- Use different (strong) passwords for every account; don't log onto public Wi-Fi; never leave your devices unattended.
- Training employees on email and physical security best practices is a good investment for real estate companies.
Now that we are living so much of our lives online, the risk of identity theft and data compromise — which has always been around — has increased by leaps and bounds.
Hackers can install malware on your devices from across the world, holding your personal information for ransom, or send an email from “your” email server to your buyer clients instructing them to wire their earnest money payment to a different bank account.
Sometimes they target entire companies.
And if large companies like Yahoo, Sony or even Keller Williams are unable to prevent breaches, then what chance do you have?
Some. At least according to tech security experts who specialize in real estate. And the more security measures you take, the better your odds of escaping a hack attempt unscathed.
“There’s no such thing as ‘secure,’” noted Matt Cohen, principal consultant at real estate software and consulting firm Clareity. “It’s just like when you buy a safe; they’re rated in minutes to show how long it would take someone to break into the safe, and there is no ‘infinity-minute’ safe that takes forever to break into. It’s about reducing risk, not about eliminating all risk.”
Here’s a summary of suggestions for how to reduce your own risk, both for individual agents and larger enterprises.
1. Care enough to take action
“This stuff is real, it’s not made up,” noted technology educator Juanita McDowell. “What tends to happen is, someone waits until their friend or company has this identity theft crisis and then says ‘Oh my gosh, I’d better start doing something here.’”
But it’s probably better to lock the barn door before all the livestock escapes — right?
2. Strengthen your password game
We know: Passwords are annoying, and there’s no humanly possible way to remember 800 different passwords for all your different logins.
However, if (like many technology users) you are reusing the same password for a bunch of different platforms — stop it.
Alex Camelio, another real estate tech educator, notes that if a tech breach at a big company leaks your user name and password, that’s probably not a big deal … unless you use the same password elsewhere.
“What they do is use that user name and password to immediately go after your email, banks — everything you can imagine,” he noted. And if you’re recycling passwords, they just might get in.
“If you are a victim of a hack in any way, the first thing to do is change every password of any associated account,” said Craig Grant, CEO at the Real Estate Technology Institute. (Grant also teaches tech best practices with McDowell and Camelio.)
“Most people just focus on the one company that gets hacked,” he added, “and they don’t think about other platforms where they use the same or a similar password.”
Password vaults are one option, but those are also hackable. Camelio suggests this memory trick: Invent a strong “base” password with lowercase and capital letters as well as numbers and special characters, and then append a “trailer” to that strong base for every website. (So, for example, maybe your Twitter password is p@S$w0RdDorsey and your Facebook password is p@S$w0RdZuckerberg — that said, please don’t create a “strong” base password out of the word “password.”)
3. Implement two-factor authentication
Google offers this for its email platforms, and Facebook and Twitter also give users the option of two-factor authentication.
Two-factor authentication adds an extra step when you’re logging into an account on a new device — typically a text message is sent to your mobile device with a code to complete logging in. Your hacker would need access to your phone in order to get into your account, and since a malicious stranger is not likely to have physical possession of your smartphone, two-factor authentication can keep your accounts safer.
You’ll also get a notification when anyone logs into your accounts from a new device.
4. Be wary clicking links or downloading attachments when checking email
One easy way to keep yourself safe, Grant says, is “don’t click on anything anymore.”
He means it, too. “Unless you know it’s 100-percent legit, clicking on any link in any email or text message is dangerous these days,” he added. “A lot of people are using your own friends list against you.”
What to do instead? Hover your mouse over a link to see where it redirects — or Google the link and find it via the search engine instead.
And most definitely do not download strange attachments either.
5. Back it up
Ever heard of “ransomware”? That’s what the “WannaCry” attack earlier this year was. It held files “hostage” until victims paid a ransom for their files.
“What that’s playing on is that people don’t want to back up their data because they don’t understand the importance of it,” McDowell explained. But if you do regularly back up your data, then your files can’t be held for ransom … because you still have them all.
6. Reconsider free Wi-Fi
“Public Wi-Fi is the easiest way on earth to get hacked, and I can’t tell you how many Realtors work out of a Starbucks,” Grant said. “That’s a prime location for a hacker; think about how many people a day jump into a Starbucks to get coffee and use their computer.”
“Absolutely, positively never ever get on a free Wi-Fi network,” agreed McDowell. Both Grant and McDowell suggest using a personal hotspot when you’re out in public.
And remember: the more people that are likely to be on a network, the greater the risk. “It’s always a numbers game,” explained Grant; you’re likely a lot safer logging onto the Wi-Fi on your flight than you would be connecting to the airport’s free network while you’re waiting to board because there are fewer people who have access to the plane’s Wi-Fi than the airport’s Wi-Fi.
The point is, it might be free now, but it could cost you later. “The reality is, these days — to be safe — you have to spend some dollars,” Grant added.
7. Invest in a strong anti-virus solution
It’s a huge misconception that any computer comes with “built in” anti-virus protection, experts say. (And that includes your iPhone!)
“Having good anti-virus solutions on every device — not just your computers, but also your mobile device — is important,” Grant said.
