Worried About A Tech Breach? 26 Ways To Minimize Your...


Worried about a tech breach? 26 ways to minimize your risk

Suggestions for brokerages and individual agents from real estate tech experts

BY AMBER TAUFEN

AUG 2

Key Takeaways

Use different (strong) passwords for every account; don't log onto public Wi-Fi; never leave your devices unattended.

Training employees on email and physical security best practices is a good investment for real estate companies.


Now that we are living so much of our lives online, the risk of identity theft and data compromise — which has always been around — has increased by leaps and bounds.

Hackers can install malware on your devices from across the world, holding your personal information for ransom, or send an email from “your” email server to your buyer clients instructing them to wire their earnest money payment to a different bank account.

Sometimes they target entire companies.

And if large companies like Yahoo, Sony or even Keller Williams are unable to prevent breaches, then what chance do you have?

Some. At least according to tech security experts who specialize in real estate. And the more security measures you take, the better your odds of escaping a hack attempt unscathed.

“There’s no such thing as ‘secure,’” noted Matt Cohen, principal consultant at real estate software and consulting firm Clareity. “It’s just like when you buy a safe; they’re rated in minutes to show how long it would take someone to break into the safe, and there is no ‘infinity-minute’ safe that takes forever to break into. It’s about reducing risk, not about eliminating all risk.”

Here’s a summary of suggestions for how to reduce your own risk, both for individual agents and larger enterprises.

For individuals

1. Care enough to take action

“This stuff is real, it’s not made up,” noted technology educator Juanita McDowell. “What tends to happen is, someone waits until their friend or company has this identity theft crisis and then says ‘Oh my gosh, I’d better start doing something here.’”

But it’s probably better to lock the barn door before all the livestock escapes — right?

2. Strengthen your password game

We know: Passwords are annoying, and there’s no humanly possible way to remember 800 different passwords for all your different logins.

However, if (like many technology users) you are reusing the same password for a bunch of different platforms — stop it.

Alex Camelio, another real estate tech educator, notes that if a tech breach at a big company leaks your user name and password, that’s probably not a big deal … unless you use the same password elsewhere.

“What they do is use that user name and password to immediately go after your email, banks — everything you can imagine,” he noted. And if you’re recycling passwords, they just might get in.

“If you are a victim of a hack in any way, the first thing to do is change every password of any associated account,” said Craig Grant, CEO at the Real Estate Technology Institute. (Grant also teaches tech best practices with McDowell and Camelio.)

“Most people just focus on the one company that gets hacked,” he added, “and they don’t think about other platforms where they use the same or a similar password.”

Password vaults are one option, but those are also hackable. Camelio suggests this memory trick: Invent a strong “base” password with lowercase and capital letters as well as numbers and special characters, and then append a “trailer” to that strong base for every website. (So, for example, maybe your Twitter password is p@S$w0RdDorsey and your Facebook password is p@S$w0RdZuckerberg — that said, please don’t create a “strong” base password out of the word “password.”)

3. Implement two-factor authentication

Google offers this for its email platforms, and Facebook and Twitter also give users the option of two-factor authentication.

Two-factor authentication adds an extra step when you’re logging into an account on a new device — typically a text message is sent to your mobile device with a code to complete logging in. Your hacker would need access to your phone in order to get into your account, and since a malicious stranger is not likely to have physical possession of your smartphone, two-factor authentication can keep your accounts safer.

You’ll also get a notification when anyone logs into your accounts from a new device.

4. Be wary clicking links or downloading attachments when checking email

One easy way to keep yourself safe, Grant says, is “don’t click on anything anymore.”

He means it, too. “Unless you know it’s 100-percent legit, clicking on any link in any email or text message is dangerous these days,” he added. “A lot of people are using your own friends list against you.”

What to do instead? Hover your mouse over a link to see where it redirects — or Google the link and find it via the search engine instead.

And most definitely do not download strange attachments either.

5. Back it up

Ever heard of “ransomware”? That’s what the “WannaCry” attack earlier this year was. It held files “hostage” until victims paid a ransom for their files.

“What that’s playing on is that people don’t want to back up their data because they don’t understand the importance of it,” McDowell explained. But if you do regularly back up your data, then your files can’t be held for ransom … because you still have them all.

6. Reconsider free Wi-Fi

“Public Wi-Fi is the easiest way on earth to get hacked, and I can’t tell you how many Realtors work out of a Starbucks,” Grant said. “That’s a prime location for a hacker; think about how many people a day jump into a Starbucks to get coffee and use their computer.”

“Absolutely, positively never ever get on a free Wi-Fi network,” agreed McDowell. Both Grant and McDowell suggest using a personal hotspot when you’re out in public.

And remember: the more people that are likely to be on a network, the greater the risk. “It’s always a numbers game,” explained Grant; you’re likely a lot safer logging onto the Wi-Fi on your flight than you would be connecting to the airport’s free network while you’re waiting to board because there are fewer people who have access to the plane’s Wi-Fi than the airport’s Wi-Fi.

The point is, it might be free now, but it could cost you later. “The reality is, these days — to be safe — you have to spend some dollars,” Grant added.

7. Invest in a strong anti-virus solution

It’s a huge misconception that any computer comes with “built in” anti-virus protection, experts say. (And that includes your iPhone!)

“Having good anti-virus solutions on every device — not just your computers, but also your mobile device — is important,” Grant said.

“In my data security classes, you’re not allowed to call it a phone,” McDowell said. “You call it ‘a mini computer that happens to have a phone function.’”

8. Vet your vendors

When Grant sees a real estate agent using a Yahoo email account, he has to wonder what they’re thinking.

“Yahoo was always bad at security, and they had a big breach and didn’t admit it,” he noted. “If you’re still using an AOL or Yahoo email account, it could come back to bite you.”

Try Google instead. “Google isn’t only good at security, they create almost every single security protocol — they invented two-factor authentication and tokens,” Grant added. You can sign up for a domain-specific Google email account for $50 a year, or just use the free @gmail.com domain, and take advantage of all Google’s resources — it can replace less secure file-sharing options (like Dropbox) with its Drive features, too.

Just a little bit of research on that vendor and how it treats security can save you a big headache down the line.

10. Arrange for alerts if something happens

A credit-monitoring service might sound like overkill — but it will let you know if and when someone is trying to use your personal information to create a new account. So if you’re worried that your data might already be “out there,” think about it.

Keller Williams is offering a free year-long membership in Experian IdentityWorks for any associates whose information might have been compromised in its recent breach.

11. Don’t leave your devices unattended

“I’m in the library a lot,” McDowell noted, “and somebody gets up to go across the way, and they don’t take their phone or computer with them. Now you’re setting yourself up because someone could sit down and put spyware on your computer that they know how to do in less than 30 seconds.”

It sounds obvious, but it still bears mentioning: Don’t do that.

12. Update, update, update

You’re not necessarily getting that update notification just because Apple or Microsoft thought you needed a cool new feature.

Update your operating systems as soon as an update is available. “I can’t emphasize that enough,” McDowell said. “They might know about a virus that you don’t know about,” and the update includes the patch. So use it!

13. Slow down!

All of these scams are preying on one common reality: Everyone is in a hurry and has little energy to spare to pay attention to details.

So taking some time to slow down and consider the email you just received could be one of the biggest ways you can reduce your risk.

“If you slow down, you might notice that the link isn’t really the right link, that there are spelling and grammar errors that aren’t normal,” Grant said. “That’s a huge thing anyone can implement without being a geek.”

For companies

14. Encrypt

If it’s necessary for you to keep sensitive information — like passwords or Social Security numbers — then it’s a good idea to encrypt them. “Any system I’ve ever built, even if you got in, you couldn’t get the passwords,” Camelio explained. “Even if someone could get to them, it’d be a bunch of jumbled letters and wouldn’t mean anything to anyone.”

Grant also endorses encryption, noting that hackers “just kind of go for the lowest-hanging fruit, and they’ll typically move onto an easier target” if you’ve bothered to encrypt your data.

Encryption isn’t an end-all be-all, though. If someone really wants that data, they can still access it; there’s usually a piece of code stored somewhere on the network that decrypts the data, noted Cohen, so don’t count on an encryption-only strategy.

15. Explain email best practices to employees

Remember when hackers stole 40 million user names and passwords from Sony? That happened, Camelio said, because “one of their employees clicked on one bad email and got a virus on their computer, which opened up the network — which let somebody else in to get the whole thing. It was literally one bad link in one email.”

“If you look at ‘black hat’ hackers, their target is the employee,” McDowell said. “That’s the easiest route in because employees have a natural inclination to want to open up an email” — it’s their job, after all.

16. Create (and implement) policies and procedures

Do you vet people before you hire them? Do you know what steps to take when you’re letting someone go?

If not, then you need to get your arms around your personnel practices — and it definitely doesn’t stop with hiring and firing; you need a document retention policy and much more, too.

“Almost every breach boils down to a lack of appropriate policies and procedures: laying out how things are supposed to be done in the company, followed by contracts,” noted Cohen. You need tech security policies and procedures both for your internal staff and any contractors you’re using.

17. Understand the threats to consumers — and take steps to mitigate them

One of the absolute worst things that could happen to any buyer in a real estate transaction is losing the down payment or earnest money deposit. And hackers are increasingly targeting these wire transfers as a low-hanging source of easy income.

“Some of those scams are so robust that they exactly match the steps and the email between the parties, which means they’ve been sitting on someone’s computer for easily a month-plus, waiting for a deal to go through so they can see every step of that wire transfer before they try to scam any clients,” Camelio noted.

Asaf Cidon, vice president of content security services at tech security firm Barracuda Networks, noted that sometimes a hacker might set up a forwarding rule in an email system to deliver copies of incoming emails to them directly. “They’re doing reconnaissance, and once they see a deal is about to happen, they wait for a time when the buyer is super stressed out, needs to close the deal and doesn’t have a lot of time and needs to wire money. They then email the buyer right before.”

Cidon suggests that agents and brokers prep their buyers by informing them that any wiring instructions or details should be confirmed over the phone — voice call only. “Text is also vulnerable; you can impersonate text messages,” he said.

“Sometimes the folks who are more senior are aware of the risks, but the agents who are handling the deals or the folks more on the operations side don’t have awareness,” Cidon added. “And unfortunately when these things happen, the customers essentially don’t have a way to get their money back. The title company’s not going to return the money; the bank isn’t going to return the money. It’s really scary.”
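
The forwarding rules Cidon describes are something a brokerage's IT contact can look for directly. The following is an added example, not part of the original article: a short Python audit that flags mailbox rules sending copies of mail outside the company. The rule export format, field names, domains and addresses are all constructed for illustration.

```python
# Added example (not from the article): flag mailbox rules that forward mail
# outside the company. The export format, field names, domains and addresses
# are constructed for illustration; map them to your mail platform's export.

INTERNAL_DOMAINS = {"examplebrokerage.test"}  # assumption: domains you own

# Constructed sample export: one dict per mailbox rule.
SAMPLE_RULES = [
    {"mailbox": "agent1@examplebrokerage.test", "name": "File newsletters",
     "enabled": True, "forward_to": [], "delete_after": False},
    {"mailbox": "agent2@examplebrokerage.test", "name": ".",
     "enabled": True, "forward_to": ["copy@mail-archive.invalid"],
     "delete_after": True},
    {"mailbox": "broker@examplebrokerage.test", "name": "Send to assistant",
     "enabled": True, "forward_to": ["assistant@examplebrokerage.test"],
     "delete_after": False},
    {"mailbox": "tc@examplebrokerage.test", "name": "old rule",
     "enabled": False, "forward_to": ["someone@personal-mail.invalid"],
     "delete_after": False},
]


def domain_of(address):
    """Return the lower-cased domain of an address, or '' if it has none."""
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip().lower()


def audit_rules(rules, internal_domains):
    """Return one finding per rule that forwards to a non-internal address."""
    findings = []
    for rule in rules:
        # Malformed addresses have domain '' and are treated as external.
        external = [addr for addr in rule.get("forward_to", [])
                    if domain_of(addr) not in internal_domains]
        if not external:
            continue
        reasons = ["forwards copies outside the company"]
        if rule.get("delete_after"):
            # Hiding the original keeps the mailbox owner from noticing.
            reasons.append("removes the original from the inbox")
        enabled = rule.get("enabled", True)
        findings.append({
            "mailbox": rule["mailbox"],
            "rule": rule.get("name", ""),
            "external": external,
            # Disabled rules are still worth asking the owner about.
            "severity": "high" if enabled else "review",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, INTERNAL_DOMAINS):
        print("[{severity}] {mailbox} rule {rule!r} -> {targets} ({why})".format(
            severity=finding["severity"],
            mailbox=finding["mailbox"],
            rule=finding["rule"],
            targets=", ".join(finding["external"]),
            why="; ".join(finding["reasons"]),
        ))
```

Any rule this flags should be confirmed with the mailbox owner by voice, the same channel Cidon recommends for wiring instructions.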

18. Monitor actively

The days of “having your own servers in your own building and having an IT guy try to build your defenses” are over, said Grant. “The truth is that hackers are so sophisticated that local people won’t be able to keep up.”

So that means active monitoring, possibly using a third-party vendor that specializes in enterprise tech security.

19. Have a data strategy

“Go into all of this with a plan as to what data you’re actually collecting, when you’re collecting it, why you’re collecting it and when you’re getting rid of it,” advised Camelio.

Most states have data disposal laws regarding how (and sometimes when) to purge your data, “and a lot of people have never looked at them,” Camelio added. So that might be a good jumping-off point.

20. Passwords matter here, too

Camelio remembers working with a large city association on a conference event; he needed to arrange for a registration email to blast out to attendees, but it was after hours and he didn’t have the association’s MailChimp password.

“I put it out to one of the folks I worked with,” he recalled, “and two minutes later, he’s like, ‘We’re in.’ He guessed their password. We had access to information from 20,000+ members from a verified account by guessing their password.”

And the thing is, you don’t need to spend hundreds of thousands of dollars on security consulting to create passwords that a hacker can’t guess in two minutes.

21. Consider the physical threat

None of these fancy risk-mitigation techniques are going to make a bit of a difference if it’s easy to get access to data in the physical world.

There are lots of ways this can happen — lost files or devices is just one. “At the heart of it, it’s really straightforward: it’s about building defense and depth,” noted Cohen. “You have a file in a locked filing cabinet, which is inside a locked room inside a locked employee area inside a locked office inside a locked building. Those physical barriers are supplemented with tools like webcams and shredders and alarm systems. I think we all know how these things work.

“That’s a complex view of physical security,” he added, “but even in an agent’s office or home office, keep the file locked up; it doesn’t belong on the dining room table when you’re not there.”

Checks are one of the biggest risks in real estate, according to Cohen. “It has an ABA and a routing number,” he noted. “They are extremely sensitive things, and you do see them on printers and fax machines, sitting in unsecured areas of brokers’ offices and homes. One thing goes awry, and it’s a breach.”

McDowell remembers teaching a class at a small association where she showed up in her suit and told the receptionist she was there to teach a class. She was taken to an empty floor to wait, “and now I’m in the association office,” she remembered.

Of course, she tried a drawer … and it was unlocked. “They’re all unlocked. I had access to every member’s files — everything.”

22. Perform vulnerability tests

“We need to see where we may have some holes, and every system in your network needs to be tested,” McDowell said. “You can’t just say ‘we feel like everything is good.’” Because how do you really know?

“Run some tests and make sure at least every quarter,” she advised. “Larger companies do this every week.”

23. Consider random employee monitoring

What’s the use of training your employees on tech safety best practices if they aren’t actually implementing those best practices?

This is why McDowell suggests random auditing or monitoring so that you can be certain everyone is doing what they’re supposed to be doing.

“You need to really see where they are,” she said. “If you’re using my equipment and my network, I need to do some random auditing before a big disaster occurs.”

She notes that this doesn’t have to be a surprise. “You can tell them in advance that you’re going to do some random monitoring from this period of time to this period of time,” she explained. “We don’t want to go back and worry about our brand and everything we’ve built — we want to make sure everybody has this.”

24. Know how a breach could impact your business

Fair or not fair, your reputation will probably take a hit if your company makes it possible for hackers to access data — especially if it’s consumer data.

And if it happens to more than one company in real estate, that reputation nosedive could ripple out to the entire industry.

“If we don’t get our arms around this kind of problem, I have no doubt we’re going to see regulation that we don’t want to see to a level that we don’t want to see,” Cohen opined.

“And really, getting your arms around the problem and reducing a lot of the risk should not be all that hard,” he added.

25. Have a plan for what to do if it happens

Do you know what you would do if the worst happened and there was a breach of your data?

Who would you inform and in what time frame? How would you deliver the news? What resources or follow-up support will you offer?

This is one plan you’ll hopefully never have to use, but at least if you do have to use it, you can be confident you’re handling the situation properly.

26. Train your staff — over and over again

This is last on the list — but it’s by far the biggest, most important way that companies can protect themselves from a data breach.

“The basic Realtor isn’t getting any training in basic things — what to click on in an email and how to handle it when you get hacked,” noted Grant.

“I’m puzzled by the fact that employee awareness is not there,” McDowell said. “As part of the orientation program, the data security policy should be communicated. It should be incorporated into the new employee or new contractor training — and then it needs to be ongoing.”

Monthly is a good place to start with a training agenda, she thinks. “Just think about how people process information. They walk into a training class and have a hundred things going on; they’ll walk away with one or two tips and then go back to what they’re doing.”

So she thinks that incorporating technology security as a learning initiative — as well as into employee training and onboarding — is a good way for companies to build it into their culture.

“If you had this type of culture, then people would understand: ‘slow down, make sure your laptop is encrypted, don’t click on that link, don’t download that attachment.’ If you start with that knowledge and education base, and have a way of pulling it through, then your employees will be more in tune with it.”


COMMENTS


Jay R Chernoff · Real Estate Broker Associate at Terrabella Realty
Thank you!

Matthew Cohen · Chief Technologist at Clareity
Note that there are ways of mitigating the risk of using public WiFi, for example using a VPN service. But the first example of more sophisticated wire fraud I became aware of about 6 years ago involved a broker offering unencrypted/public Wi-Fi in their office and the hacker intercepting everyone's email credentials.


© 2017 inman All Rights Reserved.
