Every year there are information security breaches that have a real cost to real estate professionals both in terms of their reputation and wallet. One incident cost a west coast broker over one and a half million dollars. So, it’s important that brokers understand at least some of the essentials of information security which follow:
- Use the “Top Ten Tips for Real Estate Agents” article. The tips in that article will work for you too, and a lot of the tips apply to the office. Also, consider distributing that article to your agents.

As a business owner there are some additional essentials you need to concern yourself with:
- Create a Written Information Security Program. Create a document formalizing the steps you are taking as a business to combat information security risks. The plan should identify who is responsible for the program, identify reasonably foreseeable risks, develop policies for the location and both physical and electronic security of records, prevent terminated employees from accessing sensitive information, contract for security with vendors and verify compliance, limit collection of information to only that which is needed, monitor program compliance and provide for measures to be taken against program violators. Further, there should be documentation of compliance monitoring and annual review. Breaches and responses must also be documented. Following is an example provided by the state of Massachusetts: http://tinyurl.com/csq6vxg (Acrobat / PDF).
- Establish policies and procedures. Policies define what behavior regarding the protection of sensitive information is expected and what behavior is not allowed. They eliminate the “ignorance” excuse (“I didn’t know that I had to shred files before getting rid of them!”) and make negligence well defined. Non-technical policies might include acceptable use, sensitive information, password, antivirus, Bring Your Own Device (BYOD) and clean desk policies. Technical policies (for technical employees) may include policies for secure computer, mobile device, firewall, and wireless configuration and management, secure software development, log and backup handling, account management, and more. Policies should be reflected in contractual requirements for contractors. Many draft policies are available here: http://tinyurl.com/d2hta7y. Policy management must include at least employee and contractor education, monitoring, enforcement and regular re-evaluation and revision.
- Set up a secure office network. The office should have a firewall, configured to only allow essential incoming and outgoing network traffic and to protect internal computers from those of visiting agents – and all of those from portable computers brought in by clients. Ideally the firewall should also allow for secure remote network access for key staff, include an intrusion prevention system, and provide web filtering to help prevent visits to malicious websites. If wireless networking is provided, the access point should have a strong administrator password and use WPA2 encryption.
- Have a security audit performed. The only way to know if all reasonable steps are being taken is to have a professional security audit performed. Ideally third parties you work with (web site creators and hosts, document and transaction management system providers, statistics providers, broker back office system providers, etc.) have their own audits performed regularly at their own expense, and if they don’t this is something to consider adding to your contracts. This is a service that Clareity Consulting (http://clareity.com) provides, specializing in real estate information security.
- Prepare for an incident. No matter what steps you take, it’s possible that an information security incident will occur. Be prepared with the appropriate law enforcement, financial institution, and local computer forensics expert phone numbers, and consider the messaging your company will use if an incident occurs. A sample is included in this document: http://tinyurl.com/br4wo7o at the end of the “Plan Ahead” section. Keep all this information somewhere printed out – you may not be able to access it on your computer when you need it!
If you want to learn more about information security, please visit The Real Estate Information Security Center: http://clareity.com/security/
About the author: Matt Cohen is Clareity Consulting’s Chief Technologist and leads its security assessment practice. Matt has spoken at many conferences, workshops, and leadership retreats around the country on security-related topics, and is a well-regarded real estate industry expert on real estate technology and information security. Clareity Consulting (clareity.com) was founded in 1996 to provide management and information technology consulting to the real estate industry.