“In my data security classes, you’re not allowed to call it a phone,” McDowell said. “You call it ‘a mini computer that happens to have a phone function.’”
8. Vet your vendors
When Grant sees a real estate agent using a Yahoo email account, he has to wonder what they’re thinking.
“Yahoo was always bad at security, and they had a big breach and didn’t admit it,” he noted. “If you’re still using an AOL or Yahoo email account, it could come back to bite you.”
Try Google instead. “Google isn’t only good at security, they create almost every single security protocol — they invented two-factor authentication and tokens,” Grant added. You can sign up for a domain-specific Google email account for $50 a year, or just use the free @gmail.com domain, and take advantage of all Google’s resources — it can replace less secure file-sharing options (like Dropbox) with its Drive features, too.
Just a little bit of research on that vendor and how it treats security can save you a big headache down the line.
10. Arrange for alerts if something happens
A credit-monitoring service might sound like overkill — but it will let you know if and when someone is trying to use your personal information to create a new account. So if you’re worried that your data might already be “out there,” think about it.
Keller Williams is offering a free year-long membership in Experian IdentityWorks for any associates whose information might have been compromised in its recent breach.
11. Don’t leave your devices unattended
“I’m in the library a lot,” McDowell noted, “and somebody gets up to go across the way, and they don’t take their phone or computer with them. Now you’re setting yourself up because someone could sit down and put spyware on your computer that they know how to do in less than 30 seconds.”
It sounds obvious, but it still bears mentioning: Don’t do that.
12. Update, update, update
You’re not necessarily getting that update notification just because Apple or Microsoft thought you needed a cool new feature.
Update your operating systems as soon as an update is available. “I can’t emphasize that enough,” McDowell said. “They might know about a virus that you don’t know about,” and the update includes the patch. So use it!
13. Slow down!
All of these scams are preying on one common reality: Everyone is in a hurry and has little energy to spare to pay attention to details.
So taking some time to slow down and consider the email you just received could be one of the biggest ways you can reduce your risk.
“If you slow down, you might notice that the link isn’t really the right link, that there are spelling and grammar errors that aren’t normal,” Grant said. “That’s a huge thing anyone can implement without being a geek.”
If it’s necessary for you to keep sensitive information — like passwords or Social Security numbers — then it’s a good idea to encrypt them. “Any system I’ve ever built, even if you got in, you couldn’t get the passwords,” Camelio explained. “Even if someone could get to them, it’d be a bunch of jumbled letters and wouldn’t mean anything to anyone.”
Grant also endorses encryption, noting that hackers “just kind of go for the lowest-hanging fruit, and they’ll typically move onto an easier target” if you’ve bothered to encrypt your data.
Encryption isn’t an end-all be-all, though. If someone really wants that data, they can still access it; there’s usually a piece of code stored somewhere on the network that decrypts the data, noted Cohen, so don’t count on an encryption-only strategy.
15. Explain email best practices to employees
Remember when hackers stole 40 million user names and passwords from Sony? That happened, Camelio said, because “one of their employees clicked on one bad email and got a virus on their computer, which opened up the network — which let somebody else in to get the whole thing. It was literally one bad link in one email.”
“If you look at ‘black hat’ hackers, their target is the employee,” McDowell said. “That’s the easiest route in because employees have a natural inclination to want to open up an email” — it’s their job, after all.
16. Create (and implement) policies and procedures
Do you vet people before you hire them? Do you know what steps to take when you’re letting someone go?
If not, then you need to get your arms around your personnel practices — and it definitely doesn’t stop with hiring and firing; you need a document retention policy and much more, too.
“Almost every breach boils down to a lack of appropriate policies and procedures: laying out how things are supposed to be done in the company, followed by contracts,” noted Cohen. You need tech security policies and procedures both for your internal staff and any contractors you’re using.
17. Understand the threats to consumers — and take steps to mitigate them
One of the absolute worst things that could happen to any buyer in a real estate transaction is losing the down payment or earnest money deposit. And hackers are increasingly targeting these wire transfers as a low-hanging source of easy income.
“Some of those scams are so robust that they exactly match the steps and the email between the parties, which means they’ve been sitting on someone’s computer for easily a month-plus, waiting for a deal to go through so they can see every step of that wire transfer before they try to scam any clients,” Camelio noted.
Asaf Cidon, vice president of content security services at tech security firm Barracuda Networks, noted that sometimes a hacker might set up a forwarding rule in an email system to deliver copies of incoming emails to them directly. “They’re doing reconnaissance, and once they see a deal is about to happen, they wait for a time when the buyer is super stressed out, needs to close the deal and doesn’t have a lot of time and needs to wire money. They then email the buyer right before.”
Cidon suggests that agents and brokers prep their buyers by informing them that any wiring instructions or details should be confirmed over the phone — voice call only. “Text is also vulnerable; you can impersonate text messages,” he said.
“Sometimes the folks who are more senior are aware of the risks, but the agents who are handling the deals or the folks more on the operations side don’t have awareness,” Cidon added. “And unfortunately when these things happen, the customers essentially don’t have a way to get their money back. The title company’s not going to return the money; the bank isn’t going to return the money. It’s really scary.”
