Tackling data security
Paul Brooks, business services director at Countrywide Surveying Services, explains about the accreditation of information security management systems. He believes the information security badge should come as standard.
As much as we hear about fraud and data security (or rather, data leakage) these days, whether it's the phone hacking scandal or an embarrassed politician who's left sensitive documents on a train, it appears that standards for mitigating and managing risk are fairly low across the board.
In the lending sector, alarm bells are ringing, and it’s not just the security alarms. Earlier this year, the National Fraud Authority admitted that it has difficulty detecting mortgage fraud. If they have difficulty providing a full picture, that leaves the rest of us to tackle it in our own responsible way.
And tackle it, we must. We have seen the devastating damage that fraud and security breaches can cause to individuals, families and companies. With advances in technology and more ways to access data than ever before, fraud prevention and data security are high on the agenda and the landscape of risk management has completely changed forever.
It is no longer about governance meetings and operating a rigid framework; it needs to be agile, predictive, proactive, and embraced at all levels within an organisation. The focus has shifted – because it has had to – from detection, to prevention.
Prevention, as they say, is better than cure, and when it comes to sensitive information and restricted data, the key is to reduce risk – a major concern for lenders, when selecting partners to do business with.
In much the same way as business had to catch up to the quality standards set by ISO 9001 ten years ago, there is certainly a case for the mortgage lending industry to set the standard for fraud prevention and data protection.
The current obligation for business partners is to 'align' with ISO/IEC 27001:2005, the internationally recognised standard for Information Security Management Systems (ISMS). There are fewer than 600 UK organisations accredited under this standard, a surprisingly low number given the risk-averse lending climate, and very few of them are business partners in the mortgage lending network or supply chain. But this could all be about to change.
Countrywide has recently become the first company of its size and kind to achieve this certification, which covers its three core business-to-business trading divisions: Countrywide Surveying Services, Countrywide Conveyancing Services and Countrywide Corporate Property Services. And whilst we are certainly proud to be 'pioneers' in respect of our certification, shouldn't the industry as a whole be moving towards this as a standard 'badge', rather than a platinum one? Is it not a risk in itself for lenders to partner with businesses who do not meet these standards, in light of their focus on preventing fraud?
Essentially, the ISO 27001 standard ensures that confidential customer and client data is handled in a secure manner, and that effective and robust risk management processes, business controls, and fully-tested recovery plans, are in place to protect that data, and indeed, the rest of the organisation, should the worst happen.
The importance of risk management is reflected in the fact that one of the first additions to the standard series was 27005, in 2008, which primarily relates to dealing with risk, and which was updated again last year. Indeed, the base 27001 and 27002 are due to be updated next year, with many experts predicting that, in order to reflect changes in the business landscape, risk assessment, treatment and management will once again be a focus of the revisions.
But it's not just a cyber war. As much as technology can be exploited to commit fraud, it is just as much about staff training and awareness, and the protection of buildings and personnel, so that the building blocks are in place throughout the cycle of service.
Of course, managing risk internally soon leads to a review of business partners and other outsourced services. Working with the supply chain to understand their existing processes and ensure they are risk-aware has benefits for all concerned parties. And organisations which are already 27001-certified could move up the shortlist when the time comes to select a new supplier. While it's unlikely that all parts of the chain will ever become 27001-certified, the trickle-down effect should not be underestimated.
Countrywide has already gone one step further by taking the ISO strategy and developing new tactical responses, to allow for closer collaboration with its lender clients. This sharing of data intelligence and best practice methods further bolsters the framework, and gives lenders added security.
Starting from a position of prevention, control and risk reduction puts you in a different mindset. The ISO framework puts emphasis on prevention, and allows for a robust structure in which to stop fraud or data leakage before it starts. Countrywide is already issuing more fraud referrals on the basis of the dedicated reporting channels in place. Not only is it easier to detect and identify potential issues, but in many cases, with trained staff, it is possible to pre-empt them by analysing data and looking for trends and patterns which might indicate fraudulent activity or compromised data.
Having achieved these high standards, Countrywide is committed to maintaining and exceeding them, and lenders and other clients have already responded positively to the accreditation. With the difference we have seen to date, it's easy to think that ISO 27001, which now also includes fraud prevention standards, will become the new 'badge of honour', just as ISO 9001 was a decade ago.
And why shouldn’t it? Fraud is simply a symptom of inadequate preventative systems and risk management controls. The sooner the industry catches up to the international standards to tackle this, the sooner its reputation can be restored.