In recent years, the real estate industry (REIT) has seen a rise in digital threats ranging from phishing to email-compromised attacks to breaches. These threats have also targeted builders and others in the housing space.
Consider the hack that targeted real estate and title insurance giant First American. The breach exposed the financial information of 885 million customers and pulled records dating back to 2003. Here are a few other cybersecurity statistics to be aware of:
- More than 50% of cyber attacks target small businesses. While small businesses may not seem as lucrative for hackers as large companies, their security methods tend to be laxer, and hacking them is generally much easier for bad actors. Today, small businesses comprise 13% of the cybercrime market, yet the average small business tends to invest less than $500 in cybersecurity.
- Experts estimate $6 trillion in damages by 2021. This number means that cybersecurity-related damages and costs will account for more than all natural disaster-related damaages in a year.
- Only 10% of U.S. cybercrimes are reported each year. Even though the U.S. is regarded as a technology hub, cybercrimes remain very underreported. This is because they tend to be challenging to solve and even harder to prove.
- There is a ransomware attack every 14 seconds. According to the 2019 Official Annual Cybercrime Report (ACR), businesses fall for ransomware attacks every 14-15 seconds. This is a stunning rate of frequency and drives home exactly how common these attacks are.
When we consider the future of the real estate industry, it’s evident that sound investments in cybersecurity are the only way to secure data and keep customers safe.
Why do Cybersecurity Threats Target the Real Estate Industry?
While a title insurance company, or any business in the real estate world, may seem like an unlikely target for an attack, these threats are actually quite common. After all, the real estate market is worth an estimated $31.8 trillion, and companies within it keep a massive amount of customer data, ranging from social security numbers to financial and banking information. Here are a few of the other factors that make real estate such an exciting target for hackers:
- Real Estate is a Valuable Sector for Hackers.
According to Forbes, “one recent study by IBM put the average value of a single data breach at $3.86 million per company.”
- There’s Plenty of Opportunities.
Real estate involves massive fund transfers happening daily. Because of this, the sector has always been a lucrative target, especially given the fact that it has historically been slow to adopt technology that could prevent hacks.
- There’s Minimal Education Around Tech.
When the real estate agency does attempt to adopt technology, it can inadvertently place them at risk of hacks. According to a recent Forbes article, “One area that is potentially at great risk is that of “smart everything,” with IoT enabled devices connecting HVAC systems, alarms, and even trash cans. The Mirai malware attack in 2016 is an example of the enormous scale of the problem. In this case, insecure IoT devices were targeted, causing a massive internet outage on the East Coast of America.”
- Real Estate Companies Struggle With Visibility.
Despite their best attempts, many real estate companies struggle to develop a full picture of their connected devices, much less secure them adequately. This leaves them vulnerable to ongoing attacks and makes it hard to secure a network sufficiently enough to prevent infiltration.
To prevent ongoing attacks, real estate organizations are scrambling to build programs to meet the best practices of standards like NIST or ISO 27001. These programs close security loopholes and help protect valuable information.
The Rising Tide of Cybersecurity Threats
First American wasn’t alone in being targeted. Back in 2018, a Memphis-based real estate company known as Crye-Leike was wrapped up in an international online fraud and phishing scam. One year before, in 2017, the FBI issued a warning about spiking cyberattacks designed to target real estate companies specifically. According to the Auth0 blog:
“They noted that fraudulent real estate transactions jumped 5,000%, from $19 million in 2016 to nearly $1 billion (US $969M) in 2017. The FBI also saw inbound complaints of cyberattacks related to real estate jump 480% between 2016 and 2017.”
Although cybersecurity threats are becoming increasingly common throughout all industries, the real estate sector is at particular risk, not only because of the factors listed above but also because there is no federal law mandating that these companies must deploy cybersecurity programs. This means real estate data systems are especially vulnerable to cyber-attacks.
7 Ways Real Estate Companies Can Resist Cyberattacks
Considering the risks laid out above, it’s no surprise that every real estate company wants to protect itself from a data breach. In addition to protecting the company in question, these approaches also help customers stay more secure. Here are a few ways local and national companies alike can bolster their defenses and make themselves less vulnerable to a cybersecurity attack, both now and in the future:
1. Develop Standards Around Wire Transfers
Under no circumstances should wire transfers be conducted via email. Email is a very sensitive system. In fact, it’s what initially led to the Crye-Leike beach in 2018. Real estate companies should establish a standard of never wiring funds through email.
This keeps customers and organizations safe from phishing scams and reduces doubt around which practices are legitimate and which are not. While there’s no way to avoid the risks associated with wire transfers altogether, you can educate your customers on top safety approaches, and help make your organization more secure when it comes to wire transfers.
2. Familiarize Yourself With NIST Best Practices
While there's no formal mandate that real estate companies hold themselves to NIST best practices, self-imposing these standards is a great way to maintain security. According to NIST.gov:
“The need for cybersecurity standards and best practices that address interoperability, usability, and privacy continues to be critical for the nation. NIST’s cybersecurity programs seek to enable greater development and application of practical, innovative security technologies and methodologies that enhance the country’s ability to address current and future computer and information security challenges."
