Security is a major topic when it comes to our collection systems and how integrated they have become in all aspects of our business. We now grant employees, clients, and debtors access to our systems in and out of our offices. As we hear of data breaches more and more often, the number of consumers affected is no longer in the thousands but in the millions. We must continue to build our systems with security as the prime objective instead of as an afterthought.

 

Many people think data breaches and cyber attacks only happen to large companies. They probably think, “even if they did get into my systems, what good is the data they obtain on past due debts? Why would anyone want data from a collection agency?” Well, it may not be about the data. Not all hackers are out there to make money. Many are out there to cause your business hardship and maybe even put you out of business. Take the hacker who sends you an email link that, if clicked, will download a virus that wipes out the data on your PC; that hacker did not make any money from this, so why did he do it? Because he can! If a person hacks your system, the time, the bad publicity and the cost of notifying consumers that their data has been exposed will definitely cause you a major headache and could even cost you your business.

 

In a Verizon report from 2013, 76% of network intrusions came from exploited weak or stolen credentials. Given the technology we have today, that just reflects the fact that there are too many IT people out there not taking security seriously enough to protect their data. To avoid intrusions, there are many types of Multi-Factor Authentication, ranging from RSA tokens to biometrics. These are a must in today’s environment. Being in a line of work where we have daily confrontations with a lot of people, making sure our systems are safe and secure is as important to us as it is to the credit card companies, health care companies and government agencies. There are many security standards today: SSAE 16, PCI, ISO 27002 and FISMA, just to name a few.

 

If you are looking to do any government collections, FISMA (Federal Information Security Management Act) is the standard guide to securing federal data. Using FISMA as your security standard is the proper and safest way to secure the data that is assigned to you by a government agency.

 

As data breaches and cyber attacks are on the rise, protecting our data from both a systems standpoint and a physical standpoint has never been a more important part of our business model than it is today. FISMA covers the measures you should utilize, from data security to physical security. If you have an SSAE 16, PCI or ISO 27002 certification, you have a great start at FISMA compliance. However, there is still a good possibility that you are not yet 100% FISMA compliant. Many of these certifications are directed at the private sector and will not necessarily make your organization FISMA compliant. Your organization could still have some work to do if your government contract requires FISMA compliance.

 

If you are considering government collections, this will affect your entire company, from sales to operations to technology. Just one personal example I can give you is when I became VP of Technology for a company that was awarded the IRS contract around 2006; I could not believe the physical requirements. They included a totally separate building, lockers so collectors could not have anything at their desk, and no outside network connectivity to that location. I can assure you that the government data was secure, but at a very high cost, as you can imagine. To be totally clear, those were requirements of the IRS contract, not necessarily FISMA requirements.

 

If you are not currently FISMA compliant and want to get into government collections, make sure you take a good look at the IT cost and have money in your annual budget to cover the additional expense. Depending on your current IT infrastructure, those expenses can be sizable between additional hardware, software, and IT man-hours to complete the task. I am not saying “don’t do” government collections, just go into it with your eyes wide open.

 

Brian Cutler is Sr. Director of Business Development at Ontario Systems. Previously he served Sallie Mae as VP of IT and its predecessor Arrow Financial for over 30 years.