Implementing Safeguards To Reduce Office Cyber Risk

With cybercriminals focusing on the real estate industry, CRE professionals are finding it crucial to put certain protections in place to guard against common threats. In part one of this piece, we will discuss some safeguards used to protect companies against cyber attacks. In part two, we will discuss the top five cybersecurity risks faced by real estate companies [NEED LINK TO SECOND PART HERE].

Here are some effective methods that can substantially reduce the risk of cyber attacks.

Implement a wire policy – One of the simplest yet most successful ways to cut down on the risk of falling for a Business Email Compromise (BEC) scam is to put a policy in place of never sending a wire based on email alone. In a BEC scam, a legitimate-looking email from a trusted party (such as the CEO of a company) requests money. However, when the recipient transfers funds, the money goes to a criminal party that has gained access to the email address in question.

Your policy against email-only wires will help prevent loss of money due to this method.  Adding a phone call or other wire confirmation method is a process known as two-factor verification. This can prevent money that was supposed to be delivered to an attorney or contractor from winding up in the hands of a hacker.

Cybersecurity training: The majority of hackers still use phishing, or misleading emails to get people to click on links to attachments that will put malware on their computers. Simple as these methods may be, a sizable 65% of CISOs are deeply concerned about phishing scams. Training to raise awareness of methods like these can reduce the risk of falling victim to ransomware. In an organization, individuals are the most vulnerable points for attacks like these, making cybersecurity awareness and discussions that much more important.

Negotiate provisions for information security with counterparties to real estate agreements: One complicating factor is that scam emails from criminals can appear to come from valid addresses, rather than spoof addresses. In many cases, this is because a hacker compromised a legitimate email and is using it for illegal money transfers. In situations like these, people argue over who is responsible for the lost funds, the company with the email system vulnerable to hacks, or the one that sent the money and failed to follow protocol.

To guard against wiring funds to criminal accounts, it is best to have contracts that provide for the counterparty to exercise reasonable security controls. That way, if the counterparty is ever hacked, there is a potential cause of action under breach of contract emerging from the hack, which could cover wiring funds to the wrong account through an email address breached by a hacker.

Back up all systems: Ransomware is most significant for businesses that do not have a workable backup. Without sufficient backup, an organization may be more quick to agree to pay a ransom out of panic over the threat of lost data. When you have backup data, you are more resilient after the attack and have the peace of mind necessary to ignore ransom threats when they emerge.

Figure out cloud computing agreements: Real estate businesses should try to negotiate added protections that are not part of typical cloud computing provider terms and conditions due to the sensitive nature of the stored information. By adding information security standards and notification requirements in the case of data breaches against the cloud provider, as well as additional indemnification for occurrences and limits of liability that offer relevant solutions in case of an attack, a business can get better protection in the event that a cloud provider is breached.

Cyber liability insurance: Given that all security systems are imperfect, cyber liability insurance can be a key part of reducing risks. There is a massive disparity in what is covered by any given policy for cyber liability, so it’s important to make sure that policies cover risks like BEC scams, ransomware threats, ransom payments, and even interruption of business because of attacks.