Meg White is the former managing editor of REALTOR® Magazine.
Real estate professionals live and die by their data. Without contracts and contacts, transactions wouldn’t happen and pipelines would go dry. But the bits of information that help you run your business aren’t solely of interest to you; hackers may also be hoping to take advantage of the hard work you’ve put into your data management system. The risk of getting “pwned”— tech slang for being tricked online—has become a modern hazard of the profession, and for life in general.
You may think you’re not large or important enough to get the attention of cybercriminals, but your business’ size may be a greater draw than you’d think. As large institutions tighten up controls on their data, smaller businesses could be at increased risk of hacking, notes Chris DeRosa, managing director of financial information systems at the National Association of REALTORS®. “It’s hard to hack Chase Bank these days, so who’s the most vulnerable?” she asks rhetorically, citing studies from the U.S. Small Business Administration that show that 50 percent of small businesses have been hacked and 60 percent of those have been hacked more than once.
Where to Find Help
NAR offers a range of tools, videos, and reports on cybersecurity at nar.realtor/data-privacy-security. The Department of Homeland Security has cybersecurity advisers available to help businesses keep their data safe, whether it’s answering questions about how to remain secure or what to do if you’re in the midst of a damaging cyberattack. The Small Business Administration offers an online class and in-person workshops to small-business owners who want to learn more about managing their risks. The Federal Communications Commission has a custom planning guide where business owners can select the recommendations most relevant to their needs and download a personalized security tool kit. The Department of Justice offers best practices for before, during, and after an attack.
Brokers and agents may be more vulnerable to cyberattack because the line between business and home is often blurred. “They might use a device to do both personal and business functions,” says Tony Perez, head of the business security unit at Scottsdale, Ariz.–based website service company GoDaddy. “The attackers know this. They use [social media and other nonbusiness apps] to gain access.”
While sexy stories about espionage may grab bigger headlines, DeRosa says, the everyday attacks by spammers looking for fresh profiles to scrape are more common and worrisome for real estate pros: “Even if it’s not the North Koreans, think of what a marketing group would do with your customer data.” So how can you ensure that your contacts don’t fall into the hands of spammers, scammers, and crooks? Here are some of the latest recommendations in the fast-changing world of cybersecurity.
If you don’t have the data, there’s nothing to steal. While real estate agents and brokers may need to collect sensitive client information during a transaction, information required for follow-up, such as names and contact information, doesn’t usually fall into the legal category of personally identifiable information, known as PII, that must be protected and disposed of regularly. Be sure to check your state’s laws (and the laws for states where your clients live) for their specific requirements. Driver’s license information and Social Security numbers are definitely in the sensitive category, however, and business owners with such data on file are often legally required to ensure it’s protected from hackers. In case of a breach, brokers and agents often have to contact all past clients whose PII may have been exposed, often by mail. This not only is expensive but threatens your reputation as well.
Some states have specific secure disposal requirements for PII, which will help guide you in how to purge your databases of such information. Beyond state law, the Federal Trade Commission applies a “reasonableness” standard in this area. That means businesses are not required to break the bank or spend inordinate amounts of time protecting or erasing PII. But many programs allow deleted data to be restored with the click of a button through versioning or tracked changes. If data that you’ve deleted remains easily accessible to a hacker through such programs or in your computer’s trash file, the FTC or the courts could find you liable. Brokers may also want to consider an email retention plan that states when emails will be automatically deleted from their databases. Such a plan would include the added benefit that agents can’t rely on brokerage email to function as a CRM, leading to better record-keeping in a stable, secure database. Keep in mind that agents who use their private email accounts for business purposes may put all parties at increased risk.
With more and more brokerages and agents operating professional websites, it’s important to create a firewall separating a business’ public face from its private data.
