It seems like a week doesn’t go by without a company announcing it experienced a cyber attack, often with dire consequences for its bottom line and stock price. The security company Symantec reports that more than 500 million personal records were lost or stolen in 2015.
And while small- to medium-sized businesses may not face the $4 million average cost of a data breach that larger firms do, the costs in terms of revenue and time lost can be substantial for any business, including those in real estate.
Experts say it’s not a matter of if a business will be attacked, it’s when the business will be targeted. Although there’s a good deal of fearmongering in the information security industry about the need for hardware and software to protect against threats, smart real estate businesses are taking steps now to reduce their vulnerability to attack.
Threat Level: Red or Green?
Security experts say that real estate businesses face essentially the same cybersecurity threats that other businesses do. And while it may seem like good news that the industry doesn’t face a heightened risk of targeted attacks, many firms store the same personally identifiable information (PII) that other businesses do, making them just as vulnerable as an entity like Target.
“Ultimately it’s all data,” says Mark Stamford, founder and CEO of OccamSec, an information security and risk management company. “The PII stored by a real estate firm is similar to the PII stored by a retail organization. The difference is in how that data is used, and how disrupting that usage can affect revenue.”
That said, Stamford says there are some differences between types of real estate companies when it comes to information security. “An organization involved in residential property is going to be concerned about protecting information provided by property buyers (banking information, etc.), while a commercial real estate firm may be more concerned with protecting deal information. This should be taken into account when defending that data and those processes,” he says.
How concerned should investors, property management firms and other real estate companies be about information security? The answer depends on how much the company relies on internet technology and what assets it needs to protect. Firms with potentially salable information (Social Security numbers and credit card information, for example) are at a greater risk of being hacked, according to Stamford.
“As more real estate organizations store personal information about clients online, the more attractive a target they become,” Stamford says.
Sometimes hackers don’t come to steal data but to hijack computers and other devices to attack another company, according to Andrew Plato, owner and CEO of Anitian, a security intelligence firm.
“We had a client a few years ago who got hacked, and their computers were used to commit advertising fraud,” Plato says. “The hackers were part of a group that was raising money for terrorist organizations in the Middle East. This company was unintentionally helping to fund terrorists. There are sophisticated groups that carry out hacking activities for all manner of illegal activities.”
Reasonable Precautions Against Hackers
According to the Online Trust Alliance, a whopping 90 percent of data breaches it examined were preventable. This suggests that taking prudent precautions against cyber intrusions should make it possible for hackers to look elsewhere for data to steal, according to Stamford.
“Unfortunately, security is still very much about not being able to run faster than the bear, but just being able to run faster than the other guy,” he says. “Attackers will often go after the lowest-hanging fruit, so in whatever industry you are in, if you are the weakest from a security perspective, you are the most likely target.”
Here are some common sense practices from Stamford, Plato and other experts that real estate firms could adopt to minimize their risk of being hacked:
• Have a security policy that will be adhered to, Stamford says. Inform employees that information security is to be taken seriously.
• Control access to data. “The single most effective way to protect anything is to limit access to only those people who must have it,” Plato says. “Never share passwords. Never share user accounts. And protect your user identities at all times.”
• Keep computer systems updated and run a reputable anti-virus program such as BitDefender or Symantec, Plato says.
• Don’t click on links in an unfamiliar email. According to Trustwave, 5 percent of spam contains a malicious link or attachment.
• Become familiar with good information security practices. There is a wealth of information online, including information from the Department of Homeland Security and antivirus companies like Symantec.
Real estate companies that don’t feel confident about setting up basic cyber security measures can call in experts like Stamford or Plato to assist. “When to bring in a third party will depend in a large part on how much an organization determines they are potentially exposed by the use of technology. If the likely impact of a breach or attack is going to exceed what it would cost to bring in someone to improve the level of security, then the third party should be engaged,” says Stamford.
Plato adds that cyber security is simply one of the costs of doing business in 2017. “You would not think of buying a house without door locks or windows, so the same applies to a computer system. You need to put these controls in place to safeguard your business,” he says.
Is Cyber Insurance the Answer?
According to the National Association of Insurance Commissioners (NAIC), standard liability policies do not adequately cover business losses from most forms of cyber attacks, and a special cyber liability policy is required for coverage. While many insurance carriers are offering these policies, questions remain about their usefulness and what they cover.
The NAIC says that coverage is determined by the type of business. “As a result, policies for cyber risk are more customized than other risk insurers taken on, and, therefore, more costly,” the association says on its website.
Stamford says that the cyber insurance industry is still in its “infancy.” “If an organization believes the cost of a breach is going to be severe, then yes, insurance may be a worthwhile investment,” says Stamford. “Insurance tends to cover items such as breach notifications and identity theft monitoring.”
Stamford adds that some companies erroneously believe that “they can just insure their risk away, which is not the case.” Businesses won’t be reimbursed for losses if they haven’t met minimum security requirements, explains Stamford.
While cyber insurance may not be a must-have for real estate businesses, an ounce of prevention today will go a long way toward preventing ontline threats from becoming actual break-ins. “Given the growing reliance on technology, the organizations that realize this sooner are likely to fare better in the long run,” Stamford says.