Last year, more than 143 million people had their data exposed by a data breach perpetrated against Equifax. Cybercrimes against large corporations such as Target or The Home Depot are top news stories. However, hackers are far more likely to target small businesses like your brokerage. In fact, companies with less than 250 employees are the most targeted by hackers, according to a report from Symantec.
Because of the nature of the job, REALTORS® are often on-the-go, using a personal phone and public WiFi network, putting you and your clients at a much higher risk of exposure. As REALTORS®, you’re trusted by your clients with sensitive information, such as Social Security numbers, bank account information and drivers’ license numbers. While you’re collecting this data for credit checks or mortgage documents, you’re also opening your clients up to irrevocable damage if it ends up in the wrong hands. Though there aren’t federal laws on data breaches that specifically apply to brokerages, there are laws in many states, including Illinois. State law requires companies to notify clients of a security breach and to encrypt or destroy client data companies collect. Yet, a survey by Manta found 1 in 3 small businesses have no type of cyber protections, including encryption, antivirus software or firewalls in place. If your brokerage does not have a data security program in place, the Federal Trade Commission has five simple principles to keep in mind:- Take Stock – Ensure you know what personal information you have on file.
- Scale Down – Don’t hold onto data you no longer need.
- Lock It – Secure the data your business needs.
- Pitch It – Get rid of data you don’t need.
- Plan Ahead – Create a data security plan.
- Back up old emails: Criminals can use keywords from old emails you sent five years ago against you. If you need to hold on to older emails, consider storing them in an external hard drive.
- Use a Password Manager: Everything requires a password now. As tempting as it is to use the same password for everything, recall recent hacks from Best Buy and MyFitnessPal which exposed logins and passwords for their sites. With tens of millions of records exposed, you may not even know that your password for another site is easily accessible on the web. That’s why a password manager, a service that securely stores complex passwords for many sites, is so useful. Many password managers offer a yearly subscription plan that typically costs less than $30.
- Educate Staff: Hackers only need one click on a fraudulent link to gain access to your entire company’s network. Managing Brokers should reiterate the importance of being vigilant and using good judgement online for all staff.
- Hire an IT adviser: Given Illinois’ data laws, brokerages should ensure they are compliant and safeguarded against possible exposure. For a smaller brokerage, using an IT adviser may be a more affordable option than hiring someone full time. An advisor can set up a security plan and perform maintenance monthly, as needed.
- Check to See If You’re the Victim of a Breach: You can type your email address into HaveIBeenPwned.com, a website created by a software developer that checks your account against publicly shared data by hackers.
PROTECT YOUR CLIENTS AGAINST REAL ESTATE CYBER CRIME
A growing scam among hackers is real estate wire fraud, which has cost consumers over $5 billion in financial losses from real estate wire fraud since 2013, according to FBI statistics. In this scam, hackers send an email to a buyer about to close on a home with fake wiring instructions. The perpetrators pose as a real estate attorney, seller, representative of the title company or other trustee to trick buyers into wiring away their savings – and technology has allowed this scam to flourish. One way scammers can accomplish this impersonation is through email spoofing. Spoofing allows a scammer to forge an email address to make it appear that it’s coming from a colleague or client. These criminals can gain access to your company’s network and send an email posing as you if anyone in your office clicks a malicious link. Another less technical way crooks can fool you is by creating an email address that is one letter off from the legitimate one, i.e. “@ChicagoRELATOR.com,” which can be difficult to spot at first glance. If you or a client clicks through a spoofed email, sophisticated criminals may even use company letterhead and forged signatures to make their bogus wire instructions appear more legitimate. The best way to prevent your clients from becoming the victim of wire fraud is by educating them early. Wire instructions rarely change, so tell your clients to always confirm by calling you and the title company before wiring any amount. If instructions do change, they won’t come without a phone call first. More and more of our personal data is being used online every day. News stories detailing hundreds of millions of stolen records continue to grow, not dissipate, so it’s critical for you to ensure you and your clients are protected against costly cyber crime.
As the managing broker of Urban Real Estate, Matt Farrell is well-versed in helping maintain data security. Here are a few of his tips!
ENCRYPT IT
Always make sure that your data at rest is encrypted. This means, anything you save on your computer’s hard drive, a portable hard drive or USB thumb drive should be encrypted. Windows 10 Professional includes BitLocker, which can encrypt your files for you. This also makes it safer when you “retire” your computer, as even deleted files remain encrypted. It is also important that any cloud provider you use for online storage is also encrypting their stored data (not just encrypting the connection). At Urban Real Estate, we have an Enterprise Box account with our own encryption key, so even if Box were to get hacked, the data they have stored is useless, as only we retain the key to unlock it. Box also has an easy integration into DocuSign, so a contract residing in the Box cloud can be sent for signature, and upon execution, immediately updates the Box folder with the completed document.MULTI-FACTOR AUTHENTICATION
Only use services that allow for multi-factor authentication, and make sure you enable this! This means there will be at least two methods required for any new login. Banks often use this to text you a security code that you must use in addition to your password, so that if your password is ever stolen, that hacker would also need your phone. Some of the services you use already allow for multi-factor authentication, including Google Gmail, Office 365 (requires administrator to enable), Dropbox and Box. To really help lock things down, consider purchasing a YubiKey, which is a physical USB key that acts as that second form of authentication. Services like Dropbox have integrated the YubiKey into their services.USE A VPN
If you are going to use a public Wi-Fi network, such as at your hotel, airport or favorite coffee chain, then you should just assume everything you are doing can be seen and captured. A virtual private network (VPN) creates a secure & encrypted tunnel between your computer and your VPN provider’s server. All of the data that you transfer on this public network when using a VPN will be routed through your VPN provider and is encrypted end-to-end. A very user-friendly solution is NordVPN. www.PrivateInterenetAccess.com, is less user-friendly, but one of the best solutions, with servers all over the country and the globe to keep your speed from slowing down (a common VPN side-effect). Dashlane is an excellent password manager that also offers a VPN service to their premium subscribers.