As professionals involved in what is often the biggest single purchase that people make, estate agents have a responsibility to their clients and to the buyers to make sure that everyone’s personal information is as safe as possible.
Similarly, letting agencies deal with highly sensitive information, sometimes for inexperienced clients such as students. In both cases, a cyber security attack can lead to a breach of this sensitive information. It can also cause financial losses, or even cause the chain of house-movers to freeze, as people are unable to complete their transactions.
Cyber security threats in the property industry
The biggest cyber security threats are likely to be the same as for every other business, such as:
- Phishing – a fraudulent message intended to trick the recipient into revealing sensitive information
- Ransomware – malware that blocks access to data unless a ransom is paid
- Insider threats – people inside the business who may cause security problems by accident, or who may use the inside information they have for malicious purposes.
However, there are some factors that mean cyber criminals may be particularly interested in your property business. For example:
- Whether you are acting as an agent in the sales or in the lettings market, your business is dealing with personal data, including bank details and personally identifiable information
- Some of the financial transactions are very large, and happen frequently
- As in other public-facing businesses, there tends to be a high turnover of staff
- Some of the smaller estate agencies may not have the budget for significant cyber security investment or for cyber security training.
As you’ll no doubt be aware, there have recently been a number of high-profile cyber-attacks and fraud incidents targeting the property market, in both sales and lettings. These have resulted in significant problems for people trying to move home.
What can you do to reduce the risk?
- Develop an information security policy and clearly defined processes to support it. Then make sure everyone in your company understands it.
- Implement the standard security recommendations for all businesses, such as:
  - A strong password regime
  - Regular data backups
  - Securing your network
  - Keeping software up to date
- Provide regular training sessions to all staff, including part time or temporary staff, on cyber security and how to stay safe online.
- Use a secure system to collect client details and encrypt files.
- Advise clients clearly about what you will and won’t communicate to them by phone or email, such as:
  - Any change of your bank details
  - Any request for payment by any means other than a bank transfer
- Advise clients clearly about the procedure you will expect them to go through, and the order of events. This will help ensure they don’t fall foul of ‘pay to play’ scams.
- Tell clients about your cyber security measures, so that they know, for instance, not to trust an email that allegedly comes from you, but is actually from an unexpected email address.
- Advise your staff never to make a payment to a new bank account without verbal confirmation that the account details are genuine.
- Limit the number of staff who have access to sensitive information.
- When the relationship with a client is over, dispose of their information securely. This can be done by shredding any paper documents and securely deleting any electronic files that no longer need to be kept.
Do you need help with getting cyber security in place? Click and Protect can help you establish cyber security policies and procedures, or help with Cyber Essentials certification. Call us on 0113 733 6250 or send us an email.