- Times have changed since the "lock and key" days
- Mitchell Redshaw of BDO discusses issues surrounding email and mobile phone security
- BDO saw data breaches more than double last year
Protecting the private information of your stakeholders has always been one of the priorities for property management professionals and agencies. However, the way we protect that information has changed significantly over the last 10 to 15 years.
In the old days, we would store clients’ bank details securely behind locks and keys.
We would file contracts, client contact details, and other private information in the office.
A protocol would prevent the originals from leaving the office without management’s approval.
Keys could only leave the office if someone logged them out via a paper logbook.
Today’s challenges bring the question of protecting private information to a whole new level. Information is kept and shared on the cloud 24/7. Property managers and agencies are always online and constantly sharing their stakeholders’ private and confidential information.
Of course, we still do our due diligence in protecting our stakeholders’ information.
Still, are we doing the bare minimum, the maximum, or something in between when it comes to making our processes secure?
An example of a tool that puts information at risk is email.
The Department of Mines, Industry Regulation and Safety teaches real estate agents about the risk of sharing bank details via email. Through their CPD training, the department shared cases where scammers interfered with the emails, changed the bank details, and got the agency’s clients to transfer money to another bank account.
“This form of ‘social engineering’ attack is known as Payment Redirection Fraud and often occurs after a business email is hacked,” explained Mitchell Redshaw of BDO.
“BDO’s 2020 Cyber Security Survey found a fourfold increase in payment redirection fraud attacks compared to the prior year – and it’s no coincidence that this coincided with Covid-19 and remote working arrangements,” Mitch continued.
“With greater reliance on digital technology comes greater risk. There is no ‘silver-bullet,’ but the solution relies on both technology and business controls.
“By implementing Multi-Factor Authentication, coupled with email monitoring to detect suspicious activity (such as logins from unusual locations or times), small to medium enterprises can put cheap roadblocks in place for hackers.”
“The second half of the solution involves the agency’s staff.
“Educating the accounts payable and finance staff about these types of attacks empowers your ‘human firewall’, which is often the last line of defence.
“Employees should be engaged and empowered to recognise and challenge suspicious activity (such as a seemingly urgent email from an executive requesting immediate payment of an unusual invoice or changes to employee remuneration details).
“This should be supported by business processes which require the teams to double-check by calling known phone numbers of internal staff and external creditors who request changes to payment details, to ensure the requests are legitimate.”
Encryption and strong passwords a must for mobile phones
Another example is our mobile phones.
Everybody carries their personal information on their phone. Property managers also have the opportunity to log into the property management software from their phones. This flexibility comes with risks to information that agencies must be familiar with.
For instance, processes should be in place to ensure that, should a staff member lose their phone, the information of the agency and their stakeholders remains secure.
Mitch provided us with some handy tips around mobile phone usage and protecting the agency.
“Mobile devices are handy portals to massive amounts of personal and sensitive data. From information about our lives to those of our clients and the ways our business interacts with them, mobile devices contain a wealth of information that hackers consider lucrative.
“Australia has data privacy laws that require businesses to notify the Office of the Australian Information Commissioner, and sometimes impacted people, when a data breach introduces serious risks of harm.”
“BDO saw data breaches more than double in 2020 compared to the prior year, and one of the many ways we see this occur is when unsecured mobile devices are hacked or simply lost.”
“Ensuring mobile devices are encrypted and secured with strong passcodes, can be remotely located and wiped if lost, are kept updated, and are restricted to prevent users from downloading irrelevant and risky applications are cost-effective and simple first steps in protecting them.”
Remote working a risk
Finally, in the old days, all staff had to be in the office to access the computer systems and files.
Today, especially during the challenges of Covid-19, many property managers can log in remotely and work on their clients’ cases without close supervision from management and IT.
This situation creates a risk for the agency, and management must manage it.
“Remote working introduced new opportunities and new cyber risks,” said Mitch.
“Most organisations rapidly adopted new digital technologies as quickly as possible in order to adapt and survive. Organisations must now focus on bridging the cyber risk gaps across these new processes and technologies.
“Last year, BDO’s 2020 Cyber Security Survey found that in response to COVID-19, one in four Aussie organisations invested in increased cyber security education and awareness training for their staff.
“Educating people on recognising cyber threats is important in remote working environments because the staff are on the cyber front-line and will be targeted by hackers.”
Unfortunately, breaches do take place from time to time.
“Cyber practitioners know that we’re beginning to see a rise in attacks against real estate sectors not just in Australia but globally,” said Mitch.
“Whilst we provide end-to-end security services across all things cyber, we have a dedicated team to work solely on planning for and responding to cyber incidents.”
“A considerable risk we see continuing to increase is double-ransom attacks; where hackers break into systems, steal sensitive information, encrypt computer systems, and demand a ransom payment for the safe restoration of both – threatening to leak or sell stolen data on the dark web if payment isn’t made.”
“Cyber resilience and incident readiness is more important than ever, and requires a holistic approach across people, process and technology.”
The way we manage property has significantly changed from only a few years ago. We must prepare ourselves against cybercrime and protect ourselves and our stakeholders. Contacting professionals could be the first step to one of the best decisions for your agency.