I think it was my recently departed Mum that first introduced me to the great old saying: “if you’re not part of the solution, then you’re part of the problem”…. 

Some of you will have read my recent thoughts on the 2 big red flags I see waving in the face of the real estate profession in Australia.

If you’ve already read the article you’ll know I was talking about the obligations on employers that commenced in April to ensure they’re genuinely looking after the mental health of their employees, and the potential dire consequences if they do not.   

Employers have the obligation to ensure that Employees are fully trained to do their jobs, are properly resourced, and rewarded appropriately for their skill level, and their performance reviews are set and measured on realistic outcomes.  Your Team need to know that it’s not acceptable for them to cop crap from customers, clients, or in some cases, each other and that they are fully supported by management, and that abusive or inappropriate behaviour or advances will be dealt with head on by management. 

The other waving bright red flag of course is the rapidly disappearing number of Property Managers from the profession and the fact that they’re not being replaced by the same rate at which they’re disappearing.   Its being agreed in many circles that the real estate profession is today paying the price for not investing appropriately in rewarding existing Property Managers, for not training the next wave of Property Managers, and for actively promoting profit-sapping fee-discounting offers that have resulted in a race to the bottom where the expectations of consumers has been set to seek the lowest possible cost above quality and professionalism. 

As a profession, the actions of the cheap and nasty wham-bam-thank-you-Ma’am fee discounter agency has taught consumers that the first question they should ask is ‘How much are you’ rather than “ How good are you?”… 

Now I’m not suggesting that fees can’t or shouldn’t be competitive. I support free markets. But if your fee model is preventing you from paying key people appropriately, lowering service levels, and you’re not investing in nurturing new talent, I think you’re part of the problem. 

After the recent article ‘She just needs to take a cup of cement and harden the f#ck up’ appeared, I received a text message from a senior figure in our profession that read, 

“Peter, any advice on this mate? – An agent (female) verbally abused face to face this afternoon by a drunk seller (male). Agent shaken and felt very vulnerable. Seller tole her to ‘get your fucking sale board down etc etc’”  

My response was quick and simple:

“Business owner needs to step up and formally release the Seller from their obligations under the Form 6 (Selling agreement) *Qld . 

Business owner needs to report the abuse to the Police (if it was threatening). 

Business Owner needs to offer (insist) that the Employee receives counselling using the businesses EAP.  And if they don’t have an EAP, then they need to initiate one and at the very least ensure the Employee receives professional counselling immediately.   

Business owner needs to call a meeting of the entire office and reaffirm to all that the company policy is to not accept any physical or verbally abusive attacks from anyone, and that any abuse, or sexual or inappropriate advances are to be immediately reported and acted on by the business owner.” 

That text message wasn’t the only message I got after that article aired.  Around a dozen Property Managers from across Australia messaged me expressing their thanks for shining a light on their challenges.  Some of those notes were highly emotional and contained horror stories of the way they’ve been treated over many years. I was also chuffed to receive a call and several emails from Principals and Directors who took the time to give their thanks for awakening them to their obligations and the severity of the challenges at their feet.    Needless to say, I also received some hate mail from business owners who hated the thought I was making them publicly accountable.   I’m 100% ok with that.  Hopefully they’ll move on to a discounted retirement village. 

I started this musing quoting my Mum, “If you’re not part of the solution, then you’re part of the problem.”  My Mum, one of the wisest people i’ve known, would be saying to me right now, ‘Peter, you can’t stir up a hornet’s nest if you don’t have a solution to eradicate the hornets.’

So, in order for me to be true to my word, and to honour my Mum’s words, I offer this friendly food for thought.

After growing, managing, and selling a significant Property Management business over several decades; after studying the profitability of hundreds of Property Management businesses across Australia, NZ and the USA over several decades; and after taking a deep dive into the stale labor intensive business model still being employed by way too many businesses, I’m ready to say that the property management profession in its current form in many businesses is on life support in the ICU with little chance of survival without undergoing major surgery. 