More information on NIST best practices can be found on NIST’s website and in their blog. The more you learn about NIST best practices, the better equipped you will be to protect your organization both now and in the future. Because NIST best practices change as cybersecurity threats continue to change, you’ll want to keep up with shifts as they take place.
3. Invest in a Cloud Security Platform
While many real estate industry companies are already digital, many are still using physical paper and filing systems. By just moving their data to the cloud, these organizations could enact multiple security advantages, ranging from distribution to greater behavioral insight and threat detection. This is one of the simplest ways to ensure cybersecurity, as well as being one of the easiest.
4. Practice Good Email and Password Hygiene
This may seem simple, but it’s one of the most potent ways to resist attacks and keep an organization secure. Here are a few things the National Association of Realtors (NAR) recommends to real estate companies who want to prevent cyberattacks:
- Use encrypted email, a transaction management platform, or a document-sharing program to share sensitive information.
- Never click on unknown attachments or links, as doing so can download malware onto your device.
- Carefully guard login and access credentials to email and other services used in the transaction.
- Regularly purge your email account, and archive important emails in a secure location.
- Use long, complicated passwords such as phrases or a combination of letters, numbers, symbols.
- Do not use the same password for multiple accounts.
- Consider using a password manager.
- Avoid doing business over unsecured Wi-Fi.
- Use two-factor authentication whenever it is available.
While organizations can always benefit from practicing these things, it’s not enough to implement them inconsistently. For these measures to be effective, the entire team must be on board. This may require ongoing training or education sessions to ensure such an outcome.
5. Involve the IT Team
In addition to onboarding team members to ensure an organization’s cybersecurity, the IT team must be working for the cause as well. Here are a few ways to ensure that your entire team is on the same page:
- Maintain antivirus software and firewalls. Keep both active and up-to-date.
- Update operating systems and programs on a routine basis, according to manufacturer standards.
- Back up critical data regularly. Be sure also to back up applications, systems, and other information, and keep it separate from your online operations.
- Avoid downloading apps before verifying that they are reputable and legitimate, and will not inadvertently introduce malware or privacy concerns to your network.
- Educate team members about good link policies - specifically, that team members should avoid clicking on links from unknown senders.
- Before hiring an external IT provider, review their privacy policies and contracts to ensure that they do not place your organization at more risk.
6. Work With Your Attorney
To ensure as much security as possible for your real estate company, work with your attorney to develop a written disclosure warning your clients about the possibility of cybercrime affecting their transactions. While this disclosure may seem alarmist, the point of it is to protect clients as much as possible. In this disclosure, advise them against wiring money without first confirming the wire instructions via phone call.
Additionally, your organization will want to stay up-to-date on your state laws, which may impact your handling of personally identifiable information, as well as the development of cyber and data-related business policies. Specifically, focus on establishing and implementing the following procedures:
- Document Retention and Destruction Policies
- Cyber and Data Security Policy
- Breach Response and Breach Notification Policy
Finally, make sure all of your staff and employees have renewed their licenses and are following all implemented policies. You should also review your insurance coverage and check whether cyber insurance coverage is available for your organization. Since cybersecurity breaches can be catastrophically expensive, this is a wise avenue to explore.
7. Use Proprietary Solutions
Instead of using services from free providers (emails from Gmail or Yahoo, for example), use proprietary solutions instead. This makes it much more difficult for hackers to impersonate you and create similar emails to people within your organization.
Create an email with your company’s domain name. Keep in mind that even if you do that, all email services can be hacked. While proprietary services offer some powerful cybersecurity measures, no proprietary service is exempt from all security threats. Because of this, you must always stay vigilant about protecting your accounts.
The Future of Cybersecurity in Real Estate
While the real estate industry continues to grow, cybersecurity will continue to be a primary consideration. Fortunately, companies that take proactive steps to secure their digital information will be less vulnerable to attacks and hacks than their counterparts. In the real estate industry, specifically, cybercrime remains a significant and increasing threat. It’s also a particularly difficult threat to confront. By doing simple things like familiarizing yourself with NIST best practices, protecting your wire transfers, and investing in powerful cloud security, you can decrease the likelihood that your organization will be hacked, or that your customer information will be compromised.
Need Help Organizing Your Cybersecurity Program?
Apptega provides software that can help you build, manage and report your cybersecurity program based on 12+ compliance standards. Apptega helps to simplify the complexity of these frameworks, eliminate spreadsheets and help you document and report on your organization’s change and configuration management as part of its overall plan. Plus, with Apptega's intelligent framework mapping solution, Harmony, you can see how your controls overlap other frameworks you are required to follow like ISO 27001, SOC 2, PCI, NIST, HIPAA, GDPR, CCPA and more.
Contact us today to set up your free trial.