Real estate services firms—whether a one-person appraisal office or a mammoth provider of property data—are vulnerable to criminal hackers seeking real estate property information. Recently, LandMark White Limited had to announce that it had been the victim of a hack that exposed immeasurable amounts of personal contact information and property valuation data. Research firm CoreLogic Credco, a partner of LandMark, also had a great deal of consumer credit information exposed in 2017.
These invasions often appear to result from poor cybersecurity systems, overconfidence in whatever safeguards the company has in place, or ignorance of potential threats. However, recent innovations from several developers seem to have changed the game in favor of the “good guys.”
The importance of cybersecurity
According to several companies recently contacted by McKissock, it’s not hard for appraisers to up their security game. The challenge lies in putting the time and effort into identifying vulnerabilities—and figuring out how to eliminate them.
“There’s no way, in this day and age, that a company should have a sequel injection [a weakness in a computer application that leaves the database open to invasion], given the data they’re handling,” says Dr. Teresa Piliouras, CEO of Technical Consulting & Research, Inc., a software security services firm. “Sequel injections are easy to test for. If you have an input form on a webpage, and the data are stored in a sequel database, a bad actor can put in a sequel code that hijacks the operation of the normal query, pulls out data, and dumps the whole content. It’s unconscionable for a big company to have that kind of problem; there are all kinds of countermeasures.”
Piliouras advises appraisers and other real estate professionals not to get overconfident in their level of cybersecurity. Years ago, she notes, it was harder to invade an individual appraiser’s database, since “how to” information was limited. Nowadays, hacking techniques are easy to find on the Web, and applicable to most appraisers’ systems.
“An appraiser could easily have data destroyed or held for ransom,” she warns, “and that could devastate your company’s reputation. A successful hack could destroy your ability to collect money, and the physical security of your operation. It could put you out of business, and small companies are especially vulnerable. ‘Phishing’ emails and malware can lock up your computer and make you pay to get unlocked, but once you’ve done that, the bad actor can still watch whom you’re corresponding with and instruct those people to send their payments to the hacker instead of to you. Several companies have been cleaned out that way.”
How to up your cybersecurity game
Piliouras urges appraisers to engage a qualified professional to perform a risk assessment, identify the security gaps, and take countermeasures.
“If you don’t have your own IT team, you need to hire one,” she says. “If you take a shortcut, I promise you’ll be hacked. You have to make the investment up front: before you’re hacked. Our company specializes in cost-effective solutions for smaller clients’ security issues.
“You should also buy cyber liability insurance. At the outset, it’s inexpensive; it’s the best buy you can have. But only for the first time. Once you’re hacked, you’ll pay through the nose for insurance.”
Why appraisers face higher risks
Daniel Eliot, director of small business at National Cyber Security Alliance (NSCA), explains that real estate appraisers face disproportionately high risks, due to the volume of sensitive information that they handle. Their clients inevitably share the appraiser’s risks.
“Cybercriminals know how much data appraisers have, and hope to exploit that in any way they can,” he says. “We often think of sensitive data in the form of personally identifiable information (social security numbers, bank account numbers, etc.), but appraisers are unique in that they also hold information such as property photos, floor plan schematics, property access codes, etc. that can be of incredible value to criminals. Cybercriminals will try to exploit appraisers through various mechanisms, such as business email compromise, phishing attempts, and ransomware attacks, to just name a few.”
Cybersecurity tips and info
“We help appraisers minimize their risk by helping consumers and business professionals understand those risks and what steps they can take to minimize them,” Eliot says. “We also have a program, called CyberSecure My Business, which helps small and medium-sized organizations protect their information through educational webinars, in-person workshops held across the country, and an online library of resources. All the information we provide through the CyberSecure My Business program is free.”
NSCA has a “quick wins” document on its website that provides several valuable tips for taking immediate action. The most valuable of these, Eliot says, are:
- Enable multi-factor authentication on your devices and accounts.
- Be “incredibly suspicious” of all email asking you to open a link or download something, and don’t open attachments or click on links in emails if you aren’t expecting the link.
- Be sure you are connecting to secure networks when accessing sensitive information.
“That last one is especially important for appraisers who are often out in the field,” he concludes.
What you need to know about cyber insurance
Adam Hewitt, COO and CMO of INSUREtrust, confirms that appraisers face the same cybersecurity risks that any business faces—amplified by the fact that they often hold other people’s proprietary data. Ransomware could halt a business’ operation and create unimagined future vulnerabilities.
“Cyber insurance can cover a lot of different potential losses from a cyber attack,” Hewitt says, “including paying to restore a network after a hack, lost business income due to an attack, and notification costs for customers whose data may have been stolen. Cyber insurance can cover a lot more than what most people realize. Additionally, INSUREtrust offers free and reduced-price cybersecurity services that can help an appraisal company mitigate risk. These include phishing testing for employees—which is one of the biggest threat vectors today—employee training, and vulnerability scans of the network.”
Every business has valuable information, Hewitt notes, and even small companies are potential targets of a hacker. If a hacker can install malware on a computer or in a network, they could extract money from a company even if that company doesn’t have particularly sensitive customer information. Every company is at risk and requires both basic cybersecurity and a cyber insurance policy.
“Real estate companies buy commercial building insurance to protect against fire, but their buildings also have sprinkler systems,” he says. “You need both insurance and mitigation tools. Cyber insurance and security are not ‘either-or’ propositions.”
Article written by Joseph Dobrian. Joseph Dobrian has been writing about commercial and residential real estate, and real estate-related finance, for more than 30 years. His by-line has appeared in The Wall Street Journal, The New York Times, The New Yorker, Real Estate Forum, Journal of Property Management, and many other publications. He is also a noted novelist, essayist, and translator. His website is www.josephdobrian.com, and he can be contacted at firstname.lastname@example.org.