Earlier this year, Cloudvirga earned SOC-2 and ISO 27001 certification, which means that the way we store and process customer data meets rigorous international security standards.
The process of earning those certifications took several months and required every employee at Cloudvirga to participate in some degree of security training. We quickly realized that this meant we couldn’t just tack secure practices onto what we were doing; we had to adjust all of our processes and attitudes so that security was a primary concern for everyone at the company.
Here’s how becoming SOC-2 and ISO 27001 certified helped us build a culture of security.
A Culture of Security Starts with Training
When many people think of security, they first think of things like firewalls, encryption, and multi-factor authentication. While those technical elements are certainly essential to maintaining data security, they’re far from the only way we keep data secure.
In fact, one of the most important components of organizational security is human behavior – and with good reason. About a quarter of all data breaches happen because of human error.
That’s why SOC-2 and ISO 27001 certifications emphasize employee training in their security standards. To stay in compliance with our certifications, Cloudvirga employees must take training modules on…
- Standard security awareness, which includes practices like locking your computer screen when you step away from it and not leaving financial data lying around on your desk.
- Writing secure code, which includes strategies for ensuring that new code developers write doesn’t introduce known vulnerabilities to our software. Every piece of code we write is scanned against a known vulnerability database (KVD) to ensure that anything our customers use is secure.
- Anti-phishing training, which explains how scammers trick people into clicking nefarious links or sending information to bad actors. (And trust me: phishing has gotten way more sophisticated than the Nigerian prince scams of the late 1990s. Read about how “business email compromise” is affecting even savvy email users.)
Our training isn’t one-and-done, either. To stay in compliance with SOC-2 and ISo 27001, we have to complete training modules on an annual basis.
Besides security training, our certifications require us to have and enforce certain security-focused policies around the Cloudvirga offices, including…
- A clean-desk policy (no stray papers lying around for people to see)
- Screens must lock automatically within 10 minutes of disuse
- No “tailgating,” or standing behind someone while they work at their computer
- No letting people in the building behind you (everyone must have their own entry credentials)
The result of the training and new policies is that our office now has a culture of security: secure practices are baked into the way we do things so that the normal, default behavior around the office keeps information secure.
What Our Culture of Security Means for Our Customers
Our customers are mortgage lenders, which means they have to provide their consumers with a streamlined lending process that’s also secure.
Now that we have SOC-2 and ISO 27001 certifications, we’re better able to demonstrate to customers and potential customers the extent to which we take security seriously, and therefore the benefits they’ll be able to offer to their customers.
For example, we have clients who lend to homebuyers in New York. To be able to serve them, Cloudvirga has to comply with 23 NYCRR 500, the state’s stringent cybersecurity law that requires any organization operating in New York that takes any financial information to use multi-factor authentication and provide a certain level of encryption. Our system does those things, which means lenders who wish to lend to New York-based consumers can do so while using our system.
Another benefit to our customers stems from the fact that they’re often legacy companies. Their lending infrastructure is solid but they don’t always have the resources to maintain robust cybersecurity protections. When they partner with us, they suddenly have those protections. This translates to a significant increase in peace of mind; data breaches, after all, are expensive and damaging to a company’s reputation.
Now that we have these security certifications, lenders know that they can decrease their risk exposure by working with a partner that puts security first.
What Our Culture of Security Means for Consumers
While consumers may never know they’re using Cloudvirga’s software, we build everything with them in mind. Our secure platform means that their data won’t get into the wrong hands. Our end-to-end digital system means that Originators don’t have to ever take their data outside the platform, where it might be vulnerable.
We believe that if consumers have an excellent and secure experience, they’ll return to the lenders who made it possible. When those lenders are our customers, everyone wins.
Interested in learning more about our secure, fully digital mortgage lending software? Read about how we’ve reengineered the origination workflow.