October is cyber security month and everyone operating real estate systems needs to be vigilant to reduce the likelihood of getting hacked. This post was inspired by an article in the recent CoreLogic RESMagazine by Matt Cohen about Security Auditing vs. Penetration Testing.
Ransomware is software code that criminals use to break into your network, find critical information, and lock or encrypt that information so you cannot access it without the encryption key. The criminals make you pay them, typically in some form of crypto-currency, to regain access to the locked data. Sometimes they go even further by demanding that you pay extra not to have your data published on the dark web, where other criminals can access it for harmful purposes.
How hackers hack
For the most part, hackers use methods that fool people into giving them access to systems. Knowing the popular methods that hackers use to do this is a helpful way to avoid being compromised.
Email and text phishing –
This hacking method has been around for a long time. The hacker disguises the sender's email address or text message to make it look familiar. The email you get might appear to come from a co-worker who asks you to click a link or download an attachment that contains the malware. You might see a text message from Netflix telling you that your subscription requires renewal and to “click here to update your card on file.” Sometimes, hackers also use this method to gain access to your email account and send out emails from your address to spread the infection.
Remote Desktop Protocol (RDP) –
Have you ever needed to grant access to your computer for technical support? This functionality, which enables you to get remote support, also creates a backdoor for hackers to gain access to your computer. Usually, they will try to hack your computer’s username and password, either through trial and error or by purchasing usernames and passwords that are published about you on the dark web. Experian offers a free dark web scan if you want to understand what information about you is on the dark web; chances are there is much more out there than you might expect.
Software vulnerabilities –
Software is often the culprit in allowing hackers to gain access to your information. The developer of software that you use might have vulnerabilities in their code that allow hackers to access your information through the software that you install. Remember the ‘Zoom Bombing’ that happened frequently during the early days of the pandemic? Don’t worry, most of the Zoom vulnerabilities were fixed in the spring of 2020. But in the early days of Zoom, this was a concern. Be careful when you install new software.
Online surfing –
Sometimes simply clicking a digital ad or visiting a web site that’s embedded with malware can infect your system.
Your company should have a comprehensive ransomware prevention and recovery strategy, as well as a periodic audit to make sure that you are following best practices.
Data backups –
Regularly backing up your data will allow you to restore from a backup if you are hacked. Your best bet is to physically store your backups offline and test your backup from time to time. Some security experts refer to the 3-2-1 strategy: have 3 copies of your data, on 2 different mediums (one hard drive, one USB), and store at least 1 copy off site (Google Cloud, Amazon, etc.).
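The 3-2-1 rule, the offline copy and the periodic restore test described above can be checked against a written backup inventory. The following is an added example, not part of the original post; the copy names, dates and the 90-day restore-test threshold are assumptions made for illustration.

```python
from datetime import date

# Constructed sample inventory (hypothetical names and dates, not from the post).
INVENTORY = [
    {"name": "file-server", "medium": "hard drive", "primary": True,
     "offsite": False, "offline": False, "last_restore_test": None},
    {"name": "usb-weekly", "medium": "usb", "primary": False,
     "offsite": False, "offline": True, "last_restore_test": date(2024, 9, 1)},
    {"name": "cloud-nightly", "medium": "cloud", "primary": False,
     "offsite": True, "offline": False, "last_restore_test": date(2024, 3, 15)},
]

MAX_TEST_AGE_DAYS = 90  # assumed policy; the post only says "from time to time"


def audit_backups(copies, today):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    media = {c["medium"] for c in copies}
    if len(media) < 2:
        findings.append(f"only {len(media)} storage medium, need 2")
    if not any(c["offsite"] for c in copies):
        findings.append("no off-site copy")
    # Ransomware encrypts whatever it can reach, so one copy must be disconnected.
    if not any(c["offline"] for c in copies):
        findings.append("no offline copy")
    # A backup that has never been restored is unproven; the live copy is exempt.
    for c in copies:
        if c["primary"]:
            continue
        tested = c["last_restore_test"]
        if tested is None:
            findings.append(f"{c['name']}: restore never tested")
        elif (today - tested).days > MAX_TEST_AGE_DAYS:
            age = (today - tested).days
            findings.append(f"{c['name']}: restore test is {age} days old")
    return findings


if __name__ == "__main__":
    results = audit_backups(INVENTORY, date(2024, 10, 1))
    for line in results or ["3-2-1 check passed"]:
        print(line)
```

With the sample inventory the three counts pass, but the cloud copy is flagged because its last restore test is older than the assumed threshold.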
As mentioned above, most hacks are a result of user error, like falling for a scam that allows hackers access to information. The best way to close this security vulnerability is through regular training, including simulated hacking such as email phishing simulations.
Apply security patches –
Companies are constantly updating their software to apply security patches that harden your network against common attacks. The failure to apply these updates will often leave you vulnerable to hacking.
Use a reputable anti-virus product –
An anti-virus product can conduct frequent security scans and check for malware. It can often clean up any infection that you may already have.
Develop a disaster response plan –
What would you do if you were hacked today? Often, these situations can cause chaos in your organization. Imagine trying to operate today if you were locked out of every computer, companywide. Be proactive: have an incident response plan, know your insurance coverage, and know who will notify your employees and customers, and how. Do you have a recovery support specialist on speed-dial?
Use good account and network passwords –
Prevention is the key to handling ransomware attacks. I am sure that there are some of you who are using passwords like “Passw0rd!” Change your passwords to use the ‘suggested strong passwords’. With important passwords, consider using two-factor authentication to minimize the threat. A well-designed password system will keep your information safe.
If you are a mid-size or larger Association or MLS, then you may want to consider a security audit from someone who has deep knowledge of real estate industry information security. Matt Cohen, Principal, Advisory Services with CoreLogic Real Estate Solutions is someone you can reach out to for more information.