by Richard Hanson, JigsawTek
Technology is the cornerstone of your business, and knowing how to apply the National Association of Realtors (NAR) Cybersecurity Checklist is crucial to the security of your clients’ private information. Hackers are getting more sophisticated and targeting your business through wire fraud, phishing, business email compromise and malware. FBI reports show real estate wire fraud alone has nearly tripled in the past two years. Working with a technical expert to put up a secure firewall, secure your technology and set up your IT services properly is critical to your success. Let’s take a closer look at your NAR Cybersecurity Checklist.
“Don’t just click.”
Create Your Culture of Awareness
According to Verizon’s annual Data Breach Investigations Report, in 2019, 94% of malware was delivered by phishing emails. Unfortunately, many people click. Hackers create emails with a sense of urgency from familiar brands you trust and recognize.
So, if you get something from Amazon, how do you know if it is legit or phishing? A cybersecurity awareness training curriculum and phishing simulation policy throughout your agency, and any other companies you may own, reduces clicking on phishing emails. That’s because an awareness training program makes people better at recognizing scam emails, which means you have a workforce trained to recognize and report suspicious behavior.
Cybersecurity awareness training companies have access to thousands of simulated emails—from free donuts, to banking information and emails that can be customized to look like they come from a trusted friend. Simulated emails can even be sent by level of difficulty and ease of recognition.
Also, educate your buyers with a cybersecurity training package with videos and information on wire fraud specifically. While you may already have them sign a wire fraud advisory, taking this extra step of awareness education is even more effective.
Add More Layers
Along with awareness training, get an email safety tool, such as Trustifi. This simple add-on to your Outlook or Gmail analyzes emails for you and lets you know if there is something suspicious in the email itself or in the chain of header attributes that are hidden from you but used to move the email through the internet. You can provide this tool to your buyers as well, and it will allow them to send you encrypted emails and encrypted documents during the entire timeframe of the transaction.
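The kind of hidden-header check described above, as an added example (it is not part of the original article and is not Trustifi's own logic). The sample message, its names and domains, and the function `header_warnings` are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a fake "wiring instructions" email (names and domains are made up).
SAMPLE = """\
From: "Sunrise Title Co" <closings@sunrise-title.example>
Reply-To: closings@sunrise-title-closings.example
To: buyer@mail.example
Subject: URGENT: updated wiring instructions
Authentication-Results: mx.mail.example; spf=fail smtp.mailfrom=bulk.example; dkim=none; dmarc=fail header.from=sunrise-title.example

Please wire the closing funds today to the new account below.
"""

def domain(addr):
    """Return the lower-cased domain of an address header, or '' if absent."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def header_warnings(raw):
    """List the header anomalies a reader never sees in the normal mail view."""
    msg = message_from_string(raw)
    warnings = []
    from_dom, reply_dom = domain(msg["From"]), domain(msg["Reply-To"])
    # Replies silently going to a different domain is a classic BEC sign.
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"reply-to domain {reply_dom} differs from sender {from_dom}")
    # Only trust Authentication-Results added by your own receiving mail server.
    results = msg.get("Authentication-Results", "")
    for check in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{check}=(\w+)", results)
        verdict = m.group(1).lower() if m else "missing"
        if verdict != "pass":
            warnings.append(f"{check} result is {verdict}")
    # A wire request combined with any anomaly calls for out-of-band verification.
    if warnings and re.search(r"\b(wire|wiring)\b", msg.get("Subject", ""), re.I):
        warnings.append("wire request with header anomalies: verify by phone")
    return warnings

if __name__ == "__main__":
    for line in header_warnings(SAMPLE):
        print("WARNING:", line)
```
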
Encryption and Beyond
Simply encrypting email is not enough. For encryption to work, the receiving side must also be encrypted using the same technology. As a real estate professional, you work with companies outside of your control. Add to this buyers or sellers who may not understand the importance of email encryption, and you have a dangerous exposure point.
Your Transaction Platform Explained
Of course, regular email is the most convenient, but it is also where you are likely to be hacked. Instead, move documents through a secure transaction management platform or a secure document-sharing platform like ShareFile. Typically, the receiver needs to log in to a cloud-based product to download or view the file, but the files can be managed and heavily controlled without exposure. Use this platform to communicate with your customers privately and exclusively. This means no more sending information back and forth over unsecured regular email, and all communications go through a protected portal.
Remember Good Email Habits
If you choose to use regular email, then have your emails branded and use a specialized signature on all of them. This helps to make a strange email stand out to your client.
Regularly purge your old emails and archive important emails in a secure location. This helps to protect any historical information you may have if a hacker is able to get into your email account. This will move those emails out of your account and keep them accessible from a local resource.
A secure location is an encrypted drive or cloud storage area that is not built into your computer. This can usually be achieved by implementing creative rules for your inbox.
Yes to DocuSign
There is an option for California-based Realtors® membership with The California Association of Realtors (CAR) which includes an agreement with DocuSign to provide a platform for protected contract signatures. This is a very good offer and has a specific focus on protecting real estate transactions. It is a good step toward protecting your client’s information and should be a part of your overall cybersecurity platform.
Documents shared between agencies should follow the same rules as those shared between an agency and its client.
Secure Your Passwords
To “carefully guard” logins and credential access is a subjective term. What one person considers “carefully guarded” will not be the same to others. The more you have everyone committed to transaction security, the stronger protection you have.
It is unreasonable to think anyone can keep track of 30+ unique passwords that are not familiar items to them and that have symbols, numbers, capitals and lowercase letters. While it is true that you should have a different password for each account, it is unthinkable to do this without a password manager.
Use A Password Manager
A robust password manager generates complicated passwords for each login, but you should still commit to changing your passwords every 60 to 90 days. Free password managers, such as LastPass, maintain website logins for an individual. Business-focused password managers, like Keeper Business, also allow you to maintain other types of information such as payment methods, additional notes and custom fields. Keeper also performs dark web scans on your logins and identifies logins that may be in jeopardy of exposure. Finally, Keeper also provides a shared vault among specifically identified members so certain logins can be shared amongst a designated group of trusted members.
Maintain Good Password Habits
Repeating passwords (and not changing them) is one way hackers get into your sites. They may have an email and password from one site, and if you use the same email and password on your banking site, then hackers get access there too. Use long, complicated passwords such as phrases or a combination of letters, numbers and symbols.
The longer the password, the harder it is to break (and a reason those password managers are the best for generating tough passwords).
Use Two-Factor Authentication
Many sites that handle money or sensitive information have two-factor authentication available, but it may not always be required or on by default. Check to see if it is available on all sites you log in to and turn it on if it is. You may also use a tool like Duo that provides two-factor authentication for many situations that do not already have it. Two-factor authentication should be used because it prevents someone from getting into the site without your knowledge and approval.
Avoid Public, Unsecured Wi-Fi
Agents are in the field most of the time (it could be a client’s house, a Starbucks or other uncertain Wi-Fi) and do not have a lot of control over the Wi-Fi networks they need to use. These networks are not just unsecured, but poorly secured as well. So when in the field, agents absolutely need to be using a VPN like NordVPN to ensure all communications are encrypted throughout all transmissions, including on the iPhone or Android you use for business tasks. Always use a secure VPN like NordVPN for both transactions. Wi-Fi works similarly to radio waves. If you are transmitting over unsecured Wi-Fi, someone with the right receiver can read everything you are doing. Hackers stalk places like Starbucks for this very reason.
“Keep all technologies up-to-date.”
Keep Antivirus Software and Firewalls Up-To-Date
Your antivirus must have advanced scanning with artificial intelligence in order to help protect against newly discovered “zero-day” attacks and otherwise as yet unidentified malware. Malware that is effective today has figured out how to avoid being captured by traditional anti-virus software and spam filtering. Additional tools like Huntress scan deeper for items that make it past your antivirus and have live human support to resolve any threats.
Firewalls are the first line of defense for your computer or network and should be managed and maintained by an IT professional with a strong background in network security.
System Backup and Recovery
Your data should be backed up no less than daily and stored away from your physical site or equipment. An even better solution is to have a disaster recovery plan before you need it and have a situation that will allow you to recover from ransomware or a physical issue with your building or equipment within minutes.
Encryption is a Must
When setting up your computer, you should make sure that data encryption is turned on for all your hard drives. If you are using Windows 10 Home, this requires your hardware to meet specific standards or you must have a third-party product like BitDefender Disk Encryption. For Windows 10 Pro users, BitLocker is turned on by default, but you need to make sure you collect the unlock information because without that you cannot use the disk on any other device. For Apple Mac users, you must turn on FileVault for encryption to be enabled.
Use Caution with Downloads
Only use known secure sites to download apps. Verify downloads are legitimate and not installing malware or breaching privacy. To do this, use web-filtering products like WebTitan and Webroot to keep track of unsafe sites and protect users from unsuspectingly visiting a site that might introduce malware. Also, have a malware scanner like Malwarebytes on your iPhone or Android devices to identify installations that may have malware.
Review IT Privacy Policies
There are many IT providers for all of the IT services mentioned in this article. Before you hire any IT professional, review the applicable privacy policies and contracts with your attorney. This is always a good idea; a good provider should not have any issues with service contracts or modifying their agreements to meet any concerns your attorney may have to further protect your technology interests.
Just as real estate agents are stewards for buyers and sellers, your IT provider is a steward of your client data and information and, as such, should have a very strong ethic for keeping your data protected. They should be working for you in your best interest, while understanding that you, as their client, make any final decisions.
“Work with your attorney and an IT professional.”
NAR’s Wire Fraud Email Notice Template
This is a good and necessary reminder for clients about the possibility of cybercrime. It is best to have a proprietary wiring instructions template that is used to communicate any wiring instructions to buyers through an encrypted email vault. Included on that should be an obvious statement that reads “DO NOT EXECUTE WITHOUT VERBAL VERIFICATION.” Then inform the buyer that you will not send wiring instructions in a plain email, ever. They should only get wiring instructions through the vault using the custom template you have designed.
Develop and implement the following policies:
Cyber and Data Security Policy
Include a qualified IT professional when creating your security policies. This ensures you have all areas covered, with policies in place for personal and business devices, email, web browsing, Wi-Fi security, data encryption, and data backup and protection.
Breach Response and Breach Notification Policy
Your qualified IT professional will work with you to create a business continuity and disaster recovery plan before a breach happens, setting out how you should handle the situation. It is their responsibility to work with you to implement it, and this influences the kind of tools you use within your organization. Ensure that your staff and licensees have reviewed and are following all implemented policies.
Cyber Insurance is Good Protection
Having cyber insurance is kind of like having life insurance even though you have health coverage. The plans that CyberPolicy and RealtyCyber offer are specific to real estate agencies and tend to cover the transaction, not just one party. They are different from most cybersecurity insurance policies and should be considered in this industry as part of a backup plan to complement other technology measures put in place.