You’ve only gotta read the Annual Rent Roll Market Report provided by Brad Robson detailing the number, size, profitability, and multipliers being achieved by business owners who are selling up to get a feel for what some of the bigger challenges are.

It’s bloody expensive to stick your head in the sand and to pray that the bad man is going to go away.  #Protip: He’s not going anywhere. It’s time to think and act. The bad man is not going away and his footsteps are getting louder.   Who is the bad man coming to ‘get’ your business?  

Is it Amazon? 

Is it Google?

Is it a Portal?

Is it your own lack of action?

Is it Mr 1.5% from the next suburb across? 

What will they beat you on? 

There’s no question that models need to change, roles need to change, fees need to change, people management needs to change, and the services our profession provides to investors and tenants largely needs to change. 

What do I think you need to do to survive?  

Find out at my upcoming webinar on October 4th where we’ll be exploring what the new normal looks like, and the 5 key actions my expert panel including Cloudstaff’s Chief of Compliance Wayne Bucklar and others believe you need to implement before the sun sets on 2023.  

Will I see you there? Will you be part of the solution or part of the problem? 

Please also keep your hands raised if you’d expect your insurance company to replace that car if thieves simply jumped in and headed off into the sunset never to be seen again. 

Of course anyone with an ounce of business smarts would never conscientiously support either scenario. As business owners we accept a higher level of responsibility to demonstrate we can secure our own assets, but more importantly, the assets of our Clients. It simply just doesn’t make sense to give any crim an open license to hit the road in your prized possession along with easy access to your drivers license and credit cards. Aka 100 points of ID

OK, now for ships and goggles, let’s keep pointing ten fingers to the heavens if you’d happily leave copies of the most private and personal banking details of your clients sitting on the front desk of your office for the world to freely see?   

Again, the answer from anyone with an ounce of business acumen is that they’d never dream of such a career limiting and reputation-crushing lunatic of an idea.   

It goes without saying that it’d be deemed irresponsible and reckless to publicly expose the private information of others to anyone to freely download and do with it whatever they desire.  I’m not a gambling man, but I’ll take a punt that the likely outcome of willingly or unwillingly sharing a clients data isn’t gunna end well. 

The recent attacks on Optus and Medicare should be sounding alarm bells ringing right across our profession.  But team, i’m here to say that i’m not entirely convinced that the message is sinking in… 

Lets be frank here, If, like me, you’ve been at a BBQ, Party, Pub chat, or in a Facebook Chat, you will have seen and heard the seemingly endless and arguably deserved profanities being hurled at those 2 corporate giants for the frankly crappy way they’ve abrogated their responsibilities to keeping their customers data safe. 

Its very clear that Optus's and Medibank's reputations around data security have been trashed, and will be for some time to come. Aussies have great memories. I’m not sure who once said, 

“Aussies will forgive a f#ck-up, but they’ll never forgive a cover-up” 

Seemingly the crims simply walked through a figurative ‘open door’ at Optus and Medibank and made themselves comfy on the couches, put their feet up on the teak desks, and just paged through Optus and Medicare’s data at their leisure. (AKA your most private and personal information)  

The ‘license of trust’ that customers expect with corporate Australia, and the shabby way in which customers have been (or have not been) communicated with through those breaches has seriously compromised that license..  Believe me. I’m an Optus Customer. No warm and fuzzy feel-good TV ad is going to repair my trust, and make me sleep better knowing that my passwords, passport, drivers licencce, bank deets, personal identifiers photos, credit card numbers, and transaction history is being traded on the dark web for rupees, drachmas, or a carton of Fosters. 

It might have been an ambitious goal, but I was personally hoping that the hacks on Optus and Medibank might have sent some long overdue shockwaves through the corridors of every real estate profession. 

