Protecting your data — and your clients’ data — should always be top of mind. We sat down with Don Boian, Security Outreach Director at Huntington Bank and former Defense Intelligence Senior Executive at the National Security Agency (NSA), to talk about how you can ensure your safeguards are effective.
CR Magazine: Scammers are everywhere, and during the COVID-19 pandemic, there was a real uptick. What steps can REALTORS® take to help protect consumers, as well as themselves?
As REALTORS®, scammers may target you and your business. Every natural disaster, including the current pandemic, has an inherent sense of urgency behind it. We all conduct business either online or over the phone, providing scammers the opportunity to leverage that urgency to elicit a quick response and lure you into divulging sensitive information or clicking on a malicious link.
It is critical to establish strong verification procedures to validate all requests for confidential data, financial transactions, or other non-public information. All phone calls, emails and texts should be verified through a secondary communication channel. Be particularly cautious when responding to text messages, as links in those messages can be malicious.
Be aware that caller ID can be “spoofed”, making it appear to be from a local number or agency you may already know and trust. Also, never download software or applications during unsolicited phone calls, even if the caller claims to be from technical support.
CR: If you get an email that doesn’t quite feel right, what do you do?
We tend to know our clients and suppliers and their respective communications styles. If something seems off, it’s worth the time to take the extra steps to make sure the request is valid. Check for common red flags, such as poor grammar, misspellings, sense of urgency or uncommon salutations.
Look very carefully at the sender’s email address, specifically the domain name. Oftentimes, scammers will change a letter or character to look similar to a trusted domain in an attempt to trick you into sending sensitive data.
CR: That’s great for when you’re working with outside vendors and clients — but what about your own data? We carry sensitive information around on our personal phone and laptop. What are some of the data protection basics that we need to be investing in?
The very first step is to understand that we all have sensitive data on our devices.
As a business owner, you should know what kind of information you collect and store as part of your business. Whether it’s financial information or basic contact information, you should be prepared to contact those impacted in the event of a security breach, as some states (including Illinois) have legislation that dictates how you need to inform consumers that their information has been compromised.
If you have employees, you likely have sensitive personal information about them, such as contact information, social security numbers, HIPAA-related health plan information, and financial account data for direct deposit.
Backing up all data regularly on multiple media types is highly recommended to help ensure any data lost due to a breach or loss of hardware can be restored.
Data on smart phones may be backed up to the cloud, but you may want to also have a local copy on a removable device to store in a different location as an added precaution against fire or other natural disasters.
In addition to backing up your data, it’s also important to encrypt your laptop and other devices to help prevent data from being compromised in the event a device is lost or stolen. Most laptops now provide built-in encryption options.
CR: What if you don’t have an IT department and you’re not necessarily tech savvy — how can you DIY a more secure environment?
Now that most of us are working from home, ensure all your home network devices are updated with the latest software and have the latest security patches. Make sure all of your devices are up to date and are
using the most recent version of the operating system. Turning on auto-update is one way to ensure security patches are installed in a timely manner.
Only download software from reputable sources and app stores. Also, make sure you’re using anti-virus or some form of anti-malware software on your system.
It’s ideal to create a separate network segment called a subnet for your professional devices to isolate them from your personal connected devices, like your Alexa or Google Home, DVR, home systems and WiFi thermostat; those devices could create a vulnerability to your professional environment.
It’s a good financial practice to set up limits and alerts on your accounts, which will notify you when purchases are made without a card being present or are outside of your established limits. Monitor your account statements carefully and check your credit reports and scores often.
Finally, make sure you change the default passwords on all your home devices, as most of them come with a default password; scammers and hackers know this and they will take advantage of it. Any device on the internet, especially those with audio visual capabilities, are hackable, including robot vacuums and doorbells.
CR: What should you do when you get a notification that says, “your data has been exposed in a breach?” And, what should you do if somehow your data or your clients’ data is compromised?
Try and get some clarity around what exactly has been breached. If you’ve been notified of a breach by a company, contact them and find out what specific information.
If you or your clients’ sensitive or personal data was breached, freezing credit at all three credit reporting agencies is an option to reduce the probability of identity theft. Additional information about this free service can be found on the credit reporting agencies’ websites.
If the data breach is financial in nature, notify the impacted financial institution and request a flag be placed on the account(s) to raise the institution’s awareness of potential misuse of the account.
If you become the victim of identity theft as a result of a breach, follow your state attorney’s direction for both reporting identity theft and for taking action.
CR: That’s great for when you’re working with outside vendors and clients — but what about your own data? We carry sensitive information around on our personal phone and laptop. What are some of the data protection basics that we need to be investing in?
The very first step is to understand that we all have sensitive data on our devices.
As a business owner, you should know what kind of information you collect and store as part of your business. Whether it’s financial information or basic contact information, you should be prepared to contact those impacted in the event of a security breach, as some states (including Illinois) have legislation that dictates how you need to inform consumers that their information has been compromised.
If you have employees, you likely have sensitive personal information about them, such as contact information, social security numbers, HIPAA-related health plan information, and financial account data for direct deposit.
Backing up all data regularly on multiple media types is highly recommended to help ensure any data lost due to a breach or loss of hardware can be restored.
Data on smart phones may be backed up to the cloud, but you may want to also have a local copy on a removable device to store in a different location as an added precaution against fire or other natural disasters.
In addition to backing up your data, it’s also important to encrypt your laptop and other devices to help prevent data from being compromised in the event a device is lost or stolen. Most laptops now provide built-in encryption options.
CR: What if you don’t have an IT department and you’re not necessarily tech savvy — how can you DIY a more secure environment?
Now that most of us are working from home, ensure all your home network devices are updated with the latest software and have the latest security patches. Make sure all of your devices are up to date and are
using the most recent version of the operating system. Turning on auto-update is one way to ensure security patches are installed in a timely manner.
Only download software from reputable sources and app stores. Also, make sure you’re using anti-virus or some form of anti-malware software on your system.
It’s ideal to create a separate network segment called a subnet for your professional devices to isolate them from your personal connected devices, like your Alexa or Google Home, DVR, home systems and WiFi thermostat; those devices could create a vulnerability to your professional environment.
It’s a good financial practice to set up limits and alerts on your accounts, which will notify you when purchases are made without a card being present or are outside of your established limits. Monitor your account statements carefully and check your credit reports and scores often.
Finally, make sure you change the default passwords on all your home devices, as most of them come with a default password; scammers and hackers know this and they will take advantage of it. Any device on the internet, especially those with audio visual capabilities, are hackable, including robot vacuums and doorbells.
CR: What should you do when you get a notification that says, “your data has been exposed in a breach?” And, what should you do if somehow your data or your clients’ data is compromised?
Try and get some clarity around what exactly has been breached. If you’ve been notified of a breach by a company, contact them and find out what specific information.
- Was it just my name and my phone number?
- Was it more personal information about me?
- Was it my social security number?
- Was it my banking information?
If you or your clients’ sensitive or personal data was breached, freezing credit at all three credit reporting agencies is an option to reduce the probability of identity theft. Additional information about this free service can be found on the credit reporting agencies’ websites.
If the data breach is financial in nature, notify the impacted financial institution and request a flag be placed on the account(s) to raise the institution’s awareness of potential misuse of the account.
If you become the victim of identity theft as a result of a breach, follow your state attorney’s direction for both reporting identity theft and for taking action.
