CBE has never had a successful cyber intrusion—and this is why
At an individual level, cyberattacks can lead to everything from identity theft and extortion attempts to the loss of critical data, such as family photos. And now, as attacks evolve and grow in frequency and complexity, sophisticated cyber actors exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy, or jeopardize critical services. In 2020, cybersecurity researchers identified a breach at SolarWinds, which gave cybercriminals access to 18,000 government and private computer networks. And more recently, LinkedIn suffered a massive breach that affected 92% of its users.
CBE’s cybersecurity posture
For CBE Companies, cybersecurity is an intricate practice. According to Bill Atkins, Director of Information Security, the best way to prevent attacks and secure information is through a multilayered approach to cybersecurity. Atkins explains that the information security posture of CBE is based on the fundamentals outlined in major national and international security standards, which intertwine staff, processes and technologies. Their successful cybersecurity approach has several layers of protection stacked on top of the computers, networks, software and data they aim to secure.
This wide-ranging group of standards ensures that the CBE framework is based on security and privacy protection best practices from multiple industries, including the federal government, healthcare and financial sectors. This diversity means that CBE’s security and privacy protection posture is well-rounded in various control families, so CBE can better anticipate future risk areas and formulate proactive approaches to emerging threats. Employing this forward-looking approach provides information CBE can operationalize to create flexible, accurate defense-in-depth solutions that withstand the ever-changing environment of the global information network.
CBE’s established policies
CBE has established policies that protect the consumer’s personal information, identify risks and prevent identity theft. They take the following steps to protect consumers’ personal information used in the pursuit of collections, including Social Security numbers, account numbers, loan numbers, banking information, references, credit card numbers and phone numbers:
- All new employees must attend Privacy and Security Awareness training. After that, additional training takes place twice per year. They sign a Privacy & Security Standard Operating Procedure (SOP) document agreeing to protect the consumer’s personal information from inappropriate use and only use it to collect the debt on behalf of the client. Atkins makes it clear that violation of this policy may result in disciplinary action up to and including termination.
- CBE adheres to a strict Clean Desk policy in all its operational facilities, limiting access to printed documents to maintain an environment free of consumer PII and Sensitive Data of any nature. Where printed materials are required, they are placed in locked shredding containers for appropriate disposal immediately once obsolete. Daily Clean Desk audits are performed to ensure the policy is being adhered to.
- Associate and administrative computer displays are set to switch to a password-protected screensaver after 10 minutes, and users must change their passwords every 60 days.
- CBE uses proven encryption technologies to protect data during electronic transmission.
- CBE uses the Secure Sockets Layer (SSL) protocol with key lengths of at least 128 bits to encrypt traffic on its corporate websites.
- CBE’s approved method for remote access is based on VPN technology.
- To further protect sensitive data, CBE operates in secure facilities. All employees wear access control identification badges that limit access to the designated office buildings and other areas.
In addition to the rigorous client requirements and security framework controls, CBE believes its people are the first line of defense. Leaders talk with employees on their first day at CBE about their critical role in securing the company’s systems. Ongoing employee communications and training reinforce their responsibilities in protecting the systems and data.
Atkins describes the company’s differentiators: “CBE has a defined vulnerability review and patching cadence that exceeds any client requirement, including weekly internal vulnerability scans and reviews and monthly external vulnerability scans and reviews. CBE also has a SOC 2 Type 2 report. This attestation of controls says CBE has proven that we follow stated controls over some time, rather than having controls in place at a point in time.”
CBE’s security teams regularly perform invisible yet critical work for the business, work that doesn’t usually appear as bullet points in a board deck, and work that isn’t seen as “revenue generating.” While CBE security may not be profitable, its security teams are saving hundreds of thousands, if not hundreds of millions, of dollars by mitigating risks. This is money CBE would have spent had anything awful happened.
To learn more about CBE Companies, visit their website at CBEcompanies.com.