Opinion: The Great Resignation’s title cybersecurity risk5 min read
While retention, engagement and automation are the hottest topics coming out of a growing labor shortage, employee turnover can also cause cyber risk and other operational issues for title companies.
The Great Resignation and lack of available labor has been a hot topic in the general media for some time now. It’s significantly impacting the title insurance industry now and will only become more prominent as the boomer workforce continues with retirement plans.
Financial and operational headaches
While this conversation naturally turns toward important matters like retaining existing talent or digitizing the most menial tasks, there are other significant threats arising out of this labor shortage that aren’t being discussed widely, such as cybersecurity or unnecessary expense.
Forgotten passwords and VPN connections of former work-from-home employees, while difficult to manage or track, are prime targets for sophisticated cybercriminals. Phantom licensing, unmonitored portals, or abandoned Software as a Service (SaaS) application accounts as the result of employee departure can cause financial and operational headaches at a time when most are seeking to battle margin compression.
The solution to these rising threats — as is the case with most cyber-defense strategies, is proactive planning, oversight, and training. But before title businesses can forge effective plans, they need to understand the nature of these threats.
Threats of data exfiltration
The exodus of skilled labor from the title industry, whether because of retirement, resignation, or even layoff due to changing market cycles, creates its own set of unique threats. While the industry and business owners remain focused on the threat of cyber criminals, there is another prominent threat hiding in the shadows — insider threat.
It comes from current or ex-employees in the form of data exfiltration. Far too often, employees with access to sensitive documents, non-public information (NPI), passwords, and business data may still have access to those assets days and even weeks after leaving or being asked to leave the company.
If the parting is on bad terms, it’s a far too common occurrence for ex-employees to access and take client contact lists or proprietary knowledge to another firm.
The solution is simple
Fortunately, as common as the problem of exfiltration is, the solution is simple. Employers should have a proactive and comprehensive policy for off-boarding employees. Passwords should be cancelled and access to programs, databases, portals, and other entry points to the firm’s data should be ended before the employee has left the office on their last day. It’s amazing what one motivated or disgruntled former employee can do in a short amount of time when allowed to maintain access to proprietary information.
Oversight and management
Another major threat resulting from employee departures involves oversight and management. Far too many title businesses fail to accurately document their software assets, services, processes, and operational policies. Even when documentation is in place, neglecting to oversee the people administering those business assets can be just as damaging.
We all know that a title agency is chaotic — especially around month’s end. It’s not uncommon to see staffers using hacks, work-arounds, or shortcuts to solve the pop-up problems that so often threaten a closing. When that person departs, it may not be readily apparent to management or to the person’s successor that they were creating new files or manually modifying workflow until months down the road when a client requests a file or a claim is made.
The solution is to create a structured cross-training program for employees. Regular required PTO or even the rotation of personnel through different elements of the workflow is one great way to accomplish this. And, of course, clear oversight and documentation start with attentive management and training.
Tracking third-party apps
Another challenge for title businesses seeking to protect their NPI and data systems arises from the many commonly utilized online portals and third-party software or services. The problem, in many cases, is that such apps or portals can be difficult to track at a management level.
Great examples include Salesforce, Adobe Suite, QuickBooks Online, and the like. While these tools are popular with title businesses for their costs and ease of use, it can become a challenge to track usage, especially in times of higher employee turnover. Some companies continue to pay for licensing fees or similar costs because the financial team assumes them to be necessary costs and fails to tie the number of licenses to the employees (or former employees) using them. As a result, a lot of unnecessary expense goes toward licensing that hasn’t been used in weeks, months, or even years.
Have a clear exit plan
Finally, the little things can really mean a lot when they go unattended. That applies especially when an employee leaves the organization without a clear-cut plan in place, leaving a virtual hole in the firm’s cyber defenses. Examples could include usernames and passwords that aren’t cancelled or blocked; or “rogue” third-party apps or tools employed by single employees without company approval, but which create access to the approved company systems without management’s awareness.
Even new employees create a cyber risk when not properly onboarded. Sophisticated cyber-criminal syndicates can easily spot new personnel coming into a title business. They simply need to monitor LinkedIn or the trade press, in many cases. New employees often get wide access to a company’s cyber infrastructure almost immediately.
Without effective and immediate onboarding, these employees can often unwittingly accommodate ransomware, data breach, or business email compromise (BEC) within hours or days of joining the organization. The solution is to have a comprehensive, effective, and up-to-date onboarding plan. Consulting with cyber defense and IT experts is a great way to create, review, or update such plans.
As is the case with almost any kind of business threat — be it fraud, data exfiltration, or avoidable loss — there is no perfect solution. While flaws in technology can create the doorway for such threats, it is the people using that technology who are targeted. Accordingly, the best way to mitigate a business’s risks is the use of common sense, effective and informed planning, clear policies that are regularly updated and, above all, oversight and consistent enforcement of these policies. Whether it’s onboarding, off-boarding, or access modification, it starts at the top.
As the Great Resignation continues, compounded by the industry’s full pivot to a competitive purchase market, planning and executing these policies and procedures can both protect your business and create a substantial competitive advantage.
Kevin Nincehelser is COO of Premier One.
This column does not necessarily reflect the opinion of HousingWire’s editorial department and its owners.
To contact the author of this story:
Kevin Nincehelser at [email protected]
To contact the editor responsible for this story:
Sarah Wheeler at [email protected]