THAT PETER BREWER

You’ve probably already been hacked, it’s just that your bank account isn’t empty yet… 

Hands up if you’d happily leave your car unlocked with your windows open and your keys and wallet in the console.

Please also keep your hands raised if you’d expect your insurance company to replace that car if thieves simply jumped in and headed off into the sunset never to be seen again. 

Of course anyone with an ounce of business smarts would never consciously support either scenario. As business owners we accept a higher level of responsibility to demonstrate we can secure our own assets, but more importantly, the assets of our clients. It simply doesn’t make sense to give any crim an open licence to hit the road in your prized possession along with easy access to your driver’s licence and credit cards (aka 100 points of ID).

OK, now for ships and goggles, let’s keep pointing ten fingers to the heavens if you’d happily leave copies of the most private and personal banking details of your clients sitting on the front desk of your office for the world to freely see.

Again, the answer from anyone with an ounce of business acumen is that they’d never dream of such a career limiting and reputation-crushing lunatic of an idea.   

It goes without saying that it’d be deemed irresponsible and reckless to publicly expose the private information of others for anyone to freely download and do with whatever they desire. I’m not a gambling man, but I’ll take a punt that the likely outcome of willingly or unwillingly sharing a client’s data isn’t gunna end well.

The recent attacks on Optus and Medicare should be sounding alarm bells right across our profession. But team, I’m here to say that I’m not entirely convinced that the message is sinking in…

Let’s be frank here: if, like me, you’ve been at a BBQ, party, pub chat, or in a Facebook chat, you will have seen and heard the seemingly endless and arguably deserved profanities being hurled at those two corporate giants for the frankly crappy way they’ve abrogated their responsibility to keep their customers’ data safe.

It’s very clear that Optus’s and Medibank’s reputations around data security have been trashed, and will be for some time to come. Aussies have great memories. I’m not sure who once said,

“Aussies will forgive a f#ck-up, but they’ll never forgive a cover-up” 

Seemingly the crims simply walked through a figurative ‘open door’ at Optus and Medibank, made themselves comfy on the couches, put their feet up on the teak desks, and just paged through Optus and Medicare’s data at their leisure (aka your most private and personal information).

The ‘licence of trust’ that customers expect from corporate Australia, and the shabby way in which customers have been (or have not been) communicated with through those breaches, has seriously compromised that licence. Believe me. I’m an Optus customer. No warm and fuzzy feel-good TV ad is going to repair my trust, or make me sleep better knowing that my passwords, passport, driver’s licence, bank deets, personal identifiers, photos, credit card numbers, and transaction history are being traded on the dark web for rupees, drachmas, or a carton of Fosters.

It might have been an ambitious goal, but I was personally hoping that the hacks on Optus and Medibank might have sent some long overdue shockwaves through the corridors of the entire real estate profession.

Our profession retains an enormous amount of personal data, and the mounting evidence of a growing number of cyber-crime-related claims being made on real estate insurers (AON’s professional indemnity expert Peter Lynch being one who has raised it) says there’s an opportunity for many business owners to be playing some very urgent catch-up.

Sadly, it seems that for many in our real estate profession, the warning bells are still falling on deaf ears, in the belief that cyber security is not an issue for Australian real estate businesses.

If the Optus and Medicare hacks don’t do it for you, then please let me explain why I disagree vehemently with the apparent apathy across the profession on this issue. 

For many moons, one of my favourite nocturnal pastimes was to see how many usernames and passwords I could gather from yellow post-it notes stuck to the sides of computer screens, on full display to the world through office windows at night. My record still stands at 23 in one night on the Sunny Coast.

Those exposed passwords provided me free access to a smorgasbord of bank log-ins, Google accounts, property management software, RPData logins, Facebook and YouTube accounts, and my absolute personal favourite, an Uber Eats login. (For noting, I didn’t order pineapple on that pizza.)

And by the way, my interest in collecting passwords isn’t confined to nocturnal pursuits.

Some of you have been kind enough to alphabetically sort those usernames and passwords into a little black book secretly labelled ‘passwords’ that sits in way too many business owners’ top drawers. That one time-saver hack might make it easy for you to remember passwords, but it’s possibly opening you up to the biggest cyber-hack to ever empty your bank accounts.

Post-it notes on monitors and little black books of passwords don’t rank high as the wisest cyber security strategy for secure password management, and would make your clients shudder if they knew that was your 2022/23 version of protecting their private data.

Peeps, are you picking up what I’m putting down here? We’ve gotta raise the bar! And pretty dramatically, and bloody quickly in some cases.

We’re not just leaving the keys to the Porsche in the console here, we’re actually filling the tank up for them by not taking the rapidly advancing world of cyber security a whole lot more seriously than many of us have been till now.

Many of you will be aware that a Melbourne-based PM business had visitors to their database a couple of weeks back, and just yesterday a NSW-based major franchise office has also reported a visitor and, I assume, has had to endure the unenviable and embarrassing responsibility of communicating to their landlords, tenants, buyers and sellers that a mix of their private IDs and banking details has quite likely been compromised.

There are any number of ways that these hacks may have occurred. In fact, it might not have even been a hack. 