Our profession retains an enormous amount of personal data, and mounting evidence of a growing number of claims being made on cyber related crime by real estate insurance giants like AON’s professional indemnity expert Peter Lynch says there’s an opportunity for many business owners to be playing some very urgent catch-up.

Sadly, it seems that for many in our real estate profession, the warning bells are still falling on deaf ears in the belief that cyber security is not an issue in Australian real estate businesses.  

If the Optus and Medicare hacks don’t do it for you, then please let me explain why I disagree vehemently with the apparent apathy across the profession on this issue. 

For many moons, one of my favourite nocturnal pastimes was to see how many usernames and passwords I could gather from yellow post-it notes stuck to the sides of computer screens on full display to the world through offices windows at night. My record still stands at 23 in one night on the Sunny Coast. 

Those exposed passwords provided me free access to a smorgasbord of Bank log-ins, Google accounts, Property Management software, RPData logins, Facebook and Youtube accounts, and my absolute personal favourite, an Uber Eats login.  (For noting, I didn’t order pineapple on that pizza) 

And by the way, my interest in collecting passwords isn’t confined to nocturnal pursuits.

Some of you have been kind enough to alphabetically sort those usernames and passwords into a little black book secretly labelled ‘passwords’ that sits in way too many business owners top drawer.  That one time-saver hack might make it easy for you to remember passwords, but its possibly opening you up for the biggest cyber-hack to ever empty your bank accounts. 

Post-it notes on monitors, and little black books of passwords don’t rank high as the wisest cyber security strategy for secure password management, and would make your Clients shudder if they knew that was your 2022/23 version of protecting their private data.

Peeps, are you picking up what i’m putting down here?  We’ve gotta raise the bar!. And pretty dramatically, and bloody quickly in some cases.   

We’re not just leaving the keys to the Porsche in the console here, we’re actually filling the tank up for them by not taking the rapidly advancing world of cyber security a whole lot more seriously than many of us have been til now.

Many of you will be aware that a Melbourne based PM business had visitors to their database a couple of weeks back, and just yesterday a NSW based major franchise office have also reported a visitor and I assume have had to endure the unenviable and embarrassing responsibility  of communicating to their landlords, tenants, buyers and sellers that a mix of their own private ID’s and banking details has quite likely been compromised. 

There are any number of ways that these hacks may have occurred. In fact, it might not have even been a hack. 

Hackers are incredibly skilled at penetrating poorly protected processes, taking what they want and then covering their tracks on the way back out. How the Melbourne or NSW breach occurred might never be known. I’ve seen a fair bit of finger pointing going on of where/how the Melbourne breach might have occurred, but i’m yet to see anyone own it.  (Remember, Australian’s will forgive a f#ck -up, but they won’t forgive a cover-up)

What’s becoming evident is in a high number of cases poorly secured businesses would never know their inaction and tardiness had exposed and compromised their clients most private data.  The investigation into the Melbourne ‘hack/breach’ and the root cause/s of how Clients data was compromised will make for interesting analysis when it makes the light of day.

I’ve made a conscious decision to not either of the Agents/Brands that are going through this living hell because frankly, I have a feeling that ‘there for the grace of god’ goes potentially a significant percentage of the real estate profession who could, under different circumstances, be spending their next few days/weeks attempting to explain their lack of data security to a few hundred or thousand)  incredibly unhappy and unforgiving customers and clients. 

We’re at the pointy end of things in cyber security folks. Its no longer a matter of if the crims come knocking at your front, or back door, its now just a matter of when.  

Make no mistake, our profession is a prime target. We’re entrusted to securely protect thousands of incredibly valuable records for our clients. 

It’s no secret that many in our profession hold huge deposits on behalf of clients, and transact them in good faith, often on the instructions of an email from someone we’ve never met to an account we don’t know.  That in itself is scary.

Bad stuff happens when good processes aren’t documented and vigilantly followed, and tested.  

