Today, we’re talking about a topic that doesn’t often come up in conversations despite its importance – cybersecurity in real estate and what steps real estate professionals can, and should, take to protect their businesses online.

In the last week alone, ransomware attacks on the meat supplier JBS, Fujifilm Corporation, and Cox Media Group shutdown operations. These follow the Colonial Pipeline attack last month, which disrupted the global economy, and countless other attacks, which have been on the rise for years and increased sharply after the pandemic pushed us to spend even more time online. Back in 2018, KPMG spotlighted cyber risks for the real estate industry, saying the probability an organization would experience a material data breach in the next two years was 26% and the average total cost of a data breach was $4 million. What’s more, malicious attacks weren’t the only cause of a data breach, though they were the most common. The KPMG report cited data from the Cost of a Data Breach Study by Ponemon Institute and IBM, which outlined the most common causes of a data breach as malicious attacks (responsible for 48% of breaches), system glitches (27%), and human error (25%).

So what can real estate companies, regardless of their size, do to protect themselves against material breaches, whether caused by cyber attacks or not?

Here are a 16 steps to protect your real estate business against cyber attacks and data loss:

  1. First and foremost, have a cybersecurity policy and regular training in place for employees. The National Association of Realtors provides cybersecurity guidance for real estate on its website, as well as a CyberPolicy partner page that provides details about cyber liability insurance available through the REALTOR® Benefits Program.
  2. Email continues to pose the greatest risk. Train employees to avoid clicking on or downloading unknown attachments or links, as that’s one way malware is downloaded onto their device. In general, all emails should be scrutinized closely and if an email looks suspicious, it should be deleted immediately. When in doubt, it’s always better to call the sender to verify if and what they sent you.
  3. If possible, use encrypted email, a secure document sharing program, a reputable transaction management platform, or a secure Intranet (or a combination of these) to share sensitive information.
  4. SMS or text messages should be treated with the same caution as email. Like with email, avoid clicking on links in text messages unless you know the sender and the message appears to be legitimate. Again, when in doubt, call the sender instead of clicking a link or downloading anything from the message.
  5. Avoid emailing login and access credentials to your email and other services.
  6. Use strong passwords with a combination of letters, numbers, and symbols. Use unique passwords for different websites/applications and consider using a password manager if needed (though weigh the risks vs. benefits as there is inherent risk in using password managers as well, no matter how well regarded).
  7. Consider using two-factor or multi-factor authentication whenever it is available. Make sure to use your mobile device for one as, though it may be surprising to some, mobile devices are more secure than desktop computers.
  8. Whenever possible, avoid doing business over public, unsecured Wi-Fi networks (and even public, secured Wi-Fi networks) as they are easy to hack into. If/when you login to a public Wi-Fi network, make sure to turn off the auto-login feature so you have to manually log back in the next time you need to connect to that network. That keeps your device more secure as you aren’t connected to different networks to which you may not even realize you’re still connected.
  9. Consider using a VPN (virtual private network) for all of your employees and all of their devices. A VPN further protects your data and other communications.
  10. Avoid downloading apps on your phone or tablet that didn’t come with your phone. If it’s absolutely necessary to download them, do so through authorized app stores like Google Play and Apple Store only. Read the app’s privacy policy and make sure you’re not granting it access to data it doesn’t need to perform its stated functions.
  11. Install and keep antivirus software and firewalls active and up-to-date on all devices, including mobile devices, which are often overlooked even when desktop computers have protections in place. In addition, ensure your operating system and programs installed on your devices are patched and up-to-date. Patches are important because they fix security flaws and other software weaknesses that cybercriminals love to exploit.
  12. Regularly back-up critical data and keep backed up data separate from other applications.
  13. Stay alert and always question the tools you and your team are using. Widely known, reputable, and popular apps and platforms are often the targets of cyber crime and while using some of these are necessary to do business, it’s smart to add your own protections and not assume the app has the proper security in place for their users. Zoom is a great example of a popular application that was exploited.
  14. When engaging third party providers, especially to provide IT or digital services, review their privacy policies and contracts closely, preferably with your attorney.
  15. Ask your insurance agent about cyber insurance and whether you need anything like a social engineering fraud endorsement or computer and electronic crime rider (C&E Crime Rider). The National Association of Realtors has a CyberPolicy partner page on its website that provides details about cyber liability insurance available through the REALTOR® Benefits Program.
  16. The best protection against cyberthreats is knowledge. Cyber-smart employees are your first line of defense against hacking. Incorporating cybersecurity training into your business operations can be the difference between preventing an attack before it happens or experiencing a breach.

There are a lot of really great resources out there on cybersecurity training and best practices, including on the Data Privacy & Security page of the National Association of Realtors’ site. As always, we’d love to hear from you about your experiences or answer any questions you have.