Hackers are incredibly skilled at penetrating poorly protected processes, taking what they want and then covering their tracks on the way back out. How the Melbourne or NSW breach occurred might never be known. I’ve seen a fair bit of finger pointing going on about where/how the Melbourne breach might have occurred, but I’m yet to see anyone own it. (Remember, Australians will forgive a f#ck-up, but they won’t forgive a cover-up.)

What’s becoming evident is that in a high number of cases poorly secured businesses would never know their inaction and tardiness had exposed and compromised their clients’ most private data. The investigation into the Melbourne ‘hack/breach’ and the root cause/s of how clients’ data was compromised will make for interesting analysis when it sees the light of day.

I’ve made a conscious decision to not name either of the agents/brands that are going through this living hell because, frankly, I have a feeling that ‘there but for the grace of God’ goes potentially a significant percentage of the real estate profession who could, under different circumstances, be spending their next few days/weeks attempting to explain their lack of data security to (a few hundred or thousand) incredibly unhappy and unforgiving customers and clients.

We’re at the pointy end of things in cyber security, folks. It’s no longer a matter of if the crims come knocking at your front or back door, it’s now just a matter of when.

Make no mistake, our profession is a prime target. We’re entrusted to securely protect thousands of incredibly valuable records for our clients. 

It’s no secret that many in our profession hold huge deposits on behalf of clients, and transact them in good faith, often on the instructions of an email from someone we’ve never met, to an account we don’t know. That in itself is scary.

Bad stuff happens when good processes aren’t documented, vigilantly followed, and tested.

I’m not meaning to be overly sanctimonious here. I totally get it. Mistakes get made. It can happen easily. I mean, if corporate giants like Optus and Medibank are struggling to lock the doors to keep the cyber criminals off the couch, then it certainly sends a message that your local suburban real estate agent needs to be more vigilant than ever. I’m just checking in and ringing a warning bell.

I ain’t throwing rocks. I’ll confess that I’m the guy who used to think it was OK from 1990 to 2000 to send a 15-year-old receptionist on a walk to the local bank each day, passing by the wolf-whistlers at the local hotel beer garden, at 4.00pm, with up to $15,000 in cash in a calico bag marked ‘Deposit.’ Brilliant security, I know. But at the time it kinda seemed like acceptable behaviour.

But that’s my point! Times change. Just like we have to change our behaviour when the market changes, we also have to change our behaviour when new threats come. And it’s far from breaking news, folks: we’ve been in the spotlight for hackers and data thieves for over a decade because we are, in the eyes of the scammers and hackers, a soft and simple target.

Peak industry bodies like the REIQ have for at least a decade been rattling the cage on the need for real estate professionals to be super vigilant and to have excellent processes and ongoing internal education in place. Every business owner needs to actively implement processes that minimise the massive risk to their business, and stop the next cyber hack headline featuring their business name and, overnight, decimating their personal brand and reputation.

And based on the increasing volume of insurance claims for hacks and cyber theft, it would seem that so far the messaging largely appears to be falling on deaf ears.

There is an array of best practice resources available from The REIQ to assist real estate business owners to navigate this new world.  

Specialist companies such as Cloudstaff, who proudly boast gold-standard ISO 27001 data security certification, have assembled a library of their best practice resources that businesses can avail themselves of to minimise the risks when the hackers and cyber crims decide that you’re next. And they will.

Leading international data security authority, and CEO of Cloudstaff, Lloyd Ernst today offered a 6-point checklist:

Lloyd Ernst – Cloudstaff CEO

Tip number #1 – Never Share Logon

Never share logons to systems. Never. Shared logins mean it is very hard to figure out who has done what, and hard to use systems like 2FA (see next).

Tip number #2 – two factor authentication (2FA)

You and your staff should use two factor authentication on every system you access. (After the user enters their password they are prompted for a second form of authentication like an SMS, a code from an app, or a hardware device like a Yubikey.) This means if they are using an easy password, or a third party guesses or finds their password, they still cannot access the system until the second factor of authentication is used.

Tip number #3 – Enterprise Grade Security

Virus checkers went out with Windows 8. Some of the best technology to use now is called EDR – Endpoint Detection and Response. EDR is the mainstay of security in every large corporation. EDR prevents malware infection, detects and defuses potential threats in real time, and automates response and remediation procedures.

Tip number #4 – Enterprise grade VPN & Firewall

In your office, your staff’s PCs are behind a firewall, protected from the Internet. When staff work from home on their personal internet this does not reduce the risk, it increases it. A VPN – Virtual Private Network – redirects all the traffic from the home user, encrypts it and tunnels it to a router in an office, where an enterprise grade firewall provides the same protection as staff working in the office.

Tip number #5 – No Train No Blame

Train your staff and test your staff. If your staff could potentially be exposed to phishing, then consider running exercises to test that they are practising good email techniques and that they have via.

Tip number #6 – ISO 27001

Consider using suppliers who are certified to the ISO-9600 and ISO-27001 standards. These suppliers have demonstrated their commitment to having the correct systems and procedures in place, and undergo rigorous auditing.

Believe me, it’s not a matter of if you get hacked, but when. The real question is whether you’ve done enough training and raised awareness, trained new behaviours, created sufficient vigilance and implemented best practice processes to survive that hack.

Or will you still be leaving your car in the driveway with the keys in the console, and the post-it notes stuck to your office computer screens? I know what my plan is. What’s yours?

Photo attribution: depositphotos.com (https://depositphotos.com/stock-photos/abstract.html)