Security is an important topic for all types of business including those operating in the property sector. Here, security is traditionally associated with protecting homes from physical damage and break-ins, through increasingly sophisticated intruder alarm and home security systems. However, in our digital age, estate and letting agents are fast becoming aware of the urgent need to protect themselves and their clients against cybercrime.
According to UK Government data, nearly 40% of businesses across the UK experienced a cyber-attack in 2020, including a third of estate agents. In 2019, cyber-attacks against property-related businesses more than doubled.
How are businesses vulnerable?
Property companies such as estate and letting agents hold a significant amount of sensitive data including client addresses, personal information and account details that are particularly vulnerable to attack.
Under the GDPR in Europe, including the UK, businesses can suffer heavy fines if identifiable personal customer data has been lost, stolen or leaked. The UK GDPR and DPA 2018 set a maximum fine of £17.5 million, or 4% of annual global turnover (whichever is greater) for infringements. Meanwhile, the EU GDPR sets a maximum fine of €20 million (about £18 million), or 4% of annual global turnover, for infringements.
Financial losses as a consequence of a successful cyberattack can be significant, particularly in the case of ransomware attacks. According to official US figures, $590 million in ransomware-related activity was recorded in the first half of 2021 alone.
From an operational perspective, companies are likely to experience significant downtime if they’ve been successfully targeted by cybercrime. The added repercussions in terms of client confidence and brand reputation are difficult to quantify but could be serious.
What are the most common forms of cyberattack?
Below are some of the most common cybersecurity threats affecting estate and letting agencies, and some useful suggestions on how to minimise the risk of attack.
- Phishing
Phishing is a form of social engineering in which an attacker sends a fraudulent message (usually by email but increasingly by text message too) to the prospective victim with the aim of tricking them into divulging sensitive information. Phishing attacks have been rising steeply in recent years. Effective staff training that enables team members to recognise phishing emails and the damage they can do is key, as is enabling Multi-Factor Authentication on devices.
- Ransomware
Ransomware is a type of malware that can take over a system or network, threatening to block access permanently unless a ransom is paid. This type of malicious cyberattack has also been increasing sharply, compounded by the recent preference among cybercriminals for double extortion tactics.
Protecting your business against ransomware attacks is not a simple task, relying as it does on effective network security including powerful antivirus software for detection and remediation. Regular security audits with a cybersecurity expert are a useful starting point. “Without awareness of activity inside your organisation’s network, it can be impossible to know if systems and data are in danger of being compromised,” explains one expert in the field.
Ransomware threatens not only data encryption (rendering the data unusable) but also data exposure, compromising organisational security and protection. Greater remote working among estate and letting agents as a result of the pandemic has inadvertently increased the attack surface, giving hackers more opportunities to gain unauthorised access to systems and install ransomware.
- Insider threats
Cyber threats coming from inside the organisation as opposed to an external attack can be hard to deal with. They can originate from current or former employees, contractors or business associates who have access to information about the company’s data, computer systems and security protocols.
The way to minimise the risk of insider threats is to implement and maintain a strong culture of security awareness within the company. Constant vigilance and the ability to spot early signs of attack can be extremely useful in foiling cybercrime. It goes without saying that rigorous IT systems and processes must be in place for authorised access, storage and transfer of data, including the swift removal of access for former members of staff.
- Weak passwords
A weak password is one that can be guessed or easily breached by brute-force attacks; these tend to be passwords that are too short, not unique or just too common. According to a recent NordPass survey of Fortune 500 companies, employees were using passwords that could be hacked in less than one second. Even worse, once your server containing usernames and passwords has been compromised, the data is usually shared on the dark web for other hackers to gain access to your systems too.
There is a clear and urgent need for basic training around the appropriate choice of passwords for everyone in the organisation, and the introduction of a company-wide secure password management system.
- Missing updates and unpatched systems
For maximum protection, every device that is connected to the internet should receive regular security patches to correct any identified operating system or software vulnerabilities. Systems that are not up to date, or that run old software versions, constitute a security flaw that can easily be exploited by cybercriminals. The best fix is regular monitoring of the patch status on all devices and updating as and when required.
Is insurance the answer?
As seen above, the dangers of cyberattack are all too real, but luckily there is much that estate and letting agencies can do to protect themselves against cybercrime. Effective IT security protocols are key, of course, such as putting strong passwords in place, conducting regular systems and software updates, enabling MFA and maintaining a vigilant company culture. That said, cyber risk exposures are constantly evolving, and with them the potential threat of financial and reputational damage is growing.
Specialist cyber insurance is a form of cover designed to protect the business against digital threats, such as data breaches or malicious cyber hacks. Should the worst happen, having the right insurance in place can provide crucial support to help the business stay operational. Cyber insurance cover can help the business quickly restore network systems and data while seeking to minimise business disruption and covering loss of income during downtime periods. Other support measures may include developing IT risk management procedures, access to breach response teams, legal advice and forensic IT consultancy services.
At a time when cybercrime represents a persistent threat that employs ever more sophisticated methods to gain unauthorised access to computer systems and networks, it has never been more important for estate agencies and letting companies to adopt a multi-layered approach to cybersecurity as the best means of defence.