Not every real-estate business can rely on an in-house team of IT engineers to keep them operational 24/7 and protect the network from intrusion or theft of client data.
The growth of the managed service provider (MSP) sector over the past ten to 15 years – enabled by huge improvements in broadband speeds and integrated remote access software – has provided a lifeline for SMEs that simply do not have the budget for dedicated staff to maintain robust, cost-effective cyber security. Even with expert third-party support, however, the real-estate sector faces a number of unique challenges that need to be met if firms are to ensure that their clients' data is kept safe and secure.
In addition to the growing trend for remote working in the wake of the COVID-19 pandemic, the real-estate sector already employs a vast number of staff who attend property viewings, meet prospective clients and conduct surveys.
Your cyber-security plan should ensure that remote staff are using mobile devices that operate industry-standard protocols, such as two-factor authentication (2FA), requiring users to confirm their identity using a combination of preconfigured features such as biometric information or a text message to a company mobile phone.
If your staff are on the road visiting properties and conducting meetings, make sure that they only connect to verifiable networks; this will help prevent so-called evil twin attacks that mimic the name of a venue's wireless connection and harvest data from unsuspecting users, or packet-sniffing attacks that monitor traffic to and from a device. Public wi-fi networks are after all low-hanging fruit for cyber criminals who are looking to piggyback on unsecured connections and steal company and client data.
All your remote staff without exception should also use a virtual private network (VPN) that is linked to a company router or firewall. VPN tunnels encrypt company data over public wi-fi and place remote workers on the same local network as office staff, with all the associated file access rules.
Your agency may operate managed premises including technology that connects to the internet, also called the internet of things (IoT). In that case, you should be very careful in the deployment and management of these devices. Don't be fooled by the marketing: IoT device security needs to improve significantly before it can be reliably described as safe and secure.
Where possible, make sure such equipment is centrally managed via an online portal, and conduct regular security reviews across your IoT network to ensure that passwords are of a good standard, and that equipment is locked down for use only by those who require it. Ensure that your employees are generating passwords that contain a complex string of alphanumeric information and symbols, rather than using common phrases or combinations of numbers.
'Public wi-fi networks are low-hanging fruit for cyber criminals who are looking to piggyback onto unsecured connections'
If you run a real-estate firm, you don't need me to tell you that the data you hold on your clients is extremely personal, pertaining to property ownership, banking details and large money transfers.
The theft of personally identifiable information will not only be financially damaging to you as an organisation, but can also cause enormous reputational damage. Firms are legally bound to report a data breach to the Information Commissioner's Office (ICO) and to all their clients. Buyers, sellers, landlords and tenants don't take kindly to emails telling them that their information has been exposed to cyber criminals.
Like any other sector real estate needs to get the basics of cyber security right, and be able to rely on staff to be conscientious employees.
Quite often, the best way to manage IT is to manage people. Firms can spend as much as they like on industry-leading cyber security, but unless staff are continually mindful of the risks inherent in the sector it can all be for nothing.
Each firm has a unique set of challenges from turnover to staffing numbers and underlying business model. A well-managed, far-reaching IT policy that commits staff to remaining compliant and conscientious in the issues discussed above is the bread and butter of sound security.
Your staff need to understand how to use the cyber-security tools they've been provided. IT training doesn’t need to be time-intensive. After staff have been inducted, refresher training can be scheduled in time slots of between 15 and 30 minutes every few weeks, if required. This is a small price to pay when considering the alternative is business disruption that results from an employee clicking on something they shouldn't have.
If you've given staff the ability to whitelist and blacklist email addresses, make sure they understand how to do it. If your antivirus software flags up a potential intrusion on their machine, they should instinctively know what the next steps are.
'IT training doesn't need to be time-intensive'
I run my own IT company, and I've been approached by many prospective clients with tales of lax support practices and broken promises. If you're not able to employ your own dedicated cyber-security staff, your prime consideration should be choosing a reputable IT support provider that can fulfil your requirements and add value to what you're trying to achieve as an organisation.
Scrutinise a potential provider's cyber-security practices throughout the sales process. Ask its staff how they would react to a security breach and what its internal support procedures are in the event of a ransomware attack. If they know what they're doing, they'll be able to rattle off these in an instant; if they take an age to reply to an email or seem unsure of the particular challenges faced in real estate, your best bet is to move on to the next prospective provider.
Prof. Sara Wilkinson FRICS, Dr Gill Armstrong, Dr Kusal Nanayakkara, Mark Willers FRICS, Prof. Jua Cilliers and Dr Robert Fleck 08 December 2023