Does your brokerage have good “cyber hygiene”?
It’s the concept of employing strong preventive measures against cyberattacks at your company and having an action plan in place in case networks are hacked. With email phishing schemes accounting for 95 percent of cybersecurity threats, according to FBI statistics, brokerage owners need to think ahead about how their agents and staff are vulnerable when communicating with clients over digital platforms.
During the Illinois Department of Financial and Professional Regulation’s Cybersecurity Conference in Chicago, legal and law enforcement experts offered advice on how broker-owners can beef up their company policies to safeguard their networks.
First and foremost, brokers should be aware of the email platforms agents are using to conduct business communications, said FBI special agent Daniel Wierzbicki, who manages a team of cybercrime watchdogs in the agency’s Chicago field office. He recommended encouraging agents to use company email accounts rather than private ones. “A lot of people use private Gmail accounts to do transactions with customers instead of company accounts. But a lot of companies have measures to protect from hacking activity; Gmail does not,” he said.
Still, having your agents and staff stick to company email isn’t a foolproof plan. About 25 percent of email users open suspicious emails, Wierzbicki said, and 11 percent open attachments or click on links in those emails—which activates the malware that compromises systems. “Even when companies send out emails to their employees saying this is a malicious email and don’t click on the link, some people do anyway,” he said. “It’s human nature.”
Limit the number of people who have administration-level access to your company’s system, including social media, which is also a target for hackers. That way, fewer people have the opportunity to open your entire system to cyber threats. “It’s who you give access to your system that makes for good ‘cyber hygiene,’” Wierzbicki said. “It only takes one click to compromise a network. And on average, it takes more than 200 days to identify that hackers have gotten into your system.” Also, he suggested, have a security team you can call on immediately if anyone in your company receives a suspicious message.
Of course, you should use strong passwords that would be hard for anyone to guess, Wierzbicki added. He said that longer passwords—at least 26 characters—are better than complicated ones with capital letters and symbols.
Education is fundamental to combat cyberattacks, and that starts with brokers setting the tone, said Jessica Edgerton, associate counsel for the National Association of REALTORS®. Encourage agents and staff not to open suspicious emails or click on links, even if they look benign. Wire fraud is hitting the real estate industry particularly hard, Edgerton said, noting a typical scheme in which hackers gain access to practitioners’ email accounts and send fraudulent wire-transfer instructions to their clients. “People aren’t aware of what’s happening,” she said. “When it comes to a real estate transaction, you have so many different players, and all it takes is one person in that transaction not being aware of the signs of fraud to make the whole thing implode.”
Brokers must lead the effort to inform agents about these schemes and encourage their role in educating clients. Calling agents the “initiators of a transaction,” Edgerton said they must be taught that it’s their responsibility to make sure everyone involved knows what to do if they get suspicious messages related to a real estate deal. For example, agents should tell their clients to verify with them any wire-transfer instructions they receive via email.
To get agents to take cybersecurity education seriously, brokers should have specific company policies in place addressing cyber threats, Edgerton said. “Do you have a security breach policy? Do you have a system where, if anything bad happens, all your agents and employees know what steps to take? Do you have a document retention and destruction policy? Don’t just write it down on a piece of paper and leave it in your bottom drawer,” she said.
The potential legal repercussions of not having such policies are great, said John Costello, an attorney with Cincinnati-based law firm Dinsmore & Shohl. “Litigation in this area devolves into ‘Let’s sue everybody and settle with their insurance policies,’” he said. “It’s negligence, breach of fiduciary duty, breach of standard of care.”
Costello said most states define a standard of care that businesses must meet in terms of cybersecurity. Most brokers will need extra or separate insurance policies to cover specific events related to cyberattacks—but you shouldn’t rely on that to get you out of trouble. What you want to avoid most is “the profound waste of resources” that comes with litigation, he said. “Think strategically about your insurance policies. You’re going to hope for the best but plan for the worst.”
Ultimately, fighting against cyberattacks requires you and your agents to be alert and to develop a keen sense for what is suspicious language in emails, Wierzbicki noted. “Hackers want to give a sense of trust to their victims, which will allow an act that will compromise them,” he said. “You have to know not to fall for it.”