • Keep systems updated

System security patches must be applied as soon as possible to ensure security configuration is maintained and avoid exploitation of vulnerabilities.

  • Control access

Limit user privileges and the number of privileged accounts to control access to systems. Restrict access to activity and audit logs.

  • Be ready to react

Prepare an incident response strategy and test your disaster recovery capabilities. Activate specialist company-wide training and report any criminal incidents to relevant authorities.

  • Monitor activity

Monitor all your systems and networks and look for any unusual activity that could indicate an attack. Set up a strategy and policies across the business to do this.

  • Away from the office

Ensure all staff understand the risks of home and mobile working and train them to follow protocols with ways to protect data at all times.

  • Strengthen passwords

Implement a password policy that promotes strong passwords that contain at least 12 characters, no personal information and a combination of numbers, symbols, and capital/lower case characters.

  • Start at the top

Board and senior management must assess risk to information and systems within the business to establish a risk management regime.

Look out for further information on this topic from future blogs.


[1] http://hrnews.co.uk/cyber-security-statistics-in-the-uk-reveal-troubling-figures/

[2] https://www.gov.uk/government/publications/cyber-security-breaches-survey-2020/cyber-security-breaches-survey-2020

[3] https://www.fintechnews.org/the-2020-cybersecurity-stats-you-need-to-know/

[4] https://www.kaspersky.com/about/press-releases/2019_consumers-still-use-unsupported-and-near-end-of-life-os

Our Systems and GDPR

With the new General Data Protection Regulation (GDPR) coming into force this week, on 25th May, we’ve been working hard to ensure our systems are enhanced ahead of the new rulings, so that you can be confident that our technology will keep you compliant.

Our enhancements have addressed the main areas of GDPR relevant to the functionality of our systems and the way you use them: definition and handling of personal data, the right to be forgotten, recording of clients’ consent, data portability and the right to object. This blog explains how we have updated and improved each of our systems so that you can have complete peace of mind after 25th May.


Mortgage sourcing

Both MortgageBrain Classic and MortgageBrain Anywhere have had several improvements and enhancements in light of GDPR.

There is now much greater flexibility and control in client data handling, for example enabling you to choose various options when deleting client records or exporting client data – some of the main GDPR requirements.

Deleting data

As GDPR requires you to justify why you’re keeping client data, our sourcing systems now enable you to find dormant clients in order to delete their data or re-contact them if needed. There is a ‘find dormant clients’ option, which you can select to bring up the clients to review.

The new rules also state that no record can be kept of any client data which has been deleted. Therefore, your deleted clients list will only contain a unique client ID, who deleted the client, when, and why.

A ‘deleted clients’ list can be exported in a CSV file to another location allowing it to be saved as part of the GDPR record keeping process.
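The retained record described above (a unique client ID, who deleted the client, when, and why) is worth pinning down in code, because the one free-text field, the reason, is where a client's name or email address can quietly re-enter a log that is supposed to hold none. The example below is an added illustration and is not code from this post or from the sourcing systems it describes: a fixed-field audit entry, a guard that rejects a reason containing the client's own details, and a CSV export of the resulting list using Python's standard csv module. The client record, the user name and the reasons are constructed sample values.

```python
import csv
import io
from dataclasses import dataclass, fields
from datetime import datetime, timezone

# Fields of the client record that must never appear in the retained log.
PERSONAL_FIELDS = ("name", "email", "phone")


@dataclass(frozen=True)
class DeletionEntry:
    """Everything that is kept once a client record has been erased."""
    client_id: str
    deleted_by: str
    deleted_at: str  # ISO 8601 timestamp, UTC
    reason: str


def make_entry(client: dict, deleted_by: str, reason: str, now: datetime = None) -> DeletionEntry:
    """Build the audit entry for a client that is about to be deleted.
    Only the opaque ID survives; the reason is checked so it cannot carry the
    client's name, email or phone number back into the log."""
    lowered = reason.lower()
    for key in PERSONAL_FIELDS:
        value = str(client.get(key, "")).strip().lower()
        if value and value in lowered:
            raise ValueError(f"reason must not contain the client's {key}")
    stamp = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    return DeletionEntry(str(client["id"]), deleted_by, stamp, reason)


def export_csv(entries) -> str:
    """Serialise the deleted-clients list with a header row, for record keeping."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow([f.name for f in fields(DeletionEntry)])
    for entry in entries:
        writer.writerow([entry.client_id, entry.deleted_by, entry.deleted_at, entry.reason])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed client record; not a real person.
    client = {"id": 4711, "name": "Alice Example", "email": "alice@example.com"}
    entry = make_entry(client, "jsmith", "dormant for more than 6 years")
    print(export_csv([entry]))
    try:
        make_entry(client, "jsmith", "Alice Example asked to be forgotten")
    except ValueError as err:
        print("rejected:", err)
```

Keeping the entry a frozen dataclass with four named fields means the schema itself documents what is retained, and a reviewer can see at a glance that nothing else can be written. The guard is deliberately simple: it compares the reason against the record being deleted, not against every client in the system, which keeps it cheap to run inside the deletion path.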

Exporting data

Another stipulation of GDPR is to be able to export client data in a common standard format. This is to comply with the ability to provide clients with their data so that they can check and confirm that what is being held is correct.

We have also now made it easy to export this data, with a new export button, which also allows you to save the data to a file which can then be given to the client.

CRM, back office support & compliance systems

The Key, our CRM system, stores a great deal of client data, so there is now additional functionality to ensure you can fulfil your GDPR responsibilities. The enhancements include the ability to record consent, and the right for clients to be forgotten.

There are multiple enhancements to recording consent located in the ‘consent manager,’ as well as the ability to record ‘processing consent.’ Users are also able to record marketing consent via mail, email, phone and text message.

All of the Key’s deletion processes have been reviewed to ensure all personal data is removed to comply with GDPR. We have included a new function, enabling you to select multiple client records to be deleted all in one go. You can also search free text recorded as notes in order to search for, and delete, personal data that isn’t stored in the main client record.

The Key’s data portability features have also been reviewed, so that all necessary personal data is available. Industry-standard formats are now used, and records of activity now kept within the Key.

Finally, we have also reviewed our Fact Find functionality and have ensured that amendment of dependents data is recorded to ensure compliance with GDPR.

Multi-lender mortgage application platform

MTE, our mortgage application system, like our other products, already fulfilled most of the GDPR requirements, with personal data being password protected and encrypted. However, we have made further enhancements ahead of this month’s implementation of the new rules, including the ability to delete applications permanently, to export client data as a CSV file and to keep a record of client data exports and deletions. Furthermore, we have introduced a new option to record a free text note when deleting a client.

Data security

Your responsibilities

While our systems enable you to be fully GDPR-compliant, there are still responsibilities which lie with you. These include ensuring your computers are running software which is fully secure, and operating systems supported by providers. Any applications you use should be kept fully up-to-date, as well as protected by strong passwords to ensure security of data you store. We also recommend using screensavers for when you’re away from your computer for added protection.

You can find details about GDPR and our privacy policy, terms and conditions and release notes for the latest versions of MortgageBrain Classic, MortgageBrain Anywhere, MTE, the Key and MortgageStream on the GDPR page on our website.

If you’d still like to read more about GDPR, with the regulations coming into place on 25th May 2018, a presentation on the topic can be found here.

Keep your data secure with the Key

Cyber-crime is one of the biggest threats we face in our day-to-day lives – especially for those of us who spend a large chunk of our time on a computer.

With cyber-security of paramount importance, our role here at Mortgage Brain is to keep your client’s details safe and secure within our systems. This means that, as a broker, you are able to ensure that your clients have peace of mind throughout the mortgage advice process.

The Key is one of our flagship systems, and it holds a plethora of data about clients within it. So how do we ensure that it’s all kept safe and sound? We run through the security ins and outs for the Key below, so you can rest assured your data is kept safe with us.

How does it all work?

Like many systems nowadays, the Key stores all its data and documentation in ‘the cloud.’ Access to the system is restricted to approved users, supported by extensive configuration around password format and expiry.

There are then two ways in which this information is stored:

Locally stored information

Whilst data is in use and being updated, the Key operates with limited data stored temporarily on the user’s computer. Once the data is uploaded to the server – by saving it or closing the application altogether – this locally stored information is then removed.

Security at this end is where you come in.

Ultimately, the local computer environment remains under the control of the end user. We recommend you only use versions of Windows that are supported by Microsoft, and that they are kept up to date with regular system updates.

We also recommend that the latest anti-virus software is used at all times, as well as strong passwords changed regularly to keep the highest protection on your data.


Server stored information

And this is where we come in. When we are hosting the Key, all server information is hosted with a leading Internet Service Provider within their data centres. These centres are protected by the latest, most sophisticated software as well as high-tech physical security systems – including CCTV, alarms, 24-hour monitoring and dual authentication access controls.

Personal data and documents within the Key are stored on servers with no direct connection to the internet. Access to them is via services hosted on separate, internet-facing servers. Data is also encrypted when it’s not in use, and access is controlled by firewalls that restrict all access other than that required to run the service.

There are also a number of other precautions we have in place, which are:

  • Microsoft-supported software
  • Regular security updates
  • Anti-virus software on all servers

We also employ an independent security company who run regular tests against all aspects of our data security. Based on their findings, we make the changes and improvements necessary to ensure that your data within the Key remains secure.

For more information about how we keep your data safe in all our systems, you can take a look at our PDF here.