After many years spent assessing information security practices in numerous industry organizations (tech companies, MLSs, associations, brokerages, franchises…) I have come up with a “top 5” list of issues. This isn’t meant to be a comprehensive list – and some less common items that I consider extremely urgent aren’t even mentioned – but it’s a starting point for understanding our industry challenge.
- Physical Security. Most of the publicized, embarrassing security breaches we’ve had in this industry have not had anything to do with computers, but rather with the physical security of the data. Employees and contractors need to understand not only the sensitivity of the data with which they have been entrusted, but also the real estate regulations and state laws regarding information retention and secure destruction. It’s critical for all people handling sensitive information to understand how to securely store, move, and discard sensitive information, whether on paper, on computers or phones, or in the hard drives of printers and fax machines. Our “geeks” can do everything right with regard to computer settings, but it’s for naught if we can’t get physical security right.
This is a quote from one of the many news stories I keep clippings of. The TV news story rather artistically gutted the reputation of a brokerage (the name of which I won’t repeat here, though it was prominently featured in the story):
“The paper trail stretched for blocks, billowing in the cold breeze on Columbus Avenue. It was not litter, but bits and pieces of people’s lives. There were copies of bank statements, 401k statements, credit reports, tax returns and more drivers’ licenses than we could count.”
- Technical Configuration. When it comes to security, the devil is in the details, and, yes, there are a lot of technical details that need to be right. Making sure best-practice configurations are in place for the many operating systems, platforms, and software packages we all use is very important. I can usually trust (and easily verify) that my fellow “geeks” have everything done right on the servers. The bigger challenge for our industry is all the employees’ and agents’ mobile computers (laptops, tablets, and phones) out there with sensitive information on them. Making sure that every one of those is kept updated and well configured, with appropriate screen locking, passwords, and encryption, is crucial to ensuring sensitive information doesn’t go astray.
- Policy & Contracts. I’ve mentioned “sensitive information” a few times, but people at many organizations I deal with don’t have a firm idea of what is sensitive, let alone what their company expects of them when protecting it. If organizations lack appropriate security policies to set information security expectations for employees, and appropriately detailed contracts (including technology contracts and data license agreements) to make those expectations clear to third parties and contractors, we’re not going to be very successful in our information security efforts.
I know a lot of companies that outsource much of their IT and software and think they therefore don’t have to deal with information security. That’s just incorrect! First, remember that “information security” is not limited to “IT security,” as should already be clear from this article. Second, outsourcing just shifts where you assess risk. With outsourcing, more of your risk assessment must focus on your choice of third parties, the security-related language in your contracts with them, and the compliance monitoring you perform, and somewhat less on your internal infrastructure. The amount of work you have to do to assure information security remains the same.
- Weak Authentication. Over half of the industry now uses “strong authentication” to improve login security – at least for MLS systems. And that’s a great start. But we have many other systems in use that contain sensitive information, especially document and transaction management systems. It’s my hope that the industry will eventually eliminate the weakly authenticated points of access to all of these systems. I think there will be a renewed focus by our industry on login security, especially as Single Sign-On adoption increases and an increasing amount of sensitive information sits behind a single set of login credentials.
- Lack of Process. Many businesses don’t have a process for assessing or addressing information security risks, and some don’t even have anyone formally accountable for those risks. Without accountability and process, information security doesn’t get done – certainly not to the extent it should. Some state laws (especially in Massachusetts and Oregon) are starting to make it more difficult for companies to duck these responsibilities. Oregon’s “Consumer Identity Theft Protection Act” specifically requires certain minimum administrative, technical and physical safeguards – including a process of risk assessment and testing key controls. It’s likely that other states will follow suit, but ideally it shouldn’t take new laws for business owners to act in their own self-interest and start proactively managing their company’s information security efforts.
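To make the Technical Configuration item above concrete, the script below is an added example (not code from the original post) that checks a device inventory against an assumed minimum baseline for mobile computers: storage encrypted, screen auto-lock within five minutes, a passcode of at least eight characters, and an OS update within the last 30 days. The thresholds, the `Device` record, and the inventory are assumptions constructed for illustration; in practice the same fields would come from an MDM or endpoint management tool, and the thresholds from your own policy.

```python
"""Check a mobile-device inventory against a minimum configuration baseline.

Added example, not code from the original post. The baseline values and the
inventory below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed baseline (illustrative thresholds, not figures from the post)
MAX_PATCH_AGE_DAYS = 30     # OS must have been updated within the last 30 days
MAX_LOCK_TIMEOUT_MIN = 5    # screen must auto-lock within 5 minutes
MIN_PASSCODE_LEN = 8        # passcode/PIN must be at least 8 characters


@dataclass(frozen=True)
class Device:
    name: str
    owner: str
    last_patched: date
    disk_encrypted: bool
    lock_timeout_min: Optional[int]  # None means auto-lock is switched off
    passcode_len: int                # 0 means no passcode is set
    holds_sensitive_data: bool       # e.g. client documents or transaction files


def check_device(device: Device, today: date) -> List[str]:
    """Return the baseline violations for one device (empty list if compliant)."""
    findings: List[str] = []
    if not device.disk_encrypted:
        findings.append("storage is not encrypted")
    patch_age = (today - device.last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"last update {patch_age} days ago (limit {MAX_PATCH_AGE_DAYS})")
    if device.lock_timeout_min is None:
        findings.append("auto-lock is disabled")
    elif device.lock_timeout_min > MAX_LOCK_TIMEOUT_MIN:
        findings.append(f"auto-lock after {device.lock_timeout_min} min (limit {MAX_LOCK_TIMEOUT_MIN})")
    if device.passcode_len == 0:
        findings.append("no passcode set")
    elif device.passcode_len < MIN_PASSCODE_LEN:
        findings.append(f"passcode length {device.passcode_len} (minimum {MIN_PASSCODE_LEN})")
    return findings


def assess_fleet(devices: List[Device], today: date) -> Dict[str, Dict[str, object]]:
    """Map each non-compliant device to its owner, findings and a severity.

    A failing device that holds sensitive data is rated 'high'; any other
    failing device is 'medium'. Compliant devices are omitted from the report.
    """
    report: Dict[str, Dict[str, object]] = {}
    for device in devices:
        findings = check_device(device, today)
        if findings:
            report[device.name] = {
                "owner": device.owner,
                "severity": "high" if device.holds_sensitive_data else "medium",
                "findings": findings,
            }
    return report


# Constructed inventory for illustration (not real devices or people)
TODAY = date(2015, 1, 15)
INVENTORY = [
    Device("laptop-01", "agent-a", date(2015, 1, 10), True, 5, 12, True),     # compliant
    Device("tablet-02", "agent-b", date(2014, 10, 1), False, None, 4, True),  # fails every check
    Device("phone-03", "staff-c", date(2015, 1, 1), True, 15, 6, False),      # slow lock, short passcode
]

if __name__ == "__main__":
    for name, entry in assess_fleet(INVENTORY, TODAY).items():
        print(f"{name} ({entry['owner']}) [{entry['severity']}]")
        for finding in entry["findings"]:
            print(f"  - {finding}")
```

The point of ranking by whether a device holds sensitive data is triage: an unencrypted tablet full of client documents needs attention before a staff phone with a slow lock timer, even though both fail the baseline.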
This article is just the tip of a pretty huge iceberg. There’s a lot of expertise needed to improve our practices, and I’m thankful to be the person our industry looks to for help. But I can only properly help when called upon to do so. So, putting it bluntly, if you are in charge of anything larger than a very small brokerage and you don’t have a handle on your organization’s security posture – if you haven’t had a security audit in a few years or have made major changes in that time – or you do not have a plan with regular, visible milestones designed to improve your security posture after an assessment, you should be calling me (or someone) and planning your next security assessment and follow-ups in 2015. I already have several calendared in Q1 and my schedule does fill up, so if you want to get started soon, reach out to me now!
Matt Cohen – 612-3747-5976 – firstname.lastname@example.org