Thieves, hackers and data security
Colin Tankard, MD at Digital Pathways, explains how to protect your company's information from thieves, hackers or (more likely) accidental disclosure.
Data security is crucial to all property firms, whatever the organisation. A recent report conducted by PricewaterhouseCoopers (PwC) revealed that 93 per cent of large companies with 500 or more staff had experienced a security breach in the last year, as had 87 per cent of businesses with fewer than 250 employees.
Whilst the number of large firms, including estate agencies, experiencing breaches remained constant over the previous year, the figure for small firms has risen since 2011, showing that smaller companies are increasingly being targeted for the sensitive information they produce and store.
VALUABLE INFORMATION
The threats that property businesses, like other organisations, now face are also ever more insidious, with criminals carefully staking out and targeting specific companies, often through social engineering attacks against particular individuals whom they have researched thoroughly beforehand.
“Every property company that transmits and stores sensitive information has an obligation to have adequate protection.” Colin Tankard, Digital Pathways

The property industry collects valuable information related to its clients. All of this information can be used for financial gain or to prepare devastating social engineering attacks, in which the data gleaned helps the attacker gain a foothold on the network, where they aim to lie in wait, undetected, to steal further valuable information, often over long periods of time.
Every property company – large or small, corporate or independent – that collects, transmits and stores sensitive information such as this has an obligation to put in place adequate protective measures. These must ensure that such information does not fall into the wrong hands and is not inappropriately accessed, guarding against the costly financial and reputational implications associated with security breaches.
EXTERNAL THREATS
There are many ways that an estate agency can boost its defences against attacks from external sources. A whole industry has been built up around anti-malware controls that prevent viruses and other types of malware (threats) from downloading onto the network their attachments, which are often designed to locate sensitive data and exfiltrate it from the organisation. Intrusion detection and prevention systems aim to stop hackers from gaining entry to networks, while devices such as firewalls look to control what traffic and applications can pass onto and be run on the network.
Many of these capabilities have been expanded recently from the ability to defend against known threats through to countermeasures to actively stop random threats that individually look safe but collectively could bring down a complete network.
For example, a document is received by an estate agent, who opens it without realising that it contains dangerous hidden links. When activated, these download a small programme that reviews the user’s address book, forwards the document to all of the user’s contacts and then monitors the user’s activity, sending information such as passwords back to the hacker. The user is unaware of the problem, especially as the email seems to have come from a trusted source.
Insider threats
According to research by the Ponemon Institute, 90 per cent of organisations surveyed report that it is certain, or highly likely, that organisations experienced loss of sensitive or confidential information over the past year because of poor internal controls.
In further research, it found that 47 per cent of breaches could be attributed to employee or contractor negligence, and a further 14 per cent to actions taken by malicious insiders. The information considered to be most at risk is that related to customers or consumers, followed by employee-related information.
The need to protect information against the insider threat is clear and this requires a combination of efforts, including user education and technology controls. Policies alone are insufficient for guarding against inappropriate access or use of sensitive information.
The problems include:
- Employees attaching unprotected documents to personal, web-based email accounts such as Gmail or Hotmail
- Transferring documents to USB drives
- Downloading documents to public drives such as iCloud to allow access by mobile devices
- Uploading documents to online file-sharing applications such as Dropbox without permission.
One of the best ways for ensuring that information is not accessed inappropriately is to deploy access controls, where authorisation to access certain resources (files or applications) is generally granted based on the user’s role in the organisation.
For example, only members of the letting division are able to view contracts of landlords.
Good access controls should start from a foundation of ‘good passwords’. However, we all know the challenge of remembering passwords, especially if they are complicated, for example, using letters and numbers. When this is brought into the business environment, trying to enforce good passwords on users invariably results in them writing the passwords down, which defeats the object.
There are a number of solutions that a property firm can use to overcome this, such as deploying tokens like those the banks issue, where a user can use the device plus a PIN to provide the password. The benefit of these devices is that the password is unique each time the user logs in and is complex, so it is almost impossible to crack.
One new technique is based on remembering a pattern to provide the password and the devices used to provide the authentication can range from specialist card readers through to free download applications for smartphones. Variations on all these techniques are available to meet any company’s needs or size.
Access systems are now available as cloud-based services, where users can access the resources they need through a browser interface, with all authorisations controlled by a single, centralised web-based management console through which all events are monitored and reported on to form an audit trail.
The advantage of these services is that they take away the need to manage complex security policies that often are not generally available in-house for many organisations. An emerging trend being seen is the provision of identity bridges that tie user identities and access rights to back-end company services and that can broker access to internal applications deployed in-house.
Such services are ideally suited to the property industry. Many property companies have numerous offices covering different geographical areas. Since the services are cloud-based, users in any office can access common services through just a browser interface on a range of computing devices, whilst the company’s access control policy, which might currently only be enforced at the head office due to technical resource, is enforced everywhere.
Additional data security tips
Richard Wilson, Technical Director, Dezrez, looks at how estate agents can improve their security.
Passwords: Ensure your password is at least six characters long, combining upper and lower case letters, as well as numbers, punctuation marks and symbols. Change your password every 90 days.
Use antivirus and firewall software: Virus protection software should update automatically.
User account administration: An account with administrator rights is not needed for daily tasks.
Use up-to-date software: Most successful attacks are due to known security loopholes in old software. Remember to run your Windows Updates!
Software application: Familiarise yourself with security settings for each software application you use.
Uninstall unused software: The critical security loopholes can lurk in old software on your system. If you no longer use it, remove it.
Save as you work: Always save your work as you go.
Email attachments: Always run any attachments and downloaded files through a virus scanner first.
Lock your PC: Never leave your PC unattended on the desktop or logged into your software.
Encryption
Many property companies are also multidisciplined in nature. This makes it desirable that encryption technologies (the art of scrambling data) be deployed in addition to access controls to create ‘Chinese walls’ between disciplines, so that users working in one discipline cannot access information stored by another, while senior management, or marketing, can still access all information to use it for strategic business drivers or activities such as email campaigns. The benefit of encrypting data is that it remains protected if it is lost or stolen, since without the key to unlock the information, it cannot be read.
Another useful data protection solution is that of classifying messages and documents according to their sensitivity, with encryption being automatically applied to those deemed to be at, or above, a certain level of sensitivity.
Such technologies can also be used to track the content of messages and documents, looking for sensitive information such as credit card numbers, client information or financial records, automatically applying security controls where violations of policy are encountered and stopping the information from leaking out, since a leak could breach the company’s regulatory obligations.
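The classification and content-tracking approach described in the two paragraphs above can be sketched as follows. This is an added example, not code from the article or from any product it refers to; the sensitivity labels, keyword rules, encryption threshold and the block-on-external-recipient policy are assumptions chosen for illustration.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

# Hypothetical labels, keyword rules and threshold (assumptions for this example).
LEVELS = ["public", "internal", "confidential"]
KEYWORDS = {"tenancy agreement": "internal", "bank details": "confidential"}
ENCRYPT_AT = "confidential"

def luhn_ok(digits):
    """Luhn checksum: filters out reference numbers that only look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return Luhn-valid candidates, masked so the scanner's own log leaks nothing."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits

def classify(text):
    """Highest sensitivity level triggered by keywords or card data."""
    rank = 0
    for phrase, level in KEYWORDS.items():
        if phrase in text.lower():
            rank = max(rank, LEVELS.index(level))
    if find_card_numbers(text):
        rank = LEVELS.index("confidential")
    return LEVELS[rank]

def outbound_action(text, external):
    """Policy decision for a message leaving a user's mailbox."""
    level = classify(text)
    if external and find_card_numbers(text):
        return level, "block"       # assumed policy: card data must not leave the firm
    if LEVELS.index(level) >= LEVELS.index(ENCRYPT_AT):
        return level, "encrypt"     # automatic encryption at or above the threshold
    return level, "allow"

# Constructed sample messages (4111... is a well-known test number, not a real card).
CARD_MSG = "Deposit paid on card 4111 1111 1111 1111 for the flat."
REF_MSG = "Invoice ref 1234 5678 9012 3456 attached with the tenancy agreement."
```

The checksum step is what keeps invoice and reference numbers from triggering the control, which matters because a filter that blocks too much legitimate mail tends to be switched off.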
Another technology that can be used to enforce digital rights is that of document marking, which places protective watermarks on documents that are visible both on a screen and when printed out. Such watermarks act not only as a deterrent to the copying of information, but can also be used to identify the original source of a printed document or to determine whether the text has in any way been altered, both of which can be essential for legal purposes.
Web application protection
Access to the web is seen as a major business tool for many agents, until it is used as the vehicle to leak out company information or as a way of downloading bad programmes into the company network that ultimately cost tens of thousands of pounds to clean up.
As a rule, unless a company has skilled in-house security experts, it is worth considering deploying an integrated email, web and endpoint security control device to manage the flow of information in and out of the company and stop bad programmes or content from ever reaching the internal network.
Such appliances, which can often be physical or virtual, provide a range of unified controls to aid organisations in keeping themselves secure from both inbound and outbound threats.
“The last thing you want is for your company to be shown to be negligent – in the press or within the industry.”
For instance, among the controls that they provide is web protection, which not only keeps the organisation safe from web-borne viruses or damaging applications, but which also allows it to control what web applications its users can access to stop them uploading sensitive files to online file sharing applications or accessing highly interactive applications such as social networking sites where users might place confidential or derogatory information.
It is also worth remembering that although these systems are designed to stop bad things happening with your sensitive data, they could also improve the performance of the network, as bandwidth is no longer taken up by members of staff accessing online social media sites instead of focusing on selling or letting properties!
The bottom line for every property firm
No property firm can afford to be complacent in the light of the growth in both the number and sophistication of the security threats that they now face, which could easily lead to sensitive information being leaked out. This in turn could potentially harm not only their financial situation, but could also lead to reputations being tarnished or the business facing lawsuits.
By implementing relatively simple controls, an estate agent will be much better placed not only to increase their overall security posture, considerably reducing the likelihood of security breaches occurring, but also to comply with regulations such as The Data Protection Act or the Financial Services Regulations that demand sensitive information be adequately secured.
As a director, partner, or senior manager within any organisation, not just property, the last thing you would want is for your company to be shown to be negligent in the press or within the industry, so surely, security of your digital assets should be extremely high on your list of things to do – and not be put off.