Perez says most small-business owners will want to rely on an outside company to manage firewalls around their sites and data, unless they have a dedicated security professional on staff. Products such as Cloudflare or GoDaddy’s Sucuri offer website protection and monitoring; Perez says owners of smaller sites may pay as little as $10 to $20 a month for such services. But make sure you understand what you’re getting; other systems such as Amazon’s AWS are fully managed by the user, which puts the onus of monitoring and dealing with potential cyberattacks on you. Perez suggests real estate professionals check with their web service team; many “platform as a service” site hosts, such as Wix or Squarespace, may be already managing this type of security as part of their service agreement with your business. And finally, make sure your site is using the secure protocol, https—not the insecure http—to serve up your online presence to consumers.
Relying on an insecure protocol may affect your standing in search results; many browsers are also beginning to alert users who visit http-based sites that their sessions are not safe, and that’s not an experience that inspires confidence in your brand.
Apart from a firewall that monitors hacking attempts and works to circumvent them, it’s important to encrypt sensitive information, which essentially means creating a secure, electronic key to unlock and access your data. Many basic data storage products can encrypt data that’s “at rest,” as in it’s sitting on a server in your office, a storage provider’s space, or in the cloud.
This type of encryption is commonly offered by data storage providers, including Google Drive, Dropbox, and Microsoft’s OneDrive, with options starting at around $100 per year per user. But remember that the least expensive plans often impose data storage restrictions.
While databases containing sensitive information should be encrypted, it’s also important to consider the levels of security you’re providing to data when it’s in transit. When you send an email, it’s like “you’re sending a postcard in the sense that everybody who handles it can, in fact, read the full content of what you’re sending,” says Protonmail CEO Andy Yen. Though many feel their email is private, in reality, “there’s no envelope,” he adds.
Protonmail is one of a few email providers offering end-to-end encryption for email. They offer limited free options; enterprise accounts will run business owners just over $6 per month for each user. For sending secure files through the Outlook or Gmail platforms, Perez recommends Citrix’s ShareFile program, which encrypts emails and files and works around restrictions on sending large files.
How NAR Protects Your Data
Thanks to the many firewalls protecting NAR’s member information, the association’s databases have never been infiltrated (though there are hundreds of attempts each day).
Because NAR handles credit card information, the association must comply with the Payment Card Industry Data Security Standard, a set of guiding principles that the credit card industry implemented in 2006. This means annual training for staff and frequent audits of NAR’s systems and security protocols.
Chris DeRosa, managing director of NAR’s financial information systems, says auditors are generally impressed with NAR’s efforts. “They don’t even have big corporate customers that have audits as clean as we do,” she says. “We go above and beyond the requirements. For who we are, they are blown away by that.” DeRosa herself has two separate computers that don’t interact with each other so that if hackers gain access to public-facing sites like nar.realtor and apps like email programs, they can’t reach the association’s valuable member and e-commerce data.
If your password is “password,” set this article down right now and go change it. The majority of breaches can be traced back to poor password management, according to DeRosa. Brokers should not only evaluate the level of security provided by their own passwords but also find ways to enforce the use of strong passwords by others accessing their business software and hardware. You likely already know you should use complex passwords, avoid sharing login information, and create unique passwords for each platform.
But there are lesser-known best practices that change over time, based on advice from the U.S. Commerce Department and others. For example, companies are no longer encouraged to require employees to change passwords every three months because it’s not realistic for humans to remember something that switches up that frequently. Instead, complex passwords based on a personal phrase or rule only known to the user are preferred. Also, two-factor or two-step verification is an additional precaution that companies can set up for sensitive databases. This requires the user to provide two sets of information: their username and password and a temporary code that is emailed or texted by the authentication program.
Another common way hackers gain access is through outdated plugins or software vulnerabilities. While there’s no foolproof solution, Perez says one easy—but often neglected—way to stop hacks is by keeping programs current. “We’ve got to get better at these updates,” he says. Updates can be an unwelcome interruption in workflow that sometimes cause unintended glitches when the updated software interacts with other systems on one’s device, but safety should always take precedence over convenience, Perez says. “I always prefer a little bit of ‘bugginess’ over a loss of security.” He will sometimes put off installing “core” updates pushed out by a software company, such as a new version of an operating system, to make sure the bugs are worked out. But anytime he sees a “point release”—something named 4.2, say, instead of simply 4.0—he updates right away. “They’re not doing any major revamps with that,” he says. “They probably patched something very important.” Many companies will offer a reason for the update, which should include information about any patched security vulnerabilities.
