
Your Security Score Is High, But Your Mortgage Business Is Still at Risk

5 Critical Gaps We Keep Finding

The Illusion of Security

We love a good dashboard. Green bars. Big numbers. High-fives. But here’s the thing: a shiny security score and blanket MFA don’t automatically mean you’re safe. In mortgage, “looks secure” can still hide the kind of blind spots that stop closings, panic borrowers, and light up your compliance inbox.

We recently reviewed a lender with a top-tier score and textbook controls. On paper: flawless. In reality: a few well-placed gaps that an attacker would spot in minutes. The kind that turn into “why can’t we access the LOS” and “why are we writing regulator notifications at 2 a.m.” moments. Let’s talk about those gaps—and how to close them without turning the place into Big Brother, Inc.

Takeaway One: Your Scorecard Isn’t Your Security

Metrics are helpful. They’re also incomplete. Scores usually measure what’s easy to count, not everything that matters. We routinely find three “invisible” items hiding behind great scores:

  • Unprotected personal devices: personal phones and tablets quietly reading borrower email, documents, and links with no app protection or device management policy applied, so the data sits outside any selective wipe or data-loss control.
  • Policy exceptions: service accounts, legacy tools, and “just for now” rules that were excluded from Conditional Access or MFA and never got cleaned up. Every exclude list and every report-only policy is a door the scorecard does not count.
  • Straggler accounts without MFA: the few that never registered a method or sit behind an exclusion. One is all an attacker needs.

Attackers specialize in the one door you didn’t lock. Scores don’t chase exceptions, shadow BYOD, or “temporary” workarounds that became permanent. You have to look past the dashboard to see the whole story.
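The three invisible items above can be pulled straight out of two exports from an Entra ID tenant. As an added example (not the article's own tooling), here is a small Python audit over a Conditional Access policy export and the authentication-methods registration report. The input shapes are modelled on the Microsoft Graph conditionalAccessPolicy and userRegistrationDetails objects; the sample policies and users are constructed, and the example.com domain and the break-glass allowlist are assumptions.

```python
"""Audit Entra ID exports for MFA gaps: policy exclusions, unenforced
policies, and accounts with no MFA method registered.

Added example, not from the original article. Input shapes follow the
Microsoft Graph conditionalAccessPolicy and userRegistrationDetails
objects; all sample data below is constructed for illustration."""
from __future__ import annotations

# Constructed sample: two policies as exported from
# GET /identity/conditionalAccess/policies (abbreviated).
POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "users": {
                "includeUsers": ["All"],
                "excludeUsers": ["svc-los-sync@example.com", "breakglass@example.com"],
                "excludeGroups": ["grp-legacy-fax-gateway"],
            }
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",  # report-only: blocks nothing
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
]

# Constructed sample: rows from the registration report
# (GET /reports/authenticationMethods/userRegistrationDetails).
REGISTRATION = [
    {"userPrincipalName": "j.doe@example.com", "isMfaRegistered": True, "isMfaCapable": True},
    {"userPrincipalName": "svc-los-sync@example.com", "isMfaRegistered": False, "isMfaCapable": False},
    {"userPrincipalName": "temp.processor@example.com", "isMfaRegistered": False, "isMfaCapable": False},
    {"userPrincipalName": "breakglass@example.com", "isMfaRegistered": False, "isMfaCapable": False},
]


def mfa_policy_exceptions(policies, allowlist=frozenset()):
    """{principal: [policy names]} for every user or group carved out of an
    enabled policy that grants access only with MFA. Principals in
    `allowlist` (documented break-glass accounts) are skipped."""
    exceptions: dict[str, list[str]] = {}
    for p in policies:
        if p.get("state") != "enabled":
            continue
        controls = p.get("grantControls") or {}
        if "mfa" not in controls.get("builtInControls", []):
            continue
        users = p["conditions"]["users"]
        for principal in users.get("excludeUsers", []) + users.get("excludeGroups", []):
            if principal in allowlist:
                continue
            exceptions.setdefault(principal, []).append(p["displayName"])
    return exceptions


def unenforced_policies(policies):
    """Policies that exist on the dashboard but enforce nothing: disabled or report-only."""
    return [p["displayName"] for p in policies if p.get("state") != "enabled"]


def mfa_stragglers(registration):
    """UPNs with no MFA method registered, whether or not a policy would prompt them."""
    return sorted(r["userPrincipalName"] for r in registration if not r.get("isMfaRegistered"))


def audit(policies, registration, allowlist=frozenset()):
    """Combine the three checks into one report."""
    exceptions = mfa_policy_exceptions(policies, allowlist)
    stragglers = mfa_stragglers(registration)
    # Worst case: excluded from the MFA policy *and* nothing registered.
    unprotected = sorted(u for u in stragglers if u in exceptions)
    return {
        "exceptions": exceptions,
        "unenforced_policies": unenforced_policies(policies),
        "stragglers": stragglers,
        "excluded_and_unregistered": unprotected,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit(POLICIES, REGISTRATION, allowlist={"breakglass@example.com"}), indent=2))
```

Run it against real exports and the report is the list you take to the exception-cleanup meeting: every principal in `exceptions` needs an owner and an expiry date, every policy in `unenforced_policies` is either switched on or deleted, and anyone in `excluded_and_unregistered` is fixed first.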

Takeaway Two: Personal Devices Are the New Back Door

BYOD often translates to “Bring Your Own Risk.” If a personal phone holds borrower data and has zero safeguards, you’ve created an undocumented attack surface. Lose the phone? No selective wipe, so the borrower files go to whoever finds it. Click the wrong link? The mail session and tokens on that phone just became an attacker’s foothold.

The fix isn’t banning phones. It’s putting work data in a secure container on those phones and drawing a bright line between “yours” and “ours.” Keep people productive, keep borrower data protected, and don’t peek at anyone’s camera roll. Simple, respectful, enforceable.

Takeaway Three: A Cyber Gap Isn’t an IT Problem—It’s a Business Problem

A cyber incident in mortgage isn’t abstract. It delays funding, resets locks, jams the call center, and rattles investor confidence. One unmanaged phone or a single non-MFA account can snowball into frozen pipelines, borrower notifications, and very public cleanup. This isn’t about “more tools.” It’s about keeping operations on schedule and customers calm.

Takeaway Four: The Smart Fix Earns Trust Before It Demands It

Our approach is deliberately boring—in the best way. It works, people accept it, and it doesn’t torch productivity. It goes like this:

MAM now. Start with Mobile Application Management. Think of it as putting your work apps and data inside a locked briefcase that lives on a personal phone. An app protection policy lets you require a PIN, encrypt what’s inside, block copy/paste and Save As to personal apps, and, if needed, wipe the briefcase clean without touching the rest of the device. No “IT can see my photos” drama. Two caveats a practitioner should check: the policy only applies to apps that support it (Outlook, Teams, the Office apps, and any line-of-business app built or wrapped for it), and it only bites if a Conditional Access rule requires an app protection policy for access. Without that grant, users can still sign in from native mail with nothing protecting the data.

MDM next. Once the briefcase is normal, move up to Mobile Device Management where it makes sense. That’s where you enforce OS versions, encryption, screen locks, jailbreak/root checks, and mobile threat defense, and where a device compliance policy can feed Conditional Access so non-compliant devices lose access. Use it for roles and scenarios that truly require device posture, or when users insist on native mail, which app protection policies cannot cover. Adoption is higher because you earned it.
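The two stages above, as an added example that is not the article’s or any vendor’s code: a checker that compares an exported app protection policy and a device compliance policy against the baseline the text describes (PIN, no data leaving the container, selective wipe on a reasonable offline timer; then screen lock, OS floor, jailbreak detection, and mobile threat defense). Property names follow the shape of Microsoft Graph managedAppProtection and deviceCompliancePolicy objects but are assumptions to verify against your own export; both the weak and the hardened sample policies are constructed.

```python
"""Check a mobile app protection (MAM) policy and a device compliance (MDM)
policy against the baseline described in the article.

Added example, not the article's or a vendor's own tooling. Property names
are modelled on Microsoft Graph managedAppProtection / deviceCompliancePolicy
objects and should be treated as assumptions; the sample policies are
constructed."""
from __future__ import annotations
import re

# Constructed: a "just get it working" app protection policy.
WEAK_MAM = {
    "displayName": "Mortgage apps - pilot",
    "pinRequired": False,
    "minimumPinLength": 4,
    "allowedOutboundDataTransferDestinations": "allApps",
    "allowedOutboundClipboardSharingLevel": "allApps",
    "saveAsBlocked": False,
    "dataBackupBlocked": False,
    "periodOfflineBeforeWipeIsEnforced": "P365D",
}

# Constructed: the same policy after hardening (the "locked briefcase").
HARDENED_MAM = {
    "displayName": "Mortgage apps - enforced",
    "pinRequired": True,
    "minimumPinLength": 6,
    "allowedOutboundDataTransferDestinations": "managedApps",
    "allowedOutboundClipboardSharingLevel": "managedAppsWithPasteIn",
    "saveAsBlocked": True,
    "dataBackupBlocked": True,
    "periodOfflineBeforeWipeIsEnforced": "P30D",
}

# Constructed: a compliance policy for the later MDM stage, missing MTD.
COMPLIANCE = {
    "displayName": "iOS - loan officers",
    "passcodeRequired": True,
    "passcodeMinimumLength": 6,
    "securityBlockJailbrokenDevices": True,
    "osMinimumVersion": "17.0",
    "deviceThreatProtectionEnabled": False,
    "deviceThreatProtectionRequiredSecurityLevel": "notSet",
}


def _days(iso_duration: str | None) -> int:
    """Day count from an ISO 8601 duration like 'P30D'; anything else counts as 'never wipe'."""
    m = re.fullmatch(r"P(\d+)D", iso_duration or "")
    return int(m.group(1)) if m else 10**6


def _version(v: str | None) -> tuple[int, ...]:
    """'17.0.1' -> (17, 0, 1); a missing value becomes (0,) so it always fails the floor."""
    return tuple(int(x) for x in v.split(".")) if v else (0,)


def mam_gaps(policy: dict) -> list[str]:
    """Baseline settings the app protection policy fails (empty list = compliant)."""
    gaps = []
    if not policy.get("pinRequired"):
        gaps.append("pinRequired: no app PIN on the container")
    elif policy.get("minimumPinLength", 0) < 6:
        gaps.append("minimumPinLength: PIN shorter than 6")
    if policy.get("allowedOutboundDataTransferDestinations") != "managedApps":
        gaps.append("allowedOutboundDataTransferDestinations: files can leave the container")
    if policy.get("allowedOutboundClipboardSharingLevel") not in ("managedApps", "managedAppsWithPasteIn", "blocked"):
        gaps.append("allowedOutboundClipboardSharingLevel: copy/paste into personal apps allowed")
    if not policy.get("saveAsBlocked"):
        gaps.append("saveAsBlocked: Save As to personal storage allowed")
    if not policy.get("dataBackupBlocked"):
        gaps.append("dataBackupBlocked: work data lands in personal cloud backups")
    if _days(policy.get("periodOfflineBeforeWipeIsEnforced")) > 90:
        gaps.append("periodOfflineBeforeWipeIsEnforced: a lost phone keeps data longer than 90 days")
    return gaps


def mdm_gaps(policy: dict, min_os: str = "17.0") -> list[str]:
    """Device-posture settings the compliance policy fails. Storage encryption
    is tied to the passcode on iOS; on Android also check storageRequireEncryption."""
    gaps = []
    if not policy.get("passcodeRequired"):
        gaps.append("passcodeRequired: no device screen lock")
    if not policy.get("securityBlockJailbrokenDevices"):
        gaps.append("securityBlockJailbrokenDevices: jailbroken/rooted devices pass")
    if _version(policy.get("osMinimumVersion")) < _version(min_os):
        gaps.append("osMinimumVersion: below " + min_os)
    if (not policy.get("deviceThreatProtectionEnabled")
            or policy.get("deviceThreatProtectionRequiredSecurityLevel") in (None, "notSet", "unavailable")):
        gaps.append("deviceThreatProtection: mobile threat defense not enforced")
    return gaps


if __name__ == "__main__":
    for name, pol in (("WEAK_MAM", WEAK_MAM), ("HARDENED_MAM", HARDENED_MAM)):
        print(name, mam_gaps(pol) or "OK")
    print("COMPLIANCE", mdm_gaps(COMPLIANCE) or "OK")
```

The weak policy fails six of the seven MAM checks even though the tenant would show an app protection policy as “assigned”; the hardened one passes, and the compliance policy is flagged only for the missing mobile threat defense. The checks are deliberately per-setting so the output reads as a remediation list rather than a score.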

Takeaway Five: Security Moves at the Speed of Leadership

Tools don’t enforce themselves. The mortgage teams that win do three things:

  • Set a date and mean it: a clear executive note that says “after this day, work data lives in a protected app—or no access.” Friendly, firm, and privacy-aware.
  • Show the scoreboard: monthly reviews that track BYOD coverage, exception cleanup, and MFA completion. If it matters to leadership, it happens.
  • Make managers owners: give leaders their team lists, paste-ready reminders, and office hours. “We’re all responsible” isn’t a slogan; it’s a routing rule.

That’s the difference between a policy that lives in SharePoint and a program that actually protects borrowers—and your brand.

From Scorecard to Secure

Real security isn’t just the number on your dashboard. It’s the boring, durable stuff: no unmanaged back doors, no lingering exceptions, no orphaned accounts. It’s connecting those fixes to business outcomes: loans close on time, customers stay confident, examiners nod instead of frown.

If your score looks great but your gut says “something’s off,” you’re probably right. Start with the phone in everyone’s pocket. Lock the data today, raise the device bar next, and let your leadership cadence turn policy into muscle memory. That’s how you turn “secure on paper” into “secure in production.”