When Clareity Consulting is engaged to perform a security assessment, the very first step is to check whether an organization’s website has obvious vulnerabilities. The easiest part of that assessment is determining whether the website runs on a web server or web application platform with known vulnerabilities, a problem that is typically solved simply by upgrading to the latest version, including the latest security patches. Since insecure web server software can lead to the compromise of both the website owner’s and its visitors’ information and computers, this is an important test. Often these websites include a login, and one must recognize that the usernames and passwords used for these services may be the same ones visitors use for banking, e-commerce, and other sensitive sites. If the website is found to be vulnerable, it is a sure sign that the organization does not have a rigorous process of risk identification, risk remediation, and monitoring in place. It is also likely a sign that company policies and procedures, and/or the method of monitoring policy compliance, have not been implemented.
Clareity Consulting regularly benchmarks patch levels across various parts of the industry – for brokers, MLSs, and associations. The result in 2017 was somewhat better than it has been in years past, but nowhere near as good as it should be:
Across all three segments – MLSs, associations, and brokerages – over 26% were found to be running on vulnerable web servers and web application platforms! 39% were confirmed secure, and the remaining 35% did not report the platform version back to the web browser for analysis, so an unknown portion of this group may be vulnerable. This measure was taken for the top 50 MLSs and associations by size and the top 50 brokers by transaction volume – the largest organizations, which should have had the personnel, resources, and knowledge needed to manage security. It is likely that overall industry practices are worse than those of the evaluated segment.
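The three benchmark buckets above depend on what a web server volunteers in its response headers. The following is an added example, not Clareity’s own tooling: it parses the `Server` and `X-Powered-By` headers of captured responses, sorts each site into the same vulnerable / secure / unknown buckets against a patched-version baseline, and aggregates the percentages. The baseline versions and the sample responses are constructed placeholders, not real patch levels or real sites.

```python
import re
from typing import Dict, List, Tuple

# CONSTRUCTED baseline: the minimum version you consider fully patched for
# each product. These numbers are placeholders for illustration only.
BASELINE: Dict[str, Tuple[int, ...]] = {
    "apache": (2, 4, 99),
    "nginx": (1, 99, 0),
    "php": (7, 99, 0),
}

# Matches tokens such as "Apache/2.4.6", "nginx/1.10.3" or "PHP/5.6.40".
PRODUCT_RE = re.compile(r"(?P<name>[A-Za-z][\w.-]*)/(?P<ver>\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.4.6' -> (2, 4, 6); tuples compare correctly even at unequal lengths."""
    return tuple(int(part) for part in text.split("."))


def disclosed_components(headers: Dict[str, str]) -> List[Tuple[str, Tuple[int, ...]]]:
    """Return the (product, version) pairs a server reports in its headers."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    found = []
    for name in ("server", "x-powered-by"):
        for m in PRODUCT_RE.finditer(lowered.get(name, "")):
            found.append((m.group("name").lower(), parse_version(m.group("ver"))))
    return found


def classify(headers: Dict[str, str], baseline: Dict[str, Tuple[int, ...]] = BASELINE) -> str:
    """'vulnerable' if any known component is below baseline, 'secure' if all known
    components meet it, 'unknown' if no usable version was disclosed."""
    known = [(n, v) for n, v in disclosed_components(headers) if n in baseline]
    if not known:
        return "unknown"
    return "vulnerable" if any(v < baseline[n] for n, v in known) else "secure"


def benchmark(responses: List[Dict[str, str]]) -> Dict[str, int]:
    """Percentage of responses in each bucket, rounded to whole numbers."""
    counts = {"vulnerable": 0, "secure": 0, "unknown": 0}
    for headers in responses:
        counts[classify(headers)] += 1
    return {k: round(100 * v / len(responses)) for k, v in counts.items()}


# CONSTRUCTED sample responses standing in for a set of benchmarked sites.
SAMPLE_RESPONSES = [
    {"Server": "Apache/2.4.6 (CentOS)", "X-Powered-By": "PHP/5.6.40"},  # below baseline
    {"Server": "nginx"},                                                 # product only
    {"Server": "cloudflare"},                                            # no known product
    {"Server": "nginx/1.99.5"},                                          # meets baseline
]
```

Running `benchmark(SAMPLE_RESPONSES)` on the constructed set yields 25% vulnerable, 25% secure and 50% unknown; pointing `disclosed_components` at your own site’s headers shows exactly what version information it hands to every visitor.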
It is important to note that there is a lot more to measure to assess overall organizational information security, including:
- security policies and procedures
- third-party contractual relationships
- physical security
- personnel practices
- web application and “app” security
- platform security (e.g. WordPress, Joomla)
- server and workstation configuration
- installed software management
- secure authentication and account management
- domain name management
- anti-virus practices
- network device configuration (firewall, router, switch, wireless)
- remote administration practices
- compliance with relevant standards (SSAE 16, PCI DSS, etc.)
- backups and incident response
These aspects of security and others as applicable are normally evaluated as a part of Clareity Consulting’s security audit service.
Why aren’t more organizations assessing, monitoring, and addressing security issues – even basics like the web server patching benchmarked here? In Clareity’s experience, sometimes leadership thinks that IT staff or a vendor is already taking care of it, and does not understand management’s responsibility with regard to information security. Sometimes IT staff “doesn’t know what it doesn’t know” – they are not specialists in security, but hope or believe it is under control. Sometimes IT staff know there are problems – at least some of them – but do not have time, or think that the time to fix them will soon come. Finally, there are those in IT who would love to convince their bosses to allocate resources to information security – but they know that will never happen until it is too late and there has been an incident. The important takeaway is that information security is an organizational issue – a business issue – and needs to be driven, top-down, by the business owner with the participation of his or her entire organization.
The information security challenge faced by the brokerage community, especially working to improve the security practices of their independent contractors, is weighty. By shining a light on industry information security practices, Clareity hopes that more business leaders will take charge of their organizational information security program to reduce their own company’s risks and liabilities and drive the industry toward further improved benchmarks.
For many useful resources for improving real estate industry information security practices, please visit The Real Estate Information Security Center at https://clareity.com/security/. This repository includes a copy of Reducing the Risk of Real Estate Wire Fraud, a document that has been updated regularly as the threat continues to evolve.