Criminals are increasingly gaining access to sensitive data through vulnerabilities in infrastructure, such as buildings. Most remember the massive breach at Target Corp. in 2013, where more than 100 million customer accounts are believed to have been compromised. But the bigger story for building managers is how the hackers got in. “Believe it or not, they gained access through a system weakness found in the network of an HVAC vendor, which was in place to control heating and air conditioning in stores,” says Paul Djuric, CEO of Urgent Technology, a facilities management software company with offices in Chicago, the United Kingdom, and Australia.
He notes that as building systems integrate with the internet of things, they become more susceptible to cyberattacks. “It’s essential for building and facility managers to ensure they have the most rigorous security protocols in place. One of the most important steps is to keep a company’s building management systems separate from its main corporate IT systems.”
Not all attacks involve stealing your data and selling it on the black market. Cybercriminals are increasingly using ransomware to lock users from accessing the data on their own computers. This breed of hackers will then send a message offering to restore access to the machine and its files in exchange for money.
As DeRosa notes, following their demands and paying the hackers won’t solve your devastating problem. “They’re not going to send you the encryption key,” she says, noting that even if they wanted to, they’d have no way to identify which computer owners have paid up and should have their data restored. Thankfully, she says circumventing such attacks is very simple: “Keep daily backups stored offsite.” That way you’ll only lose the data you’ve accumulated since the last backup.
While a ransomware attack is announced loudly and unequivocally to victims, hackers who are looking to steal your data and sell it on the black market are often silent. That’s why you’ll hear in media reports about hacks where it took months—or even years—for companies to notice their data has been compromised. NAR’s Chris DeRosa says it’s often auditors or other outsiders who notify companies that they’ve been hacked, which is why she recommends hiring an outside security company to assess your business’ data security system. It’s not good enough to simply have a log of all the accounts that are attempting to access your databases; if no one is checking such logs for suspicious activity, they don’t offer much protection. DeRosa recommends doing this sort of access check at an individual level, too. “Read your bank statement. Do your own logging,” she says. “The health care industry accounts for some of the biggest breaches. But how many people read their EOBs [explanation of benefits]?” This is all to underscore that, as important as security policies are, they don’t accomplish anything if there isn’t real action backing them up. “A lot of brokerages will write a policy, they’ll frame it, but they won’t enforce it,” says DeRosa. She recommends running “fire drills” annually, where security protocols and incident response plans have to be followed and tested out.
The harsh reality is that pretty much every major company out there with valuable consumer data has been hacked, and many have fallen prey multiple times. DeRosa notes that with all the high-profile hacks within the last two years, targeting companies like LinkedIn, Dropbox, DocuSign, Google, and Yahoo, it’s likely that your data is up for sale on a section of the internet that is not indexed by search engines, and is often used for nefarious purposes. “It would be naive to think that most of your information isn’t out on the dark web and available quite cheaply,” she says. One reliable place to check whether your email accounts have been compromised in a data breach is haveibeenpwned.com, a site created by independent Microsoft developer Troy Hunt. It aggregates data from publicly disclosed breaches into a database that you can use to see if you’ve been “pwned” (a hybridization of “owned” and the term “pawned” in chess).
The breadth of data insecurity online can make an individual businessperson feel a bit hopeless. But DeRosa says human interaction will do more than beefed-up firewalls and end-to-end encryption to stop scammers and spoofs. If you get an email requesting sensitive data, reach out to the sender using another contact method. “You can never go wrong having a personal conversation. That’s the best way to validate identity,” she says. While there’s no surefire way to safeguard against hacking, DeRosa says the smartest plan for staying safe is to avoid succumbing to a powerful, and all-too-familiar force: inertia.