18. Monitor actively
The days of “having your own servers in your own building and having an IT guy try to build your defenses” are over, said Grant. “The truth is that hackers are so sophisticated that local people won’t be able to keep up.”
So that means active monitoring, possibly using a third-party vendor that specializes in enterprise tech security.
19. Have a data strategy
“Go into all of this with a plan as to what data you’re actually collecting, when you’re collecting it, why you’re collecting it and when you’re getting rid of it,” advised Camelio.
Most states have data disposal laws regarding how (and sometimes when) to purge your data, “and a lot of people have never looked at them,” Camelio added. So that might be a good jumping-off point.
20. Passwords matter here, too
Camelio remembers working with a large city association on a conference event; he needed to arrange for a registration email to blast out to attendees, but it was after hours and he didn’t have the association’s MailChimp password.
“I put it out to one of the folks I worked with,” he recalled, “and two minutes later, he’s like, ‘We’re in.’ He guessed their password. We had access to information from 20,000+ members from a verified account by guessing their password.”
And the thing is, you don’t need to spend hundreds of thousands of dollars on security consulting to create passwords that a hacker can’t guess in two minutes.
21. Consider the physical threat
None of these fancy risk-mitigation techniques are going to make a bit of a difference if it’s easy to get access to data in the physical world.
There are lots of ways this can happen — lost files or devices is just one. “At the heart of it, it’s really straightforward: it’s about building defense and depth,” noted Cohen. “You have a file in a locked filing cabinet, which is inside a locked room inside a locked employee area inside a locked office inside a locked building. Those physical barriers are supplemented with tools like webcams and shredders and alarm systems. I think we all know how these things work.
“That’s a complex view of physical security,” he added, “but even in an agent’s office or home office, keep the file locked up; it doesn’t belong on the dining room table when you’re not there.”
Checks are one of the biggest risks in real estate, according to Cohen. “It has an ABA and a routing number,” he noted. “They are extremely sensitive things, and you do see them on printers and fax machines, sitting in unsecured areas of brokers’ offices and homes. One thing goes awry, and it’s a breach.”
McDowell remembers teaching a class at a small association where she showed up in her suit and told the receptionist she was there to teach a class. She was taken to an empty floor to wait, “and now I’m in the association office,” she remembered.
Of course, she tried a drawer … and it was unlocked. “They’re all unlocked. I had access to every member’s files — everything.”
22. Perform vulnerability tests
“We need to see where we may have some holes, and every system in your network needs to be tested,” McDowell said. “You can’t just say ‘we feel like everything is good.’” Because how do you really know?
“Run some tests and make sure at least every quarter,” she advised. “Larger companies do this every week.”
23. Consider random employee monitoring
What’s the use of training your employees on tech safety best practices if they aren’t actually implementing those best practices?
This is why McDowell suggests random auditing or monitoring so that you can be certain everyone is doing what they’re supposed to be doing.
“You need to really see where they are,” she said. “If you’re using my equipment and my network, I need to do some random auditing before a big disaster occurs.”
She notes that this doesn’t have to be a surprise. “You can tell them in advance that you’re going to do some random monitoring from this period of time to this period of time,” she explained. “We don’t want to go back and worry about our brand and everything we’ve built — we want to make sure everybody has this.”
24. Know how a breach could impact your business
Fair or not fair, your reputation will probably take a hit if your company makes it possible for hackers to access data — especially if it’s consumer data.
And if it happens to more than one company in real estate, that reputation nosedive could ripple out to the entire industry.
“If we don’t get our arms around this kind of problem, I have no doubt we’re going to see regulation that we don’t want to see to a level that we don’t want to see,” Cohen opined.
“And really, getting your arms around the problem and reducing a lot of the risk should not be all that hard,” he added.
25. Have a plan for what to do if it happens
Do you know what you would do if the worst happened and there was a breach of your data?
Who would you inform and in what time frame? How would you deliver the news? What resources or follow-up support will you offer?
This is one plan you’ll hopefully never have to use, but at least if you do have to use it, you can be confident you’re handling the situation properly.
26. Train your staff — over and over again
This is last on the list — but it’s by far the biggest, most important way that companies can protect themselves from a data breach.
“The basic Realtor isn’t getting any training in basic things — what to click on in an email and how to handle it when you get hacked,” noted Grant.
“I’m puzzled by the fact that employee awareness is not there,” McDowell said. “As part of the orientation program, the data security policy should be communicated. It should be incorporated into the new employee or new contractor training — and then it needs to be ongoing.”
Monthly is a good place to start with a training agenda, she thinks. “Just think about how people process information. They walk into a training class and have a hundred things going on; they’ll walk away with one or two tips and then go back to what they’re doing.”
So she thinks that incorporating technology security as a learning initiative — as well as into employee training and onboarding — is a good way for companies to build it into their culture.
“If you had this type of culture, then people would understand: ‘slow down, make sure your laptop is encrypted, don’t click on that link, don’t download that attachment.’ If you start with that knowledge and education base, and have a way of pulling it through, then your employees will be more in tune with it.”