There have been numerous cyber attacks in the news recently, including Sony’s embarrassing breach. But despite this high profile attack, two thirds of all cyber attacks are on small and medium-sized companies.
Roy Murphy, Systems Architect at Jupix says that the potential for DDoS – Distributed Denial of Service – attacks, as suffered by RBS, hacking and data scraping is more prevalent than ever. “There are various methods of ‘script injection’ and brute force hacking that every data provider should understand in order to plan an effective, pro-active defence,” he says. “We have a specialised team of experts in database architecture, network security and computer forensics.”
It isn’t only giants like RBS that are under attack – Diarmid Sloan at Rentpro says that, “Widened data access brings opportunities for agents to increase involvement with landlords, vendors, tenants and prospects, but with it comes greater responsibility for agents and service providers.”
Foxtons is a high profile agency but not a super-huge company and yet, apparently, it suffered a major data security breach last summer, when the names, email addresses and passwords of nearly 10,000 of its users were leaked online. The information belonged to people who had registered their details with the firm’s online property search portal, MyFoxtons.
Foxtons confirmed that it was “running checks to determine (the data’s) veracity”, before assuring users that no credit card information had been compromised. “Immediate action… has been taken to safeguard your account and an investigation will continue,” their advisory letter stated.
At the time, Ross Parsell, Director of cyber security at the infosecurity experts, Thales UK, said, “The recent spate of high-profile data breaches, such as this alleged attack on Foxtons, are evidence that organisations are either not taking cyber security seriously or are bewildered by the problem.”
Peter Grant at VTUK quoted a new report, the 2013 Cost of Data Breach Study, by the internet security firm Symantec and the Ponemon Institute, which found that the average cost of a data breach for a UK organisation has risen to over £2 million, up from £1.75 million the previous year, with human error responsible for most cases.
THE WEAKEST LINK
Negligence is the most common cause of data loss, as employees either lose devices containing confidential information or fail to secure data in the first place.
However, says the report, malicious attacks are the most costly form of data breach, with criminal attacks as a cause of data loss rising to become the key factor in 34 per cent of cases.
The Cost of Data Breach Study claims that data breaches cause individuals to take their custom elsewhere; organisations most affected by data breaches include those in the financial, pharmaceuticals and communications industries.
The cost is not just directly financial: victims of a data breach also suffer damage to reputation and brand value, possible lawsuits, and lost time and productivity while the issues are resolved.
According to Symantec, the best way to prevent a data breach is to train employees to be more careful with data and more aware of the risks associated with losing it.
“With more than a third of UK data breaches involving negligent employees or contractors, the ‘human’ is still the weakest link, so training and awareness should be a priority from the outset,” said Mike Smart, product and solutions manager at Symantec, who also warned against the rise in criminal attacks.
“But in the UK it seems that malicious attacks are becoming nearly as big a problem. More data breaches have been down to malicious attacks, but when it does happen, it’s far more costly.”
ARE AGENTS AT RISK?
Foxtons were undoubtedly targeted because of their high press profile, but are UK estate and letting agents really under a cyber threat?
Mark Goddard, at Vebra, says that cybercrime can occur in any market and any size of business: “The majority of agents robustly monitor systems, but there are of course times when these can be manipulated. We recommend that agents work alongside a credible IT company to ensure that data security is at the forefront and consider areas such as physical security, access controls, patching and penetration testing.”
Peter Grant at VTUK says, “When you consider that data is the whole value of a business in property management and a large part of any sales operation, it represents a winning lottery ticket worth millions – why anyone would allow someone else to ‘look after’ this is beyond me. Apart from lack of control, data is under attack in three ways: external attack (including data hostage situations), internal attack, and corruption. We see this every week and the greatest threat by far is internal.”
THE ‘INSIDE JOB’
Glynn Trott, at LetMC, believes that the main issues tend to be around landlord lists being sold to competitors. “Risks can come from disgruntled staff members who can easily export data in a PDF or Excel report. The biggest risk we have come across is from staff members having login to deposit scheme websites, with most of the deposit schemes allowing access to download the agent’s entire client lists from home. I would keep any deposit scheme login and password information tightly guarded and change the password on a monthly basis.”
Nobody is exempt from this threat, says Peter Grant, VTUK, “Our clients have, in varying degrees, placed procedure in place to avert the threat; however, sometimes this happens after the metaphorical horse has bolted. With correct preparation and process we can make our clients bulletproof and we have conducted some notable ‘resuscitations.’ One Boxing Day our Ops Director took a call on his mobile to be told by a client in Salisbury that their server had inadvertently become a Christmas gift – it had been stolen. We had them back up and running over a four branch network by the 27th.”
WHAT ELSE CAN BE DONE?
Firstly, says Peter Grant, “We ensure that our clients ‘own’ their data and cannot be held at gunpoint over its possession; then to avert internal attack, by far the most common threat, we employ data monitoring services, protecting the data and monitoring manipulation.
“External attack cannot be 100 per cent defended so we have fully tested restorable backups that are accessed at a second’s notice and this is repeated as a defence against corruption. Also, the latest Microsoft SQL database is superbly robust.”
Roy Murphy at Jupix says that they develop all of their applications against the very latest system architectures, application frameworks and security protocols. “The foundations of security have to be systemic before you start building any application. This is our security philosophy. All passwords are encrypted by our own secret variation of the SHA-256-B algorithm, which locks down private information such as usernames and passwords. We have double firewalls both in front and behind all application nodes in the cloud.”
LetMC supplies lettings software but it also has its own agency, Pinnacle Letting Agents, which has experienced issues with data security. “A few years ago a competitor approached a temporary staff member and offered £3000 for our landlord list. It made us teach and test our staff on data security and identity fraud. We ran a simple test of pretending to be a landlord using a fake email, requesting a change of bank details for the rent to be paid into. More elaborate tests included sending fake Inland Revenue letters with a stamped addressed envelope requesting a section 19 report, asking for a list of all landlords and properties. Our accounts team spotted these tests.”
Mark Goddard at Vebra says that data loss is usually a result of having little or no data security systems in place, untested back-up regimes or inadequate access controls. “We encourage our customers to revisit these and ensure that critical data is reliably backed up to a trusted off-site location, as this will help if their equipment is damaged by fire or theft. All our software requires login credentials to ensure only authorised employees have access to the data and Vebra Alto now provides two-step SMS authentication to control access on new devices – even if you know the password!”
CLOUDS AND SILVER LININGS
Cloud-based software seems to be the current recommendation from most leading software suppliers. Mark Goddard says, “Reputable cloud companies have high security systems in place to safeguard data and have invested millions of pounds to deliver protection from the ground up.” And Glynn Trott agrees, “Being cloud software since 2004, we recognised the importance of security with software that is accessible anywhere. We don’t use email addresses as logins as it is too simple to work out, and our clients are forced to change their passwords every 30 days. Log in on your iPad and you are automatically logged out of the PC you were using. Some of our clients have locked down access to our software to certain locations (IP addresses), which is a simple setting within LetMC.com.”
To avoid a visit from the cybermen, ask your IT supplier if you are as protected as possible and be vigilant with staff, your clients and links to other organisations.