Paula Monroy Dec 15, 2021 3:21:52 PM 11 min read

Security vulnerabilities: How to avoid them in digital collections

From a deficient maintenance routine to slow detection of data breaches, companies collecting from past-due customers can make mistakes that lead to security vulnerabilities.

Often, businesses’ payment systems are targets of cybercriminal groups. No company is safe—even prominent players have been subject to fraud. For instance, in March 2021, CNA Financial experienced a ransomware attack that disrupted the company’s operations and services for three days. The company paid $40M to the hackers to regain access to their network.

Malware, particularly ransomware, has increasingly become a serious problem for companies. According to the 2021 Data Breach Investigations Report (DBIR), 10% of the reported breaches involved ransomware, twice the frequency observed in 2020.

The Identity Theft Resource Center (ITRC)’s 2021 Q3 Data Breach Analysis Report indicates a general 17% increase of data compromises in the first three quarters of 2021 compared to the entire 2020. 

Not falling victim to cybercrime and security breaches takes awareness 

It also requires a willingness to recognize that mistakes can happen to anyone.

“The sophistication and scale of cyber-attacks will continue to break records,” said Maya Horowitz, VP Research at Check Point Software, in an article by Nasdaq. As such, she advises companies to “remain aware of the risks and ensure that they have the appropriate solutions in place to prevent, without disrupting the normal business flow, the majority of attacks including the most advanced ones.” 

Although prevention is a shared responsibility globally because it concerns everyone’s digital identities and data, companies can take a few preventive measures to reduce security vulnerabilities.

This blog will explore five preventable mistakes you might be making that increase your security vulnerability.


Top 5 mistakes compromising data security in digital collections

  1. Lack of training
  2. Deficient maintenance routine
  3. Weak passwords
  4. Slow incident responses
  5. Third-party exposure


1. Lack of training

When collection agents don’t get proper training on security protocols, other best practice efforts are useless. They should be hyper-alert to any potential danger and follow protocols with confidence in case something happens.

The 2021 DBIR notes the misdelivery of emails as the main error-based breach (55%) in the financial services industry. It appears that employees are prone to sending emails with confidential information to the wrong people, primarily by accident.

Cybersecurity training should be mandatory for all collection agents and a standard part of the onboarding process, to prevent that kind of negligence. That means designing and implementing a straightforward process for your team members to identify early signs of a cyberattack, such as suspicious requests for money transfers or software updates with incorrect URLs or email domains.

2. Deficient maintenance routine

Not staying current with software updates increases your vulnerability to external mischief. Avoid becoming easy prey by continuously updating your website and system or any other collection software solution you're using.

Also, set up a control process in which specific people in your IT team receive notifications when thresholds are exceeded. They should be available to react fast and address the issue immediately.

Similarly, make it part of their routine to monitor the system.

If you're still in the process of acquiring a collection software solution for your collection strategy, security should play a decisive role. The provider should ensure it follows security operation standards. The most recognized certification for SaaS providers in the fintech space follows the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) Trust Services Criteria (TSC).

3. Weak passwords

58% of data compromised in North America came from credential theft (2021 DBIR). Avoid this type of human error by enforcing strong passwords to protect your company and customers’ data.

The PCI Security Standards Council states that a strong password should contain 12 characters, varied capitalization, one number, and one special character. It would take about 344,000 years to crack compared to a six-character password with no capitalization, no numbers, and no special characters—which would take a mere 0.077 seconds to break.

Also, keep a hierarchy of accounts to access hardware and software, so you know who is responsible for what and why.

Take it a step further to consolidate your commitment to protecting your customers’ data by opting for a secure payment processor that tokenizes all of your customers’ payment information. Doing so will ensure that no one in your team sees or accesses that data. 

4. Slow incident responses

When a potential vulnerability is detected, address it immediately. In the Cost of a Data Breach Report 2021, IBM calculates that the average time to identify and contain a data breach was 287 days in 2021—59 days more than the 2020 report!

Slow responsiveness to a breach can lead to significant fines and a negative reputation.

Avoid getting in this situation by having tools to monitor your systems regularly. Also, have a clear plan of action that identifies the necessary steps and involves the right team members.

5. Third-party exposure

If you involve a third-party cloud service provider, set the appropriate access credentials for them and keep an eye on any other plugins and integrations. It’s good practice to remove any service that is no longer in use but still has access to your system.
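Spotting integrations that still hold access but are no longer used is easier when it is a routine report rather than a one-off review. The script below is an added example and not code from the post or from Lexop; it runs over a constructed inventory of third-party integrations (in practice this would be exported from your identity provider or API gateway) and flags any that have been idle for more than 90 days or hold an over-broad scope. The 90-day threshold, the scope names and the review date are assumptions chosen for the illustration.

```python
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed inventory: name, granted scopes and the last time the credential was used.
INTEGRATIONS: List[Dict] = [
    {"name": "payment-processor", "scopes": ["payments:write"], "last_used": date(2021, 12, 10)},
    {"name": "old-analytics-plugin", "scopes": ["customers:read", "payments:read"], "last_used": date(2021, 6, 2)},
    {"name": "backup-vendor", "scopes": ["admin:*"], "last_used": date(2021, 12, 1)},
]

# Assumed review policy: revoke anything idle for more than 90 days and
# question any integration holding an administrative wildcard scope.
STALE_AFTER = timedelta(days=90)
BROAD_SCOPES = {"admin:*"}

# Constructed "today" so the report is reproducible; a real job would use date.today().
REVIEW_DATE = date(2021, 12, 15)


def audit_integrations(integrations=INTEGRATIONS, today=REVIEW_DATE) -> List[Tuple[str, List[str]]]:
    """Return (integration name, reasons) for every integration that needs attention."""
    findings = []
    for item in integrations:
        reasons = []
        if today - item["last_used"] > STALE_AFTER:
            reasons.append(f"unused for more than {STALE_AFTER.days} days")
        broad = BROAD_SCOPES.intersection(item["scopes"])
        if broad:
            reasons.append("over-broad scope: " + ", ".join(sorted(broad)))
        if reasons:
            findings.append((item["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_integrations():
        print(f"{name}: {'; '.join(reasons)}")
```

Schedule the report alongside the patching routine from section 2 so that stale integrations are caught on the same cadence as missing updates.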



Of course, there is no guarantee that your system won’t ever undergo a cyberattack or security breach. Life is unpredictable, after all.

Nevertheless, common sense can be a great ally to diminish risk by taking necessary measures like blocking and preventing access through apparent openings. Doing so will prepare you to mitigate the unexpected. 

So, it’s critical to select the right partner to collect from past-due customers online

That’s right. An essential step to minimize risk is looking for a collections software provider that will be a true partner to your business.

Look for a company that has in place critical controls helping reduce any chances of fraudulent activity. Make sure it supports security priorities and limits contact with your sensitive data, including your customers’ financial information.

To learn more, connect with one of our experts about how you can ensure up-to-date security measures so you and your customers can have peace of mind.


Paula Monroy

Paula is Communications Specialist at Lexop. With a formal background in urban planning and creative writing, Paula writes about pretty much anything.