A cybersecurity plan is not something that you create once. As a business owner, and even as a smart consumer, you should be aware of current cybersecurity issues, what to watch for, and how to help protect yourself and your business. And, as we know in the real estate industry, if one of our real estate partners is at risk, everyone in the transaction can be exposed.
At the recent National Settlement Services Conference in San Antonio, TX on June 8th, the Federal Trade Commission and SunTitle presented on cybersecurity. Here is an overview of what was presented along with tips and tricks to help protect your business and your customers.
According to the panel:
- 70% of organizations have been hit by cyberattacks in the past 12 months.
- 60% of all targeted attacks strike small and medium businesses.
- 50% of attacks result in insolvency within 6 months.
Companies have a blind spot both culturally and procedurally. Fraudsters are smart and connected, and according to the FTC they have unlocked the last few pieces of our business processes and fully understand how we do business. Fraudsters are playing the long game. After a data security breach they typically wait 200 days before acting. Fraudsters are in the system prior to fraud for 150-180 days on average.
First they learn your business, look for opportunities while biding their time, and then sweep in. Recently the Wall Street Journal reported that, of all emails with attachments, 50% are malicious. This number is staggering. And, to top it off, fraudsters are preying on the social relationship.
We need to understand what we are up against. There are several types of fraud, including:
- System penetration
- Social engineering
Threats to your business
- Brute force attacks (a low-tech approach that tries to get into your network by repeatedly trying credentials)
- Targeted penetrations
- The “entry point”
- Installation of malware or ransomware
- Screen scraping, mirroring, etc.
- Inadequate funding and ID verification procedures
- Accepting “new” information that arrives through a different process than usual, or that you were not expecting (this is the biggest concern for our industry right now)
- Social engineering and Business Email Compromise (BEC)
- “I got tricked”
- Real-time interaction and compelling manipulation strategies
- Hover over hyperlinks, do not just click links in emails.
- Educate yourself, your employees and your real estate partners.
- Review and implement the Federal Trade Commission Protecting your Personal Information: A Guide for Business
- Create a culture of compliance:
- Take stock – know what personal information you have in your files and on your computers.
- Scale down – keep only what you need in your business. Identify how long you need the information, and understand that data is a liability.
- Lock it – protect the information you keep (physical security, electronic security, employee training (the biggest vulnerability), vendors).
- Pitch it – properly dispose of what you do not need.
- Plan ahead – Create a plan for responding to security incidents.
Layer on Best Practices
To help defend your security and data, the panel recommended layering best practices for hardware, software, people and processes to protect your business. Please see the outlined best practices below:
Technological Best Practices:
- Secure remote access and active sessions
- Encrypt data in transit and at rest
- Segregate data
- Tether machines
- Install firewalls, VPNs and other devices (needs to be a pre-vetted device with VPNs; you can use multiple firewalls; create a honey pot, a ruse to draw in fraudsters and keep real information safe and protected)
- Don’t share devices
- Restrict device activity
- Third party penetration testing (ABSOLUTE MUST: you need to understand where your vulnerabilities lie; use vendors that can provide you with a report)
- Complex passwords
- 3rd party password manager
- 2FA (2-factor authentication)
- Monitor networks in real time
- Use email “spam” service
- Limit permissions and rights
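The “brute force attacks” threat listed earlier and the “monitor networks in real time” practice above come together in a simple detector. The following is an added example, not code from the original post or from the conference panel: it reads constructed authentication log lines (the format is invented for this example, not any product's), counts failed logins per source address inside a sliding time window, raises an alert when the count crosses a threshold, and also flags a successful login from an address that was just alerted on, which is the case a responder most needs to see.

```python
"""Flag brute-force login attempts in authentication logs (added example).

Log format is constructed for this example:
    <ISO-8601 timestamp> LOGIN_OK|LOGIN_FAIL user=<name> src=<address>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one address fails five times in ten seconds and then
# succeeds; another address has two unrelated failures far apart.
SAMPLE_LOG = """\
2024-01-15T09:00:01 LOGIN_FAIL user=jsmith src=203.0.113.7
2024-01-15T09:00:03 LOGIN_FAIL user=jsmith src=203.0.113.7
2024-01-15T09:00:05 LOGIN_FAIL user=jsmith src=203.0.113.7
2024-01-15T09:00:07 LOGIN_FAIL user=jsmith src=203.0.113.7
2024-01-15T09:00:09 LOGIN_FAIL user=jsmith src=203.0.113.7
2024-01-15T09:00:11 LOGIN_OK user=jsmith src=203.0.113.7
2024-01-15T09:05:00 LOGIN_FAIL user=mlee src=198.51.100.4
2024-01-15T09:20:00 LOGIN_FAIL user=mlee src=198.51.100.4
2024-01-15T09:40:00 LOGIN_OK user=mlee src=198.51.100.4
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ok": m["result"] == "LOGIN_OK",
        "user": m["user"],
        "src": m["src"],
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return a list of alert dicts.

    kind == "burst": `threshold` or more failures from one source within `window`.
    kind == "success_after_burst": a successful login from a source already
    flagged, which is the event worth escalating immediately.
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) failures in window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["ok"]:
            if src in alerted:
                alerts.append({"kind": "success_after_burst", "src": src,
                               "user": ev["user"], "at": ev["ts"]})
            continue
        q = recent[src]
        q.append((ev["ts"], ev["user"]))
        # Drop failures that have aged out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"kind": "burst", "src": src,
                           "failures": len(q),
                           "distinct_users": len({u for _, u in q}),
                           "from": q[0][0], "to": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The `distinct_users` count is there so the same detector also surfaces password spraying (many accounts, one address), which a per-account lockout rule alone would miss; the threshold and window are tuning knobs, not fixed values, and should be set from what normal logins look like in your own environment.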
Process Best Practices:
- Policies and procedures:
- System access
- Password management
- Information receipt, custody, retention and destruction
- Wire and ID confirmation
- Restrictions on access
- Suspicious and “surprising” emails must be screened and verified
- Educate yourself and train your people
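The advice to hover over hyperlinks rather than click them, and the process rule that suspicious or “surprising” emails must be screened before anyone acts on them, can both be backed by a small screening script. The following is an added example, not code from the original post or from the conference panel: it parses the HTML body of an email, and for every link compares the host the visible text appears to point at with the host the `href` actually points at, flagging mismatches, links to raw IP addresses, and external destinations hidden behind innocuous text. The trusted host list and the sample email are constructed for this example.

```python
"""Screen the links in an HTML email body before anyone clicks them (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Hosts the business itself uses; anything else is treated as external.
# Constructed sample values for this example.
TRUSTED_HOSTS = {"example-title.com", "www.example-title.com"}

# Constructed sample email: the visible text shows a trusted address, but the
# link actually goes to a raw IP address.
SAMPLE_EMAIL = """<p>Wiring instructions have changed. Please review:</p>
<a href="http://198.51.100.23/docs">https://www.example-title.com/wire</a><br>
<a href="https://www.example-title.com/portal">Client portal</a>"""

_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)
_IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text] of the <a> being read

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def _host(value):
    """Return the lowercase host of a URL or bare domain, or '' if there is none."""
    value = value.strip()
    if not value:
        return ""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def screen_links(html_body):
    """Return a list of (href, reason) for links that deserve a second look."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        text = text.strip()
        target = _host(href)
        if not target:
            continue  # mailto:, relative links, etc. are out of scope here
        if _IPV4.fullmatch(target):
            findings.append((href, "link points at a raw IP address"))
        if _LOOKS_LIKE_URL.match(text):
            # The text itself looks like an address: it must agree with the href.
            shown = _host(text)
            if shown and shown != target:
                findings.append((href, f"text shows {shown} but link goes to {target}"))
        elif target not in TRUSTED_HOSTS:
            # Policy choice for this example: any external destination hidden
            # behind plain text is surfaced for a human to verify.
            findings.append((href, f"external link to {target} hidden behind text {text!r}"))
    return findings


if __name__ == "__main__":
    for href, reason in screen_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

A finding does not prove the email is fraudulent; it is the cue to apply the wire and ID confirmation procedure and verify the request through a channel you already trust, rather than through anything in the email itself.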
People Best Practices:
- A culture of compliance and curiosity
- Observe and react in real time
- Never enter login info
- Don’t click on attachments without verifying
- Save information on the server not the computer
- Secure all information
- Be curious, skeptical and think before you act
Here are a few resources for you as you create your cybersecurity plan:
- Federal Trade Commission Protecting Personal Information: A Guide for Business @ https://www.ftc.gov/tips-advice/business-center/guidance/protecting-pers...
- Federal Trade Commission Start with Security: A Guide for Business @ https://www.ftc.gov/tips-advice/business-center/guidance/start-security-...
- Federal Trade Commission Copier Data Security: A Guide for Businesses @ https://www.ftc.gov/tips-advice/business-center/guidance/copier-data-sec...
- Federal Trade Commission Data Breach Response: A Guide for Business @ https://www.ftc.gov/system/files/documents/plain-language/pdf-0154_data-...
- Federal Trade Commission Small Business Center @ https://www.ftc.gov/about-ftc/bureaus-offices/bureau-consumer-protection...
- Federal Trade Commission Business Blog @ https://www.ftc.gov/news-events/blogs/business-blog
Don’t forget, your cybersecurity plan is not a “one and done”. It is a living document that continuously changes and is updated.
To receive updates from Tandy on Real Estate direct to your inbox, please subscribe here.