According to Clareity Consulting’s benchmark, real estate brokerage information security practices improved only slightly in 2015. Of the top 50 brokers by transaction volume, use of known insecure web server platforms decreased from 48% in 2014 to 44% in 2015. While this is an improvement, the benchmark demonstrates that the industry still has more to do to improve its security practices.
To make this determination, Clareity visited the websites of these brokers, and noted the version information the web servers volunteered. 40% self-reported secure server software and 44% self-reported insecure server software. In 16% of cases, the web server either did not report or concealed its version; whether or not the server platform was secure is not known. Note that this measure was taken for larger brokerages that should have had the personnel, resources, and knowledge needed to manage security, and overall industry practices are therefore likely not as good as in the evaluated segment.
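The three-way split described above (self-reported secure, self-reported insecure, not reported or concealed) can be reproduced for an organization's own sites from the `Server` response header. This is an added example, not Clareity's tooling; the header samples and the `MIN_PATCHED` baseline are constructed placeholders, not a real vulnerability reference.

```python
import re
from collections import Counter

# Constructed placeholder baseline (assumption): lowest version the site owner
# still treats as patched. Replace with values taken from vendor advisories.
MIN_PATCHED = {
    "apache": (2, 4, 0),
    "nginx": (1, 20, 0),
    "microsoft-iis": (10, 0),
}

# Product token, optionally followed by "/<dotted version>".
BANNER = re.compile(r"^\s*([A-Za-z][\w\-]*)(?:/(\d+(?:\.\d+)*))?")

def _pad(version, width):
    """Right-pad a version tuple with zeros so tuples compare field by field."""
    return version + (0,) * (width - len(version))

def classify(server_header):
    """Return 'secure', 'insecure' or 'unknown' for one Server header value."""
    if not server_header:
        return "unknown"                 # header absent: nothing reported
    m = BANNER.match(server_header)
    if not m or m.group(2) is None:
        return "unknown"                 # product name only: version concealed
    baseline = MIN_PATCHED.get(m.group(1).lower())
    if baseline is None:
        return "unknown"                 # no baseline to judge this product
    version = tuple(int(p) for p in m.group(2).split("."))
    width = max(len(version), len(baseline))
    ok = _pad(version, width) >= _pad(baseline, width)
    return "secure" if ok else "insecure"

def tally(headers):
    """Percentage of headers in each bucket, as in the benchmark summary."""
    counts = Counter(classify(h) for h in headers)
    return {k: round(100 * counts[k] / len(headers))
            for k in ("secure", "insecure", "unknown")}

# Constructed sample of Server header values (None = header not sent).
SAMPLE = [
    "Apache/2.2.15 (CentOS)", "Apache/2.4.54 (Unix)", "Apache",
    "nginx/1.24.0", "nginx/1.18.0", "nginx",
    "Microsoft-IIS/7.5", "Microsoft-IIS/10.0", "cloudfront", None,
]

if __name__ == "__main__":
    print(tally(SAMPLE))
```

A banner is only what the server chooses to report: distribution packages often carry backported fixes under an unchanged version string, so an "insecure" result is a prompt to verify the actual patch level rather than a finding in itself.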
Since insecure web server software can lead to compromise of both website owners’ and visitors’ information and computers, this is an important benchmark to take, and Clareity takes this measure for the other parts of the industry, including MLSs and associations. One must recognize that the login credentials used for these services may be the same as visitors use for banking, e-commerce, and other sites. However, it is important to note that there is a lot more to measure to assess overall organizational information security, including:
- security policies and procedures
- third-party contractual relationships
- physical security
- personnel practices
- web application and “app” security (including anti-scraping technology)
- platform security (e.g. WordPress, Joomla)
- server and workstation configuration
- installed software management
- secure authentication and account management
- domain name management
- anti-virus practices
- wired and wireless network configuration
- remote administration practices
- compliance with relevant standards (SSAE 16, PCI DSS, etc.)
- backups and incident response
These aspects of security are normally evaluated as a part of Clareity Consulting’s security audit service and cannot be provided as a part of this benchmark.
Why aren’t more brokerages assessing, monitoring, and addressing security issues – even basics like web server patching as benchmarked? In Clareity’s experience, sometimes brokers think that IT staff is taking care of it already – though information security requires more than just IT’s attention. Sometimes IT staff doesn’t know what it doesn’t know – they’re not specialists in security but believe it’s under control. Sometimes IT staff knows there are problems – at least some of them – but always thinks that the time to fix them will soon come. Finally, there are those in IT who would love to convince their bosses to allocate resources to information security – but they know that will probably not happen until it’s too late and there has been an incident. The important takeaway from this is that information security is an organizational issue – a business issue – and needs to be driven, top-down, by the business owner with the participation of his or her entire organization.
The information security challenge faced by the brokerage community, especially working to improve the security practices of their independent contractors, is weighty. By shining a light on industry information security practices, Clareity hopes that more business leaders will take charge of their organizational information security program and drive the industry toward further improved benchmarks and reduced risk.
For many useful resources for improving real estate industry information security practices, please visit The Real Estate Information Security Center at https://clareity.com/security/