Data security is crucial regardless of industry or sector. But in real estate, it’s never been more important.
Real estate transactions include dozens of parties, servers, networks and countless exchanges of highly personal, sensitive data over extended periods of time. And as more and more big players take their processes digital, the risk grows even higher.
Just look at the headlines for insight. The number of recent data breaches is unsettling, at best, and they’re happening everywhere from title companies and data firms to real estate brokerages and mortgage lenders. No one’s safe—especially not the consumer.
It just reinforces the deep commitment our industry must make to data security—as well as to understanding what makes us vulnerable and how these breaches occur. Knowledge is, as they say, the ultimate power.
What’s at Risk?
The real estate industry has seen countless breaches in the last few years, exposing millions of buyers, sellers and organizations to both personal and financial risk. Often, they lead to instances of wire fraud—a growing problem that’s jumped over 1,000 percent since 2015.
But that’s not the only repercussion. Real estate data breaches run the gamut in terms of methodology and approach. In some, hackers gain access to a vulnerable email account, and subsequently, valuable transaction data, while in others, a hole in security allows prying eyes to see sensitive data, documents and account information.
Data breaches in our industry generally stem from:
Poor Email Account Security
Business email compromise is a leading form of data breach not just in real estate, but across all industries. According to the FBI, it resulted in $1.2 billion in financial losses last year. Real estate accounted for $150 million of those losses alone.
Here’s how it generally works: Criminals use malware, spoofed email accounts or a phishing attack to gain personal information, access to an email account or even to an organization’s entire network. They then spend days, months or even weeks monitoring transaction-related data or conversations, gaining an understanding of all the players and moving pieces involved.
Finally, they use that knowledge to craft a fraudulent email claiming to be a trusted party within the transaction. They usually ask for funds to be wired or some sort of payment to be made (often under the guise of avoiding a closing delay or other unwanted issue).
Unsecured Wi-Fi Connections
Working on the go is common in real estate—especially among busy agents and remote professionals. But using unsecured Wi-Fi networks, especially public ones (at Starbucks, for example), can make data breaches incredibly easy for hackers. When sensitive data is exchanged using these connections, it presents even more of a risk.
These occur when an unwitting party clicks on an infected link or email attachment, giving hackers access to their machines, data, network and or real-time activity. Hackers can also take control of routers and other connected devices using these strategies.
Ineffective or Out-of-Date Network Security
Inadequate security measures and holes in the system are often the problem, leaving backdoors wide open for hackers and unauthorized data access. Some of the industry’s biggest breaches have been due to this issue—with entire servers of documents left unsecured and easily accessed by a simple, publicly available URL.
In all these instances, a properly trained professional can make all the difference. Real estate professionals need to be educated on the vulnerabilities the digital age presents for our data and the American consumer. Learning how to recognize phishing and malware attempts, knowing the signs of wire fraud and understanding proper password hygiene and security protocol is vital, no matter what sector of the industry you fall under.
Companies need to have stringent compliance standards in place to ward off data breaches—breaches of our data, our partners and our customers—but the industry, as a whole, has a long way to go yet. According to a study from Ernst & Young, 91 percent of real estate industry pros say their organization’s cybersecurity measures aren’t enough.
Here are some ways your company can move the needle and up its protective measures:
- Employee Training – The first line of defense is always a properly trained staff. Team members need to understand what attacks our industry is facing, as well as what vulnerabilities cause them. If you’re not able to create an in-house training program to address these issues, consider using an outside source like KnowBe4 or Mimecast.
- Phishing Monitoring and Testing – There are many tools out there that can help you both monitor your email networks for phishing attacks and detect them when they hit. On top of this, you can even do phishing attack simulations to test your employees on their vulnerabilities. This can help guide you on proper training strategies for educating your team.
- Whitelisting – Whitelisting can help ensure your employees aren’t fooled by spoofed email addresses—ones that, on first glance, look quite similar to ones they regularly do business with. With whitelists, you or your administrator adds approved email addresses and domains to a “safe list” of sorts. Only messages from these emails can hit your team’s inboxes, while the rest are resigned to spam or junk folders.
- Advanced Threat Protection – Many email clients come with advanced threat protection add-ons that can help stave off phishing attacks, detect malware attempts and investigate these attempts on your behalf. Microsoft’s Office 365 has one such product, as do cybersecurity pros like Symantec and Proofpoint.
- Intrusion Detection Tools – These tools can protect your business from a network-wide standpoint. They’re designed to add an extra layer of protection to your already existing firewall and help detect any suspicious activity occurring on the network or by its users.
Unfortunately, data breaches aren’t just rare, one-off occurrences. They’re becoming more and more common across all areas of the industry. In fact, data from Proofpoint shows that in just the third quarter of 2018, real estate organizations experienced an average of 54 attempted cyber attacks per company. Between 2017 and 2018, each organization saw around 277 attacks.
Does your company have practices in place to prevent attacks like these? Will you be ready when one hits? These are the questions we should answer now—before it’s too late.
Todd Teta is chief technology officer for ATTOM Data Solutions.