Ensuring Data Integrity: The Risk of Email

April 23, 2020

Cybersecurity specialists focus on ensuring the integrity of the data inside the systems a company owns and flowing between those systems and partner platforms. This is not the same as ensuring the accuracy of that data. Nor does it have anything to do with privacy legislation compliance.

We went into some detail on the differences between these disciplines in an article titled "Getting our Security Terminology Right."

In this article, we will focus on how information technology executives work to meet this mandate. How do we ensure the integrity of our data and what does that mean, exactly?

A Working Definition of Data Integrity

When we talk about a person of integrity, we know exactly what we mean. The person is as good as her word. If she says she will do something, we know she will do it. Data integrity is not that different.

In the information security world, data integrity means that if a data field is stored in a database the field will have the same value when it is accessed later. If the data has changed, it was changed by an authorized user and the change was captured in an audit trail that tells everyone exactly what has occurred with the data.

Now, the IT specialists working in this department have no control over the data that is entered by authorized parties. It could be inaccurate, and they would have no way to know. Neither can they exert any influence on what an authorized user does with that information. If it is used in a manner that violates data privacy laws, the IT department would have no way of knowing.

What they are expected to know is who is authorized to access the system. In addition, they are expected to devise methods of authenticating users who attempt to access the system, to ensure that they are in fact who they say they are. This is a full-time job.

The Primary Risk Companies Face Today

Unauthorized access to company systems is the most serious problem that cybersecurity specialists and their companies face today. Without adequate controls in place, the company cannot protect its systems and will not be able to ensure the integrity of the data.

This is precisely why email is despised by cybersecurity professionals. As Mortgage Cadence’s Information Security Manager Joseph Lowe puts it, “Email is an insecure protocol by design. It's an old protocol that was never designed with security in mind.”

It’s very easy for an unauthorized user to pull data out of an intercepted email caught screaming through a network. And it’s surprisingly easy to intercept email traffic. Even with all the tools available to the cybersecurity specialist, it’s still virtually impossible to secure a company’s email against unauthorized access.

And even if we could make our email systems completely intrusion-proof, people would still send email to the wrong address, which would counter all the company’s security protocols with the press of a single “send” button.

What does this cost financial institutions and lenders? According to Stephen Dougherty, Cyber-Enabled Financial Fraud Investigator for the U.S. Secret Service, Business Email Compromise (BEC, currently the top type of cybercrime) is run by increasingly complex criminal organizations that have a huge financial incentive to perpetrate the crime. “The average loss from a bank robbery is about $3,000,” he told Cybersecurity Magazine. “The average loss from a successful BEC attack is nearly $130,000.”

Giving Control to the Data Controller

According to Lowe, the answer lies in taking control of who has access to the information in the first place and then how it is shared and with whom.

Because hackers have moved beyond system intrusion and on to social engineering in search of intrusion opportunities, it is now impossible to secure company email. This is a problem because this tool is one of the oldest and most used technologies in any enterprise.

Cybersecurity professionals are now convinced that doing business over email, at least when those messages carry company data, is a weakness that companies can no longer afford. So, how do we get people weaned off email and where do we send them to interact with data that the company must protect?

You need to create a controlled environment where data sharing is safe and secure, and authorization and access are carefully controlled. We built one for the home finance industry and it works.

Collaboration Center is a secure private cloud built for the home finance industry that enables mortgage lenders, real estate agents and settlement services firms to work together seamlessly to create digital mortgages. It recalibrates an otherwise disjointed closing process by putting all parties into a single virtual room and connecting it directly to the lender’s LOS, eliminating the need to rely on email or external chat applications.

Today, loan closing agents who control in excess of 45 percent of the mortgage industry’s volume are registered users of Collaboration Center.

Next time, we’ll explain why anything less will result in future data breaches. Hint: social engineering!

Mortgage Cadence’s Collaboration Center automates processes, manages documents and data, and enables real-time messaging, all within a secure environment.

Contact ALTA at 202-296-3671 or communications@alta.org.