As cyber-attacks become more prevalent than ever, cybercriminals are actively targeting industries that are in possession of the greatest quantities of sensitive information. When it comes to massive amounts of personal information, the real estate industry is a veritable treasure trove. Buyers and sellers must provide large amounts of personally identifying information and financial data as part of routine real estate transactions. If you then factor in the presence of multiple third parties like loan processors, title agencies, and others, then you have the data security nightmare of large amounts of data at rest, frequent data transmission, and stored data in the hands of vendors that must all be adequately protected.
The Verizon Mobile Security Index showed a 22% increase in so-called "major" cyber attacks in 2022 compared with the prior year, and other research has revealed that 75% of enterprises in the real estate industry that participated had experienced some form of a cyber incident in the last 12-15 months. That data alone shows that bad actors have recognized the worth of the information in the hands of real estate companies and are doing their best to gain access to it. We'll help you understand the risks that are specifically facing this sector and provide tips on preventing real estate industry cyber threats.
Common Attack Vectors
Much like any other potential victim, there are so many possible threat vectors that you have to secure your data from that it can be overwhelming. While any cyber attack is possible, there are a handful that is most commonly used to target real estate companies. That can be for various reasons, whether ease of use, the potential for success, or unique vulnerabilities, but knowing an attacker's likely tactics will help you shore up your security posture better.
Phishing
Social engineering scams like phishing are easily the most popular cyber-attack. It is a cheap, easy way to contact many targets, and even if only a small number of them fall for the scam, the possible upside for cybercriminals is immense. Phishing emails, smishing text messages, and vishing phone call all prey upon unsuspecting employees in an attempt to dupe them into taking an action beneficial for the attackers. This could mean inadvertently downloading malware, changing wire transfer instructions, or compromising important login credentials.
Spear phishing can be even more devastating because it targets a specific individual using information obtained by the attackers to make the phishing appear more legitimate. While this increases the work necessary to launch the attack, it also increases the chance of success. This could be as simple as spoofing an email domain to appear to come from an internal account that the employee was expecting instructions from, or it can be as complicated as obtaining client information from places like social media accounts, calling and posing as the client, and then altering payment details to an account controlled by the attackers.
Lost or Stolen Devices
Real estate agents live a mobile lifestyle. Most spend a disproportionate amount of time outside of the traditional office setting and have the associated mobile devices to support this work environment. Mobile phones, tablets, laptops, and other smart devices are critical to the profession, and the cyber risks posed by their loss or theft of them are equally immense. Improperly stored login credentials, client information, lax password security, and more can lead to larger data breaches impacting other agents or even the entire brokerage if a data breach results from a device compromise. Then consider the implications of a real estate company managing a large residential apartment complex and how much data they stand to lose in a similar event.
Ransomware
The digital nature of modern real estate transactions means that the loss of access to computer systems for real estate companies is a major threat. By preventing real estate industry cyber threats, you reduce the likelihood of falling victim to a ransomware attack in the first place. Most ransomware incidents result from a malware infection rooted in a phishing attack, but other attack vectors like outright hacking or third-party software security risks exist. Ransomware is an increasingly popular cyber attack; the real estate industry is not immune to that threat.
Business Email Compromise (BEC)
BEC is a real challenge for the real estate industry because of the decentralized nature of their work. When attackers take over an internal email account, they gain access to everything stored inside and the ability to potentially alter numerous transaction details, including wire transfers of substantial funds. A compromised account can take time to uncover, and undoing the damage can take even longer.
Enhancing Your Security Posture
With so many angles to cover, what are some of the best ways for preventing real estate industry cyber threats? Implementing some of our recommendations will allow you to firm up your position and prevent or mitigate damage from a number of known cyber risks.
Foster a Culture of Awareness
Raising awareness of cybersecurity's importance is the first step of any meaningful program. Structured training and realistic exercises can help drive home the signs of a data breach or an attempted attack. With the information needed to recognize strange behavior on devices or emails with last-minute, uncommon changes, your agency will be better protected when staffed by a more informed workforce.
Implement an Incident Response Plan
This is a recurring theme in any article where we review best practices or cybersecurity in general. It is an absolute necessity to come to the realization that it is only a matter of time before your enterprise will end up in the sights of a cybercriminal and to adequately prepare for that day. This means developing an incident response plan and preparing your personnel for implementing it. They need to know who to contact, when, and what steps to take and not to take. When something as simple as restoring the system to an earlier state can have disastrous implications, a written plan with a dedicated internal response team and an external team of subject matter experts can make all the difference.
Purchase Cyber Insurance
Cyber risk or cyber liability insurance can be the difference between life and death for your real estate organization. Smaller policies are available to individual realtors and should be encouraged, but enterprise coverage should be noticed. Potential damages can reach extreme levels before even looking at possible civil liability.
Evaluate and Restructure Your Sensitive Data
This step is so critical for the real estate industry that the National Association of Realtors (NAR) provides specific guidelines. Take stock of the PII and other sensitive data you possess and determine if it is something you truly need to retain. If it is, then it must be secured per NAR standards, which means encrypted behind strong passwords with firewalls in place. If it is not essential information, you should dispose of it securely so that it can't be recovered or reconstructed. This goes for information held by your third and fourth parties as well.
At Venture Lynk Risk Management, we provide a host of risk management services to those industries that are the most in need. We employ experts in everything from cyber security to vendor risk management and intellectual property risk management. We service real estate, construction, finance, health care, and government organizations, and we make it our mission to develop a comprehensive plan to address whatever risks you are facing. Schedule a consultation today to see how we can improve your situation.