Collection agencies possess a plethora of data about their client’s customers who have past-due accounts. Protecting that data is essential. Consumers expect it, clients demand it, and regulators require it.
“Recent insurance renewals are requesting more details about information security because insurers are seeing more claims filed in that area,” said Lauren Valenzuela, counsel at Actuate Law. “Our industry should expect more and more scrutiny from licensing authorities, regulators insurance companies, and, of course, clients.”
Data breaches targeting large companies and institutions receive a lot of public attention, but companies of all sizes are at risk. Hackers continue to seek information they can sell – a “traditional” reason for accessing companies’ data – but ransomware attacks, hackers lock up their victims’ technology systems and data, holding it hostage until the individual or company meet specific payment demands.
One of the biggest potential vulnerabilities for many collection agencies is the use of outdated technology. Upgrading systems is time-consuming and expensive, but using legacy systems carries increased security risks.
“A lot of data breach incidents result from legacy systems,” said Kim Phan, partner with Ballard Spahr. “Some of the more evolved software doesn’t properly integrate with legacy systems. The same protections that are available on today’s updated systems. Companies need to find ways to shift their data to newer systems with greater security.”
Protecting data requires a complete program of proactive practices, including:
- Install updates and patches on software and operating systems. Developers update their products to help protect against threats, but many users don’t promptly apply them, leaving their data vulnerable.
- Routinely force password updates, and require employees to use complex passwords that include a combination of capital and lowercase letters, numbers and symbols.
- Implement multifactor authentication for system and software access whenever available. This process adds a layer of protection beyond password access.
- Regularly audit user accounts with administrative privileges to ensure they aren’t abusing their access.
- Implement network segmentation to limit the scope of a potential breach. When one zone of the network is attacked, the others remain safe.
- Encrypt data so if it does fall into the wrong hands, they aren’t able to easily understand or use it.
- Install and update antivirus and antimalware protection software.
- Train, retrain, and test employees about identifying potential threats and taking proactive measures, like avoiding public wifi networks.
- Implement a system that adds a prominent notification at the top of emails sent from external sources to help employees identify phishing attempts
Beyond these basic practices every company needs to have in place, there are several additional “gold standard” best practices for extra protection. They include ethical hacking and penetration testing, which entails hiring a reputable data security vendor to perform an authorized system attack, mimicking the actions and attempts used by hackers. This practice detects vulnerabilities so companies can implement practices and training that targets weak spots.
Because collection agencies work with many service providers, they should ensure all such vendors have systems that match or exceed their own. Understand their practices and hold them accountable for responsible data use, periodically auditing their technology and data use.
“Classify your information into different tiers and risk levels and then classify vendors the same way,” Valenzuela said.
Many proactive technology security measures may seem cumbersome to implement and maintain. Today, it may be easier and cheaper to delay updating systems and improving practices. However, today’s savings will be exponentially exceeded in the costs to clean up after a cyberattack if your systems fail a week, month, or year from now.
Originally Published in ACA International’s Pulse Newsletter – Tim Dressen is a communications consultant and former editor of Collection Magazine.