The world underwent a massive shift during the COVID pandemic and some people have had a more difficult time adjusting than others. One of the most contentious changes that took place was the mass exodus of workers from office buildings in favor of the safety and isolation of the home office. While many people have fallen in love with working from home and many more are still hunting nearly full-time for remote work, many others argue that remote work is not only counterproductive and ripe for time theft, it’s also inherently risky.
While the position of this latter group certainly has a basis in reality, remote work is here to stay. Organizations which hire remotely and individuals who work remotely must navigate with open eyes the threats and vulnerabilities that come with the territory.
Depending on which specific task an analyst is charged with performing on a given day, they may obtain access to the entire life story of dozens of borrowers. Even for the more time-consuming tasks like full loan reviews, a worker in this position will typically touch the highly sensitive PII of at least four borrowers in a single day. Consider the damage a threat actor can cause with the right information on just a single borrower and then realize that four borrowers per day adds up to a thousand borrowers per year. An insider threat playing the long game could easily harvest every valuable detail from every borrower they touch for the entire duration of their employment with nothing more than a pen and a pad of paper.
The secondary market is particularly vulnerable because deal packages often contain hundreds or even thousands of loans and each loan has already been touched by six or more different people before it has even arrived at the desk of a QC professional. Add cloud-based platforms accessible from any browser on any device and the exposure compounds further.
The first problem is the home network. A mortgage professional working from home is connecting to the same router as every other device in the house. That router is almost certainly a consumer-grade device that shipped with a default password, has never been updated, and has no network segmentation. The laptop reviewing a loan file sits on the same network as the smart TV, the gaming console, the kids’ tablets, and every other connected device in the house. Any one of those devices can be a point of entry.
The next issue is the work device itself. Many firms allow or simply cannot prevent employees from using personal devices to access LOS platforms and review systems. A personal device has no endpoint monitoring and the firm has no visibility into what happens on it, what else is installed on it, or whether it has already been compromised.
The third gap is VPN usage (or lack thereof). Even firms that have VPN available often cannot enforce its use consistently. Employees disable it because it slows their connection, because it drops unexpectedly, or because nobody is checking.
Fortunately, the firms doing remote work right have already solved most of these problems. They issue company-managed devices with endpoint detection and response software installed. They require VPN as a condition of any system access, not as a suggestion. They use virtual machines for sensitive file review so that the analyst is always working inside a controlled environment that is completely isolated from their personal machine. They enforce multi-factor authentication on every platform that touches borrower data without exception. They have written acceptable use policies that specify exactly which tools are approved, distributed to every employee, and signed.
If all of these solutions seem obvious to you, it is because they are. There is really no mystery left when it comes to securing an organization’s data. None of this is experimental or theoretical and the barrier to secure data is not a technological one. The barrier is simply whether or not leadership has prioritized the implementation of proven systems.
Sometimes, however, leadership has done everything within their power to implement these systems but the systems are rendered ineffective because of a phenomenon known as Shadow IT. Shadow IT in mortgage operations looks fairly mundane. It looks like emailing a document to a personal Gmail account because the VPN is moving slowly. It looks like saving a file to a personal Dropbox because the firm’s storage system was down. It looks like texting a colleague a screenshot of a document because that was faster than the approved workflow. It looks like photographing a page with a phone because the scanner was on the third floor.
None of these people are acting with malicious intent, they are simply trying to get their work done. But the moment that document leaves the firm’s systems it is outside the firm’s control. It cannot be tracked, audited, recovered, or deleted, and the firm bears full regulatory and reputational responsibility for whatever happens to it next.
Ultimately, shadow IT is less of a people problem and more of a tooling and policy problem. In an ideal world, workers would simply bear the burden of mildly inconvenient security measures. In reality, people who are faced with an inconvenience naturally tend to discover shortcuts and workarounds, especially when the choice is between a workaround and being inconvenienced multiple times a day every day in perpetuity. When the approved workflow is slower or less reliable than the workaround, people will use the workaround. Rather than lecturing employees about data hygiene and burying them under hours of generic, compulsory training modules, the solution is to make the approved tools faster and easier than the alternatives.
In order for the industry to catch up to the problem, the controls are actually quite simple. Multi-factor authentication on every platform that handles borrower data without exception. A written remote work security policy that employees read and sign. Security awareness training specific to mortgage operations, not just generic content about phishing and shoulder surfing. Endpoint detection and response software on every device used for work. A formal off-boarding checklist that includes same-day remote access revocation on the employee’s final day. An incident reporting protocol that employees actually know about and feel safe using.
The firms that have not implemented these controls really have no excuse. The technology is already there and most of the controls mentioned above cost less than single regulatory fine. These firms are simply playing chicken with catastrophe, waiting for something to go wrong while hoping nothing ever does.
In the end, remote work in mortgage is not the problem. Inadequate security infrastructure is the problem. The two are not the same thing, and conflating them does a disservice to the millions of people who do sensitive work competently and responsibly from their homes every day. The good news is that this is a solved problem. The controls exist. The technology exists. The firms that have implemented them are running secure remote operations right now.
The rest of the industry just needs to finish the work.