In information security, we’ve been talking about resiliency for a long time. The goal is to survive the attack, recover quickly, and return to normal operations. However, in today’s environment where attackers adapt and evolve daily, resilience alone is no longer enough. we must go further. We must embrace anti-fragility.
Nassim Nicholas Taleb coined the term “antifragile” in his book, Antifragile: The Goods of Anarchy. Taleb’s research originally focused on financial risk management, describing systems that not only withstand shocks, but also improve with them. Unlike resilience, which aims to restore the status quo, antifragility means that stress, instability, and disruption actually strengthen the system.
We felt this concept was essential for cybersecurity, especially in industries like mortgage, real estate, and title, where vast amounts of financial and consumer data are constantly targeted. Williston Financial Group (WFG) experiences an average of 80,000 to 120,000 cyberattacks each month. Every week, we encounter hundreds of phishing emails, wire fraud attempts, and other malicious intrusions. The reality is clear. Our enemies are relentless and the status quo is not good enough.
Learn from Kintsugi
To illustrate antifragility in a way that resonates, I often use the Japanese art of kintsugi, which means “golden fittings.” I first heard this analogy during a conversation with a colleague at an information security leadership conference, and it immediately struck me. Rather than throw away broken pottery, Japanese craftsmen repair its cracks with gold, creating entirely new pieces that are stronger, more beautiful, and more valuable than the original. Corruption is not hidden. It is celebrated as part of the object’s history.
Cybersecurity needs to work the same way. When we experience a breach, phishing attempt, or suspicious event, we shouldn’t just patch the cracks and expect things to go back to “normal.” We must be stronger, smarter, and ready to withstand the next attack. Every incident, large or small, is an opportunity to add money to the cracks in our defenses.
Beyond resilience
The difference between resilience and antifragility is profound.
Resilience means recovering and getting back on track after an incident. Anti-vulnerability means using that incident to move forward and create a new, stronger baseline of protection.
Most organizations treat major breaches as lessons learned. They conduct postmortems, update processes, and implement new defenses. But what about smaller-scale events, such as a phishing email caught by a filter, an employee nearly clicking on a malicious link, or an attempted wire fraud? Often, these events are dismissed as routine “noise.”
The anti-vulnerability model treats every event like an incident. Every close call prompts an analysis: “Why did this happen?” How could it have been worse? What can you do to ensure you’re better next time? This mindset allows you to continually strengthen your defenses, turn every attack into intelligence, and force attackers to work harder with each attack attempt.
Why is it important for mortgages and real estate?
For mortgage and real estate professionals, cybersecurity may seem like a background concern and something for IT teams to address. But the truth is, our industry has unique attractions for cybercriminals. Wire transfers, personal financial data, and the rapid movement of large sums of money are our main targets.
Even a single misstep can have devastating consequences, including decreased customer confidence, financial loss, regulatory scrutiny, and reputational damage. However, in the anti-vulnerability model, each attempted attack is an investment in stronger defenses. Rather than fear disruption, we leverage it to continually improve how we protect our business and clients.
real example
Consider a recent incident where scammers used phone-based phishing strategies instead of regular email links and attachments. An unsuspecting user called the number, spoke to a persuasive “support agent,” and was persuaded to download remote access software. Our systems contained the damage, but the lesson was clear: the threat landscape is constantly changing.
Rather than simply recover, we changed our response protocols, blocked unnecessary tools, and adjusted our training. As a result, we are better equipped to prevent the same tactics from succeeding again. That is the practice of antifragility.
Building a vulnerability prevention security program
To build a vulnerability protection system, organizations need to address the following:
See every event as an opportunity. Don’t wait for a catastrophic breach. Let’s learn from small things. Consistently perform post-mortems. Think not only about what happened, but also why it happened and what new measures you can take to prevent it from happening again. Celebrate improvement, not just recovery. Just as kintsugi highlights fissures filled with gold, recognize and accept how your defenses are strengthened with each test. Stay dynamic. Cybersecurity is not static. Each event changes the baseline, forcing the attacker to work harder each time.
call to action
Cybersecurity in the mortgage and real estate sector is no longer just about maintaining boundaries. The volume and sophistication of attacks will only increase. Resilience is important, but so is anti-fragility.
We need to view each intrusion, phishing attempt, and fraud scheme not as a setback, but as an opportunity to emerge stronger. Like Kintsugi pottery, our defenses must bear the marks of past battles. This is a tangible reminder that we didn’t just survive, we improved.
By adopting antifragility, we don’t just protect our business. We evolve them. In doing so, we protect the trust that is at the heart of every mortgage, every real estate transaction, and every closing.
Bruce Phillips, CISSP, is Chief Information Security Officer at Williston Financial Group.
This column does not necessarily reflect the opinion of HousingWire Editorial Department or its owners. To contact the editor responsible for this piece: [email protected].
