From breached to bulletproof: The new rules of cybersecurity are about survival

First, stop thinking you can build an impenetrable fortress. You can’t. The most successful approach is to assume you’ll be attacked and prepare accordingly. It’s no longer just about prevention but resilience and rapid response.

Let’s get real about what cybersecurity means in 2025.

Underfunded security is an invitation to disaster 

In my opinion, if you’re not allocating at least 10% of your technology budget to security, you’re essentially leaving your front door wide open. Don’t think of cybersecurity as a cost center; it’s your organization’s lifeline. Don’t make the mistake of seeing cybersecurity as something you can skimp on. Every dollar you save today could cost you millions in a potential breach. The landscape of cyber threats has transformed dramatically. 

What was once a simple concern about an end-user clicking a suspicious link has evolved into a complex ecosystem of sophisticated vulnerabilities. And speaking of which, your biggest security vulnerability isn’t your software—it’s your people. Your front-line employees are your most essential security sensors. Create a culture where every single employee understands their role in protecting the organization. Implement continuous risk awareness programs. Conduct regular phishing tests. Make security training engaging and mandatory, and remove the fear of raising concerns. 

Your tech stack is a threat vector — simplify it or suffer

We’ve made a conscious decision to simplify our infrastructure—not just for efficiency but also for security. Managing multiple cloud providers might seem like a way to spread risk, but in practice, it increases complexity and creates blind spots. That’s why we’ve centralized our environment with AWS, leveraging their vast security infrastructure and resources that far exceed what most internal teams can support.

But picking a cloud provider isn’t enough—we’ve built a true partnership. AWS alerts us to early-stage threats and collaborates with us on quarterly security reviews. This is not a vendor relationship—it’s a joint defense operation that we continuously evaluate and improve.

We’ve also tightened our entire tech ecosystem. Every new vendor or piece of software is a potential entry point, so we’ve streamlined our stack and subjected every component to rigorous scanning. Our single sign-on solution provides secure, centralized access across all platforms, and we back this with twice-yearly disaster recovery testing to ensure we’re always ready to respond, not just react.

Security isn’t just about tools; it’s about strategy. We’ve embedded cybersecurity into our overall risk framework, aligning IT and risk management to make decisions based on real threat modeling. And for an extra layer of protection, we operate entirely within a virtual desktop infrastructure, which prevents employees from downloading or locally storing sensitive data.

Assume you’ll be attacked, because you will be

This is no longer theoretical. In recent years, sophisticated cyberattacks have escalated. In 2024 alone, multiple prominent non-bank lenders faced ransomware and data breach incidents that compromised the personal information of millions of customers. These events affected organizations responsible for both originating and servicing mortgage loans.

The exposed data included highly sensitive personal and financial information such as names, Social Security numbers, bank account details, and in some cases, complete identity profiles including addresses, phone numbers, and dates of birth. The scale of these breaches ranged from hundreds of thousands to nearly 17 million individuals affected in a single event.

Notably, these breaches not only disrupted operations but also eroded customer trust and exposed firms to litigation risks, regulatory scrutiny and long-term reputational damage. For lenders, this reinforces the urgent need for robust cyber defenses, proactive risk management strategies, and comprehensive incident response planning.

The threat has already evolved

These aren’t isolated incidents. They’re the blueprint for what happens when cybersecurity is under-prioritized in an industry handling enormous volumes of highly sensitive data.

Mortgage lenders and servicers are prime targets, and the threat is only accelerating. If you’re not investing in end-to-end security protocols, empowering employees with real training and testing your response strategy regularly, you’re gambling with your customers’ trust and your company’s future. 

Today’s cybercriminals use machine learning to mutate malicious code in real time, outpacing human detection. In this environment, static defenses are obsolete. Your cybersecurity posture must be as intelligent, adaptable and relentless as the threats you face.

As these technologies evolve, so must your mindset. Cybersecurity isn’t just about firewalls or zero-day patches — it’s about protecting the people and institutions your business depends on. Every security measure you implement is an act of trust-building with your employees, your customers and your partners. It signals that you take their safety seriously and are committed to preserving operational continuity, reputation, privacy, and long-term viability.

To the IT professionals out there: your job is no longer just about uptime — you are now the front-line defenders of your organization’s most valuable asset: its data. This is your battlefield. Treat it accordingly. And to the C-suite: if you’re still treating cybersecurity as an IT line item, you are failing your company. This isn’t a tech issue. It’s an existential threat. Every executive decision must consider the security implications, because one breach can destroy everything you’ve built.

The question is no longer if you’ll be attacked. The question is: Will you survive it?

Derrick Hadzima is the Chief Information Officer at Dark Matter Technologies.

This column does not necessarily reflect the opinion of HousingWire’s editorial department and its owners.

To contact the editor responsible for this piece: [email protected].