I’m not meaning to be overly sanctimonious here. I totally get it.  Mistakes get made. It can happen easily. I mean, If corporate giants like Optus and Medibank are struggling to lock the doors to keep the cyber criminals off the couch, then it certainly sends a message that your local suburban real estate agent needs to be much more vigilant than ever.  I’m just checking in and ringing a warning bell. 

I ain’t throwing rocks.  I’ll confess that I’m the guy who used to think it was OK from 1990 to 2000 to send a 15 year old receptionist on a walk to the local bank each day, passing by the wolf-whistlers at the local hotel beer garden, at 4.00pm, with up to $15,000 in cash in a calico bag marked ‘Deposit.’  Brilliant security I know.   But at the time it kinda seemed like an acceptable behaviour. 

But that’s my point! Times change, just like we have to change our behaviour when the market changes, we also have to change our behaviour when new threats come.   And its far from Breaking News folks, we’ve been in the spotlight for hackers and data thieves for over a decade because we are, in the eyes of the scammers and hackers, a soft and simple target. 

Peak industry bodies like The REIQ, have for at least a decade been rattling the cage on the need for real estate professionals to be super vigilant and have excellent processes and ongoing internal education in place.  Every business owner needs to actively implement processes that minimise the massive risk to their business and to stop the next cyber hack headline featuring their business name, and overnight, decimating their personal brand and reputation

And based on the increasing volume of insurance claims for hacks and cyber theft it would seem so far that messaging largely appears to be falling on deaf ears. 

There is an array of best practice resources available from The REIQ to assist real estate business owners to navigate this new world.  

Specialist companies such as Cloudstaff who proudly boast gold standard ISO 27001 data security certification, have assembled a library of their best practice resources that businesses can avail themselves of to minimise the risks associated when the hackers and cyber crims decide that you’re next.  And they will. 

Leading International Data security authority, and CEO of Cloudstaff, Lloyd Ernst today offered a 6 point checklist

Tip number #1 – Never Share Logon

Never share Logons to systems. Never. Shared logins means it is very hard to figure out who has done what and hard to use systems like 2FA (see next)

Tip number #2 – two factor authentication (2FA)

You and Your staff should use two factor authentication on every system you access. (After the user enters their password they are prompted for a second form of authentication like a SMS, Code from an App or hardware device like a Yubikey). This means if they are using an easy password or a third-party guesses or finds their password they still can not access the system until the second factor

authentication is used.

Tip number #3 – Enterprise Grade Security

Virus checkers went out with Windows 8. Some of the best technology to use now is called EDR – Endpoint Detection and Response. EDR is the mainstay of security in every large corporation. EDRprevents malware infection, detects and defuses potential threats in real time, and automates response and remediation procedures.

Tip number #4 – Enterprise grade VPN & Firewall

In your Office, your staff’s PC are behind a firewall protected from the Internet. When staff work from home on their personal internet this does not reduce the risk, it increases it. A VPN – Virtual Private Network re-directs all the traffic from the home user, encrypts it and tunnels it to a router in an office then an enterprise grade firewall provides the same protection as staff working in the office.

Tip number #5. No Train No Blame

Train your staff and test your staff. If your staff could be potentially exposed to phishing, then consider running exercises to test that they are practising good email techniques and that they have via.

Tip number #6. ISO 27001

Consider using suppliers who are certified for ISO-9600 and ISO-27001 standards. The suppliers have demonstrated their commitment to having the correct systems and procedures in place and undergo rigorous auditing.

Believe me, its not a matter of if, you get hacked but when.  The real question is whether you’ve done enough training and raised awareness, trained new behaviours, and created sufficient vigilance and implemented best practice processes to survive that hack..  

Or will you still be leaving your car in the driveway with the keys in the console, and the post-it notes stuck to your office computer screens.  I know what my plan is. What’s yours? 

Photo attribution: <a href=”https://depositphotos.com/stock-photos/abstract.html”> – depositphotos.com</a>